Defining External Signon Security

Defining SRTT Entries
To secure system signon externally, add an entry to the SRTT for the signon (SGON) resource type.
The applicable resource name for the signon resource type is system-identifier; it matches the value in the SYSTEM ID parameter of the system generation SYSTEM statement. The name of the resource defined in the external system must match the system identifier.
The following examples for CA TSS and CA ACF2 show the relationships that must exist between the system identifier in system generation and the resource identifier in the external security definition; and between the resource class in the external security definition and the external class in the SRTT entry.
Example for CA Top Secret (CA TSS)
SYSGEN syntax
  MOD SYSTEM 120 SYSTEM ID IS IDMSD
CA TSS for z/OS syntax
  TSS PERMIT(user-identifier) SGO(IDMSD)
#SECRTT syntax
  #SECRTT TYPE=ENTRY,                  X
          RESTYPE=SGON,                X
          EXTCLS='SGO',                X
          EXTNAME=(RESNAME)
In this example the system identifier IDMSD from the SYSGEN SYSTEM statement is the resource name in the CA TSS PERMIT, SGO(IDMSD); the CA TSS resource class SGO is the EXTCLS value of the #SECRTT entry; and EXTNAME=(RESNAME) passes the system identifier as the resource name to be checked.
Example for CA ACF2
SYSGEN syntax
  MOD SYSTEM 120 SYSTEM ID IS IDMSD
CA ACF2 for z/OS syntax
  $KEY(IDMSD) TYPE(SGO)
   UID(user-identifier) ALLOW
#SECRTT syntax
  #SECRTT TYPE=ENTRY,                  X
          RESTYPE=SGON,                X
          EXTCLS='SGO',                X
          EXTNAME=(RESNAME)
In this example the system identifier IDMSD from the SYSGEN SYSTEM statement is the rule key, $KEY(IDMSD); the CA ACF2 resource type SGO is the EXTCLS value of the #SECRTT entry; and EXTNAME=(RESNAME) passes the system identifier as the resource name to be checked.
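The following is an added example, not part of the CA IDMS documentation, that mechanically checks the three relationships shown above: it reads the SYSGEN SYSTEM statement, joins a column-72 continued #SECRTT macro into one logical statement, extracts the resource class and name from a CA TSS PERMIT or CA ACF2 rule key, and reports any mismatch between SYSTEM ID, the external resource name and EXTCLS. The input strings are constructed for the example and mirror the page; the user-identifier USER01 and the helper names are assumptions.

```python
import re


def _cont(text):
    """Pad an assembler source line so a continuation mark sits in column 72."""
    return text.ljust(71) + "X"


# Constructed sample inputs (USER01 is a placeholder user-identifier).
SYSGEN = "MOD SYSTEM 120 SYSTEM ID IS IDMSD"
SECRTT = "\n".join([
    _cont("#SECRTT TYPE=ENTRY,"),
    _cont("        RESTYPE=SGON,"),
    _cont("        EXTCLS='SGO',"),
    "        EXTNAME=(RESNAME)",
])
TSS_PERMIT = "TSS PERMIT(USER01) SGO(IDMSD)"
ACF2_RULE = "$KEY(IDMSD) TYPE(SGO)"


def sysgen_system_id(text):
    """Return the SYSTEM ID value from a SYSGEN SYSTEM statement, or None."""
    m = re.search(r"\bSYSTEM\s+ID\s+IS\s+(\S+)", text)
    return m.group(1) if m else None


def join_continued(lines):
    """Join column-72 continued assembler lines into logical statements."""
    statements, current = [], ""
    for line in lines:
        current += line[:71].strip()          # columns 1-71 carry the text
        if len(line) >= 72 and line[71] != " ":
            continue                          # non-blank column 72: continued
        statements.append(current)
        current = ""
    if current:
        statements.append(current)
    return statements


def parse_secrtt(text):
    """Return the keyword=value operands of the first #SECRTT macro call."""
    stmt = join_continued(text.splitlines())[0]
    body = stmt[len("#SECRTT"):].strip()
    operands = {}
    for key, val in re.findall(r"(\w+)=('[^']*'|\([^)]*\)|[^,]+)", body):
        operands[key] = val.strip("'")
    return operands


def parse_external(text):
    """Extract (class, resource name) from a CA ACF2 rule key or CA TSS PERMIT."""
    m = re.search(r"\$KEY\((\w+)\)\s+TYPE\((\w+)\)", text)
    if m:
        return m.group(2), m.group(1)
    m = re.search(r"TSS\s+PERMIT\(\S+\)\s+(\w+)\((\w+)\)", text)
    if m:
        return m.group(1), m.group(2)
    return None


def check_signon_definitions(sysgen, secrtt, external):
    """Return a list of mismatches; an empty list means the definitions agree."""
    findings = []
    system_id = sysgen_system_id(sysgen)
    ops = parse_secrtt(secrtt)
    ext = parse_external(external)
    if system_id is None:
        findings.append("SYSGEN: no SYSTEM ID found")
    if ops.get("RESTYPE") != "SGON":
        findings.append("SRTT: entry is not RESTYPE=SGON")
    if ext is None:
        findings.append("external: could not parse resource class and name")
        return findings
    ext_class, ext_name = ext
    if ops.get("EXTCLS") != ext_class:
        findings.append(f"class mismatch: SRTT EXTCLS={ops.get('EXTCLS')} "
                        f"vs external class {ext_class}")
    if system_id != ext_name:
        findings.append(f"name mismatch: SYSTEM ID {system_id} "
                        f"vs external resource {ext_name}")
    return findings


if __name__ == "__main__":
    for ext in (TSS_PERMIT, ACF2_RULE):
        print(ext, "->", check_signon_definitions(SYSGEN, SECRTT, ext) or "consistent")
```

Run it against the real SYSGEN, #SECRTT and external definitions before a signon outage is reported: a mismatched EXTCLS or system identifier means every signon is rejected by the external system, and the check above points at which of the three places disagrees.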
Optionally Defining PassTickets
PassTickets can be used as an alternative to a password.
To use PassTickets for externally secured signon, add PassTicket definitions to the particular external security system being used. Depending on the external security system in use, these definitions can include:
  • Defining a resource class for PassTickets.
  • Granting ownership of the resource used for PassTickets.
  • Defining a session key for each application for which PassTickets are used.
  • Granting permission to a user to the resource used for PassTicket validation.
Determining Applid
The applid specified in the definition of the PassTicket to the external security system is a unique identifier for the CA IDMS CV system. It is composed of the first VTAM line defined to the system. If no VTAM lines exist, it is composed of the system nodename.
See the following sections for examples of the external security definitions needed to allow PassTicket use.
Example for CA Top Secret (CA TSS)
This CA TSS example shows the external security definitions needed to allow PassTicket use:
  1. Define the resource class PTKTDATA:
    TSS ADDTO(RDT) RESCLASS(PTKTDATA) ACLIST(ALL,READ,UPDATE) MAXLEN(37)
  2. Add IDMSDEPT department ownership for resources of class PTKTDATA:
    TSS ADDTO(IDMSDEPT) PTKTDATA(IRRPTAUTH)
  3. Add a session key for each applid (PSTKAPPL):
    TSS ADDTO(NDT) PSTKAPPL(IDMSSY73) SESSKEY(0123456789ABCDEF)
    TSS ADDTO(NDT) PSTKAPPL(IDMSSY74) SESSKEY(ABCDEF0123456789)
  4. Add permission for JOHN_SMITH to generate and use a PassTicket for SYSTEM 73:
    TSS PERMIT(JOHN_SMITH) PTKTDATA(IRRPTAUTH.IDMSSY73.JOHN_SMITH) ACCESS(READ,UPDATE)
Example for CA ACF2
This CA ACF2 example shows the external security definitions needed to allow PassTicket use:
  1. Define the CA IDMS PassTicket session key(s) and assign them to IDMS application IDs (or CV nodenames):
    SET PROFILE(PTKTDATA) DIVISION(SSIGNON)
    INSERT IDMSSY73 SSKEY(0123456789ABCDEF)
    INSERT IDMSSY74 SSKEY(ABCDEF0123456789)
    F ACF2,REBUILD(PTK),CLASS(P)
    END
  2. Issue the following commands to assign PassTicket session key(s) for specific user(s) (here: JOHN_SMITH):
    ACFNRULE KEY(IRRPTAUTH) TYPE(PTK) ADD(IDMSSY73.JOHN_SMITH UID(JOHN_SMITH) SERVICE(READ,UPDATE) ALLOW)
    F ACF2,REBUILD(PTK)
Example for IBM RACF
This IBM RACF example shows the external security definitions needed to allow PassTicket use:
  1. Issue the following commands to activate the PassTicket class:
    SETROPTS CLASSACT(PTKTDATA)
    SETROPTS RACLIST(PTKTDATA)
    SETROPTS GENERIC(PTKTDATA)
  2. Issue the following commands to define profile(s) for the IDMS application IDs (or CV nodenames) and specify the session key(s):
    RDEFINE PTKTDATA IDMSSY73 SSIGNON(KEYMASKED(0123456789ABCDEF)) UACC(NONE)
    RDEFINE PTKTDATA IDMSSY74 SSIGNON(KEYMASKED(ABCDEF0123456789)) UACC(NONE)
  3. Issue the following commands to define profile(s) and enable UPDATE access to the IDMS PassTicket resource for specific user(s) (here: JOHN_SMITH):
    RDEFINE PTKTDATA IRRPTAUTH.IDMSSY73.JOHN_SMITH UACC(NONE)
    PERMIT IRRPTAUTH.IDMSSY73.JOHN_SMITH CLASS(PTKTDATA) ID(JOHN_SMITH) ACCESS(READ,UPDATE)
    RDEFINE PTKTDATA IRRPTAUTH.IDMSSY74.JOHN_SMITH UACC(NONE)
    PERMIT IRRPTAUTH.IDMSSY74.JOHN_SMITH CLASS(PTKTDATA) ID(JOHN_SMITH) ACCESS(READ,UPDATE)
  4. Issue the following command to refresh the PTKTDATA class:
    SETROPTS RACLIST(PTKTDATA) REFRESH
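The following is an added example, not part of the CA IDMS documentation, covering the "Determining Applid" rule and the RACF PassTicket definitions above. It derives the applid from the VTAM line list (falling back to the nodename), parses a constructed RACF command script patterned on the page, and reports definitions that would not work: a PTKTDATA class that was never activated, a session key that is not 16 hexadecimal digits, an IRRPTAUTH permission whose applid has no session key profile, a user in the resource name that differs from ID(), or a permission without UPDATE. The command script is constructed for the example and deliberately includes one IRRPTAUTH permission for an applid (IDMSSY75) that has no session key so the check has something to find; the function names are assumptions.

```python
import re

# Constructed RACF script: the page's example plus one deliberate defect
# (a permission for IDMSSY75, which has no RDEFINE with a session key).
RACF_COMMANDS = """\
SETROPTS CLASSACT(PTKTDATA)
SETROPTS RACLIST(PTKTDATA)
SETROPTS GENERIC(PTKTDATA)
RDEFINE PTKTDATA IDMSSY73 SSIGNON(KEYMASKED(0123456789ABCDEF)) UACC(NONE)
RDEFINE PTKTDATA IDMSSY74 SSIGNON(KEYMASKED(ABCDEF0123456789)) UACC(NONE)
RDEFINE PTKTDATA IRRPTAUTH.IDMSSY73.JOHN_SMITH UACC(NONE)
PERMIT IRRPTAUTH.IDMSSY73.JOHN_SMITH CLASS(PTKTDATA) ID(JOHN_SMITH) ACCESS(READ,UPDATE)
RDEFINE PTKTDATA IRRPTAUTH.IDMSSY75.JOHN_SMITH UACC(NONE)
PERMIT IRRPTAUTH.IDMSSY75.JOHN_SMITH CLASS(PTKTDATA) ID(JOHN_SMITH) ACCESS(READ,UPDATE)
SETROPTS RACLIST(PTKTDATA) REFRESH
"""


def determine_applid(vtam_lines, nodename):
    """Applid used in PassTicket definitions: the first VTAM line defined to
    the system, or the system nodename when no VTAM lines exist."""
    return vtam_lines[0] if vtam_lines else nodename


def parse_racf_passticket(commands):
    """Return (class_activated, {applid: session_key}, [permits]) where each
    permit is (applid, user_in_resource, user_in_ID, access_list)."""
    activated = False
    session_keys = {}
    permits = []
    for raw in commands.splitlines():
        line = raw.strip()
        if re.match(r"SETROPTS\s+CLASSACT\(PTKTDATA\)", line):
            activated = True
            continue
        m = re.match(r"RDEFINE\s+PTKTDATA\s+(\S+)\s+SSIGNON\(KEYMASKED\(([^)]+)\)\)", line)
        if m:
            session_keys[m.group(1)] = m.group(2)
            continue
        m = re.match(r"PERMIT\s+IRRPTAUTH\.(\w+)\.(\w+)\s+CLASS\(PTKTDATA\)"
                     r"\s+ID\((\w+)\)\s+ACCESS\(([^)]*)\)", line)
        if m:
            permits.append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return activated, session_keys, permits


def check_passticket_definitions(commands):
    """Return a list of problems; an empty list means the script is consistent."""
    findings = []
    activated, keys, permits = parse_racf_passticket(commands)
    if not activated:
        findings.append("PTKTDATA class is never activated (SETROPTS CLASSACT)")
    for applid, key in keys.items():
        if not re.fullmatch(r"[0-9A-Fa-f]{16}", key):
            findings.append(f"{applid}: session key must be 16 hexadecimal digits")
    for applid, res_user, id_user, access in permits:
        resource = f"IRRPTAUTH.{applid}.{res_user}"
        if applid not in keys:
            findings.append(f"{resource}: no session key defined for applid {applid}")
        if res_user != id_user:
            findings.append(f"{resource}: ID({id_user}) does not match user in resource name")
        if "UPDATE" not in [a.strip() for a in access.split(",")]:
            findings.append(f"{resource}: UPDATE access is required to generate a PassTicket")
    return findings


if __name__ == "__main__":
    print("applid:", determine_applid(["LINE01", "LINE02"], "IDMSNODE"))
    for f in check_passticket_definitions(RACF_COMMANDS) or ["no problems found"]:
        print(f)
```

The applid check matters because the session key is looked up by applid: if the CV's first VTAM line name (or nodename) differs from the applid in the RDEFINE, the external system holds no key for the ticket it is asked to validate and every PassTicket signon fails.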
External Signon Security Checking
External signon security checking consists of two phases:
  1. Validation of the executing user in the external security system.
  2. If the first phase is successful, a check on the user authority to access the system identified in the current request.
For more information about PassTickets and external signon security checking, see Signon Processing (CA IDMS).