Re: ATTLS configuration
A belated thanks for the advice. Slow progress is being made. This is a sandbox system that I'm able to reconstruct quickly, so making mistakes won't hurt and will probably help the learning process.

Neale

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: ATTLS configuration
Neale

> According to a SHARE presentation ...

> The SHARE presentation is good but it does state that it's skipped over some steps for the sake of keeping the presentation within its time allocation.

Alternatively, for a source which doesn't suffer from a time allocation, you could use what I expect the authors imagine is a comprehensive description of (a) what AT-TLS is all about and (b) how to implement it, having - quite cleverly IMO - used a sample client-server application (based on REXX) to demonstrate how AT-TLS can support an application based on TCP.[1]

Note that I can't vouch for this material because I have used it successfully, merely that it exists and *probably* is useful.

> ... I then had to run some further RACF commands using TCPIP.SEZAINST(EZARACF) as the starting point.

I hope you haven't misunderstood what was being said here. The EZARACF member is designed to avoid excessive impact on the fingertips keying statements related to creating your SAF environment - assuming you had chosen RACF as your SAF program, of course. It is only to be used once you have a very clear idea what your SAF environment needs to look like, perhaps having used the sections in the redbook giving sample RACF statements as an inspiration.

> Has anyone gone through this process? If so, did you have a cheat sheet?

Do always recall: there is no substitute for *understanding* what you are doing! Cheat sheets are to remind you of what you already know - but had misplaced for the moment!

Incidentally, once you have got it all working, why not post the cheat sheet you would like now to be able to use? TCP/IP-based NJE supported by AT-TLS looks like it could be a popular combination. Maybe the redbook folk could use it as an additional example in the set for the next release.

-

[1] As I understand it, I'm going to have to read up on all this myself one day if only to satisfy my curiosity!

http://www.redbooks.ibm.com/abstracts/sg247899.html

-

Chris Mason

On Tue, 18 Oct 2011 16:37:44 -0500, Neale Ferguson ne...@sinenomine.net wrote:

> I'm attempting to enable ATTLS on my z/OS 1.12 and 1.9 systems for the purpose of running secured NJE.
> [...]
Re: ATTLS configuration
-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Neale Ferguson

> I'm attempting to enable ATTLS on my z/OS 1.12 and 1.9 systems for the purpose of running secured NJE. I have installed the z/OS Configuration Assistant to create the appropriate policies, created certificates on both systems and placed them into the appropriate rings, and added the TCPCONFIG TTLS statement. According to a SHARE presentation I then had to run some further RACF commands using TCPIP.SEZAINST(EZARACF) as the starting point.
>
> It seems to me that the order of statements in the job is strange (i.e. when doing the INITSTACK stuff it refers to users defined further down in the job stream). Also, I get the messages (below) from the EZARACF job. As far as I can tell the ADDUSER syntax is correct so I'm not sure why it's complaining. Also, I assume the REFRESH of RACLIST(SECLABEL) is failing because I've forgotten to do something with SYSHIGH.
>
> Has anyone gone through this process? If so, did you have a cheat sheet? The SHARE presentation is good but it does state that it's skipped over some steps for the sake of keeping the presentation within its time allocation.
>
> ADDUSER NAMED DFLTGRP(OMVSGRP) OMVS(UID(0) HOME('/')) SECLABEL(SYSHIGH) NOPASSWORD
> IKJ56702I INVALID USERID, NAMED

Do you perchance have a Group called NAMED?

> IKJ56701I MISSING OMVS UID+
> IKJ56701I MISSING OMVS USER ID (UID), 1-10 NUMERIC DIGITS
> READY
> PERMIT SYSHIGH CLASS(SECLABEL) ID(NAMED) ACC(READ)
> READY
> RDEFINE STARTED NAMED.* STDATA(USER(NAMED))
> ICH10102I NAMED.* ALREADY DEFINED TO CLASS STARTED.
> READY
> SETROPTS RACLIST(STARTED) REFRESH
> READY
> SETROPTS GENERIC(STARTED) REFRESH
> READY
> SETROPTS RACLIST(SECLABEL) REFRESH
> ICH14041I RACLIST REFRESH of class SECLABEL ignored. The class is not active yet.

Activating the SECLABEL class may have far-reaching, unintended consequences. I'd suggest reading up on SECLABEL and be sure you understand all its implications before activating it. You -can- get along without it (indeed, you already are). But if you decide to proceed, you first need to issue SETR CLASSACT(SECLABEL). Then you can RACLIST it, REFRESH it, etc.

-jc-
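As an added example (not from the thread and not IBM's EZARACF sample), a small Python lint that reads a RACF command stream and flags the two ordering problems raised in this reply and in the original post: a SETROPTS RACLIST(...) REFRESH of a class that has not been activated with CLASSACT, and a user ID referenced by PERMIT ID() or STDATA(USER()) before its ADDUSER; it also warns when ADDUSER names an existing group, which is what the question about a group called NAMED is getting at, since RACF keeps user IDs and group names in one namespace. The command text inside it is constructed from the thread's own commands, reordered to trigger the findings, and the regexes assume a simplified subset of RACF syntax (full keywords, one command per line, no continuation lines).

```python
import re

# Constructed command stream (not the thread's job): the thread's commands reordered so
# NAMED is used before its ADDUSER and SECLABEL is RACLISTed without being activated.
SAMPLE_JOB = """\
PERMIT SYSHIGH CLASS(SECLABEL) ID(NAMED) ACC(READ)
RDEFINE STARTED NAMED.* STDATA(USER(NAMED))
ADDUSER NAMED DFLTGRP(OMVSGRP) OMVS(UID(0) HOME('/')) SECLABEL(SYSHIGH) NOPASSWORD
SETROPTS RACLIST(STARTED) REFRESH
SETROPTS RACLIST(SECLABEL) REFRESH
"""

ADDUSER = re.compile(r"^\s*ADDUSER\s+(\w+)", re.I)
ADDGROUP = re.compile(r"^\s*ADDGROUP\s+(\w+)", re.I)
USER_REFS = re.compile(r"\b(?:ID|USER)\(([\w ,]+)\)", re.I)  # PERMIT ID(), STDATA(USER())
CLASSACT = re.compile(r"\bCLASSACT\(([\w ,]+)\)", re.I)
RACLIST_REFRESH = re.compile(r"\bRACLIST\(([\w ,]+)\).*\bREFRESH\b", re.I)

def _names(group):  # split a RACF operand list such as 'A, B C' into upper-case names
    return [n.upper() for n in re.split(r"[ ,]+", group) if n]

def lint_racf_job(text, known_users=(), active_classes=()):
    """Return (line_no, message) findings for ordering problems in a RACF command
    stream; known_users / active_classes name what already exists on the target."""
    users = {u.upper() for u in known_users}
    groups = set()
    active = {c.upper() for c in active_classes}
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if m := ADDGROUP.match(line):
            groups.add(m.group(1).upper())
            continue
        if m := ADDUSER.match(line):
            name = m.group(1).upper()
            if name in groups:  # RACF user IDs and group names share one namespace
                findings.append((no, f"{name} is already a group (expect IKJ56702I)"))
            users.add(name)
            continue
        for m in CLASSACT.finditer(line):
            active.update(_names(m.group(1)))
        for m in RACLIST_REFRESH.finditer(line):
            for cls in _names(m.group(1)):
                if cls not in active:
                    findings.append((no, f"RACLIST REFRESH of {cls} before CLASSACT (expect ICH14041I)"))
        for m in USER_REFS.finditer(line):
            for name in _names(m.group(1)):
                if name not in users | groups:
                    findings.append((no, f"{name} referenced before it is defined"))
    return findings
```

Classes such as STARTED that are already active on the target system are passed in through active_classes so that their REFRESH is not reported.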
ATTLS configuration
I'm attempting to enable ATTLS on my z/OS 1.12 and 1.9 systems for the purpose of running secured NJE. I have installed the z/OS Configuration Assistant to create the appropriate policies, created certificates on both systems and placed them into the appropriate rings, and added the TCPCONFIG TTLS statement. According to a SHARE presentation I then had to run some further RACF commands using TCPIP.SEZAINST(EZARACF) as the starting point.

It seems to me that the order of statements in the job is strange (i.e. when doing the INITSTACK stuff it refers to users defined further down in the job stream). Also, I get the messages (below) from the EZARACF job. As far as I can tell the ADDUSER syntax is correct so I'm not sure why it's complaining. Also, I assume the REFRESH of RACLIST(SECLABEL) is failing because I've forgotten to do something with SYSHIGH.

Has anyone gone through this process? If so, did you have a cheat sheet? The SHARE presentation is good but it does state that it's skipped over some steps for the sake of keeping the presentation within its time allocation.

ADDUSER NAMED DFLTGRP(OMVSGRP) OMVS(UID(0) HOME('/')) SECLABEL(SYSHIGH) NOPASSWORD
IKJ56702I INVALID USERID, NAMED
IKJ56701I MISSING OMVS UID+
IKJ56701I MISSING OMVS USER ID (UID), 1-10 NUMERIC DIGITS
READY
PERMIT SYSHIGH CLASS(SECLABEL) ID(NAMED) ACC(READ)
READY
RDEFINE STARTED NAMED.* STDATA(USER(NAMED))
ICH10102I NAMED.* ALREADY DEFINED TO CLASS STARTED.
READY
SETROPTS RACLIST(STARTED) REFRESH
READY
SETROPTS GENERIC(STARTED) REFRESH
READY
SETROPTS RACLIST(SECLABEL) REFRESH
ICH14041I RACLIST REFRESH of class SECLABEL ignored. The class is not active yet.
Re: ATTLS configuration
Neale,

A couple of things here: does NAMED exist? Secondly, does SECLABEL exist?

Scott J Ford
Software Engineer
http://www.identityforge.com

From: Neale Ferguson ne...@sinenomine.net
To: IBM-MAIN@bama.ua.edu
Sent: Tuesday, October 18, 2011 5:37 PM
Subject: ATTLS configuration

> I'm attempting to enable ATTLS on my z/OS 1.12 and 1.9 systems for the purpose of running secured NJE.
> [...]