Re: ATTLS configuration

2011-11-02 Thread Neale Ferguson
A belated thanks for the advice. Slow progress is being made. This is a sandbox 
system that I'm able to reconstruct quickly so making mistakes won't hurt and 
will probably help the learning process.

Neale

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: ATTLS configuration

2011-10-24 Thread Chris Mason
Neale

> According to a SHARE presentation ...

> The SHARE presentation is good but it does state that it's skipped over some 
> steps for the sake of keeping the presentation within its time allocation.

Alternatively, for a source which doesn't suffer from a time allocation, you 
could use what I expect the authors imagine is a comprehensive description of 
(a) what AT-TLS is all about and (b) how to implement it, having - quite 
cleverly IMO - used a sample client-server application (based on REXX) to 
demonstrate how AT-TLS can support applications based on TCP.[1]

Note that I can't vouch for this material because I have used it successfully, 
merely that it exists and *probably* is useful.

> ... I then had to run some further RACF commands using 
> TCPIP.SEZAINST(EZARACF) as the starting point.

I hope you haven't misunderstood what was being said here. The EZARACF member 
is designed to avoid excessive impact on the fingertips keying statements 
related to creating your SAF environment - assuming you had chosen RACF as your 
SAF program, of course.

It is only to be used once you have a very clear idea what your SAF environment 
needs to look like, perhaps having used the sections in the redbook giving 
sample RACF statements as an inspiration.

> Has anyone gone through this process? If so, did you have a cheat sheet?

Do always recall "There is no substitute for *understanding* what you are 
doing"! Cheat sheets are to remind you of what you already know - but had 
misplaced for the moment!

Incidentally, once you have got it all working, why not post the cheat sheet 
you would like now to be able to use? TCP-IP-based NJE supported by AT-TLS 
looks like it could be a popular combination. Maybe the redbook folk could use 
it as an additional example in the set for the next release.

-

[1] As I understand it, I'm going to have to read up on all this myself one day 
if only to satisfy my curiosity!

http://www.redbooks.ibm.com/abstracts/sg247899.html

-

Chris Mason

On Tue, 18 Oct 2011 16:37:44 -0500, Neale Ferguson ne...@sinenomine.net wrote:

I'm attempting to enable ATTLS on my z/OS 1.12 and 1.9 systems for the
purpose of running secured NJE. I have installed the z/OS Configuration
Assistant to create the appropriate policies, created certificates on both
systems and placed them into the appropriate rings, and added the TCPCONFIG
TTLS statement.

According to a SHARE presentation I then had to run some further RACF
commands using TCPIP.SEZAINST(EZARACF) as the starting point. It seems to me
that the order of statements in the job is strange (i.e. when doing the
INITSTACK stuff it refers to users defined further down in the job stream).

Also, I get the messages (below) from the EZARACF job. As far as I can tell
the ADDUSER syntax is correct so I'm not sure why it's complaining. Also, I
assume the REFRESH of RACLIST(SECLABEL) is failing because I've forgotten to
do something with SYSHIGH.

Has anyone gone through this process? If so, did you have a cheat sheet? The
SHARE presentation is good but it does state that it's skipped over some
steps for the sake of keeping the presentation within its time allocation.

ADDUSER  NAMED DFLTGRP(OMVSGRP) OMVS(UID(0) HOME('/')) SECLABEL(SYSHIGH)
NOPASSWORD
IKJ56702I INVALID USERID, NAMED
IKJ56701I MISSING OMVS UID+
IKJ56701I MISSING OMVS USER ID (UID), 1-10 NUMERIC DIGITS
READY
PERMIT   SYSHIGH CLASS(SECLABEL) ID(NAMED) ACC(READ)
READY
RDEFINE  STARTED NAMED.* STDATA(USER(NAMED))
ICH10102I NAMED.* ALREADY DEFINED TO CLASS STARTED.
READY
SETROPTS RACLIST(STARTED) REFRESH
READY
SETROPTS GENERIC(STARTED) REFRESH
READY
SETROPTS RACLIST(SECLABEL) REFRESH
ICH14041I RACLIST REFRESH of class SECLABEL ignored. The class is not active
yet.



Re: ATTLS configuration

2011-10-19 Thread Chase, John
> -Original Message-
> From: IBM Mainframe Discussion List On Behalf Of Neale Ferguson
> 
> I'm attempting to enable ATTLS on my z/OS 1.12 and 1.9 systems for the
> purpose of running secured NJE. I have installed the z/OS Configuration
> Assistant to create the appropriate policies, created certificates on both
> systems and placed them into the appropriate rings, and added the TCPCONFIG
> TTLS statement.
> 
> According to a SHARE presentation I then had to run some further RACF
> commands using TCPIP.SEZAINST(EZARACF) as the starting point. It seems to me
> that the order of statements in the job is strange (i.e. when doing the
> INITSTACK stuff it refers to users defined further down in the job stream).
> 
> Also, I get the messages (below) from the EZARACF job. As far as I can tell
> the ADDUSER syntax is correct so I'm not sure why it's complaining. Also, I
> assume the REFRESH of RACLIST(SECLABEL) is failing because I've forgotten to
> do something with SYSHIGH.
> 
> Has anyone gone through this process? If so, did you have a cheat sheet? The
> SHARE presentation is good but it does state that it's skipped over some
> steps for the sake of keeping the presentation within its time allocation.
> 
> ADDUSER  NAMED DFLTGRP(OMVSGRP) OMVS(UID(0) HOME('/')) SECLABEL(SYSHIGH)
> NOPASSWORD
> IKJ56702I INVALID USERID, NAMED

Do you perchance have a Group called NAMED?

> IKJ56701I MISSING OMVS UID+
> IKJ56701I MISSING OMVS USER ID (UID), 1-10 NUMERIC DIGITS
> READY
> PERMIT   SYSHIGH CLASS(SECLABEL) ID(NAMED) ACC(READ)
> READY
> RDEFINE  STARTED NAMED.* STDATA(USER(NAMED))
> ICH10102I NAMED.* ALREADY DEFINED TO CLASS STARTED.
> READY
> SETROPTS RACLIST(STARTED) REFRESH
> READY
> SETROPTS GENERIC(STARTED) REFRESH
> READY
> SETROPTS RACLIST(SECLABEL) REFRESH
> ICH14041I RACLIST REFRESH of class SECLABEL ignored. The class is not active
> yet.

Activating the SECLABEL class may have far-reaching, unintended consequences. 
I'd suggest reading up on SECLABEL and being sure you understand all its 
implications before activating it. You -can- get along without it (indeed, you 
already are).

But if you decide to proceed, you first need to issue SETR CLASSACT(SECLABEL).  
Then you can RACLIST it, REFRESH it, etc.

-jc-
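A small triage script for EZARACF output of the kind quoted above, added here as an illustration and not part of the thread: it pairs each TSO/RACF command with the messages that follow it and flags the two points raised in this reply (a RACLIST REFRESH issued before the class was activated with CLASSACT, and the rejected userid that may already exist as a group). The sample is the output from the original post, trimmed; the message-id-to-advice rules are my own.

```python
import re
# Constructed sample: the EZARACF output quoted in the thread, 80-column wraps kept.
SAMPLE = """\
ADDUSER  NAMED DFLTGRP(OMVSGRP) OMVS(UID(0) HOME('/')) SECLABEL(SYSHIGH)
NOPASSWORD
IKJ56702I INVALID USERID, NAMED
READY
PERMIT   SYSHIGH CLASS(SECLABEL) ID(NAMED) ACC(READ)
READY
RDEFINE  STARTED NAMED.* STDATA(USER(NAMED))
ICH10102I NAMED.* ALREADY DEFINED TO CLASS STARTED.
READY
SETROPTS RACLIST(SECLABEL) REFRESH
ICH14041I RACLIST REFRESH of class SECLABEL ignored. The class is not active
yet.
READY
"""
MSG_ID = re.compile(r"^((?:ICH|IKJ)\d{5}[IE])\b")  # RACF (ICH) and TSO (IKJ) message ids
RACLIST = re.compile(r"^SETR(?:OPTS)?\s+RACLIST\((\w+)\)\s+REFRESH", re.I)
def split_commands(text):
    """Pair each command with its messages; READY closes a command, id-less lines are wraps."""
    blocks, cmd, msgs = [], None, []
    for line in filter(None, (l.rstrip() for l in text.splitlines())):
        if line == "READY":
            if cmd is not None:
                blocks.append((cmd, msgs))
            cmd, msgs = None, []
        elif cmd is None:
            cmd = line
        elif MSG_ID.match(line):
            msgs.append(line)
        elif msgs:                       # wrapped continuation of the last message
            msgs[-1] += " " + line
        else:                            # wrapped continuation of the command itself
            cmd += " " + line
    return blocks
def triage(text):
    """Return (severity, command verb, advice) for each command that drew a message."""
    findings = []
    for cmd, msgs in split_commands(text):
        ids, verb = {MSG_ID.match(m).group(1) for m in msgs}, cmd.split()[0].upper()
        m = RACLIST.match(cmd)
        if m and "ICH14041I" in ids:     # the ordering problem discussed in the thread
            cls = m.group(1).upper()
            findings.append(("error", verb, f"{cls} class not active: SETROPTS CLASSACT({cls}) must come first"))
        elif "IKJ56702I" in ids:         # INVALID USERID
            findings.append(("error", verb, "userid rejected: is the name already defined, e.g. as a group?"))
        elif "ICH10102I" in ids:         # profile already defined, informational
            findings.append(("info", verb, "profile already exists; the RDEFINE was redundant"))
    return findings
```

Commands that complete with a bare READY (PERMIT in the sample) produce no finding, so the output lists only what needs attention.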



ATTLS configuration

2011-10-18 Thread Neale Ferguson
I'm attempting to enable ATTLS on my z/OS 1.12 and 1.9 systems for the
purpose of running secured NJE. I have installed the z/OS Configuration
Assistant to create the appropriate policies, created certificates on both
systems and placed them into the appropriate rings, and added the TCPCONFIG
TTLS statement.

According to a SHARE presentation I then had to run some further RACF
commands using TCPIP.SEZAINST(EZARACF) as the starting point. It seems to me
that the order of statements in the job is strange (i.e. when doing the
INITSTACK stuff it refers to users defined further down in the job stream).

Also, I get the messages (below) from the EZARACF job. As far as I can tell
the ADDUSER syntax is correct so I'm not sure why it's complaining. Also, I
assume the REFRESH of RACLIST(SECLABEL) is failing because I've forgotten to
do something with SYSHIGH.

Has anyone gone through this process? If so, did you have a cheat sheet? The
SHARE presentation is good but it does state that it's skipped over some
steps for the sake of keeping the presentation within its time allocation.

ADDUSER  NAMED DFLTGRP(OMVSGRP) OMVS(UID(0) HOME('/')) SECLABEL(SYSHIGH)
NOPASSWORD
IKJ56702I INVALID USERID, NAMED
IKJ56701I MISSING OMVS UID+
IKJ56701I MISSING OMVS USER ID (UID), 1-10 NUMERIC DIGITS
READY
PERMIT   SYSHIGH CLASS(SECLABEL) ID(NAMED) ACC(READ)
READY
RDEFINE  STARTED NAMED.* STDATA(USER(NAMED))
ICH10102I NAMED.* ALREADY DEFINED TO CLASS STARTED.
READY
SETROPTS RACLIST(STARTED) REFRESH
READY
SETROPTS GENERIC(STARTED) REFRESH
READY
SETROPTS RACLIST(SECLABEL) REFRESH
ICH14041I RACLIST REFRESH of class SECLABEL ignored. The class is not active
yet.



Re: ATTLS configuration

2011-10-18 Thread Scott Ford
Neale,

A couple of things here: does NAMED exist? Secondly, does SECLABEL exist?

Scott J Ford
Software Engineer
http://www.identityforge.com

From: Neale Ferguson ne...@sinenomine.net
To: IBM-MAIN@bama.ua.edu
Sent: Tuesday, October 18, 2011 5:37 PM
Subject: ATTLS configuration

I'm attempting to enable ATTLS on my z/OS 1.12 and 1.9 systems for the
purpose of running secured NJE. I have installed the z/OS Configuration
Assistant to create the appropriate policies, created certificates on both
systems and placed them into the appropriate rings, and added the TCPCONFIG
TTLS statement.

According to a SHARE presentation I then had to run some further RACF
commands using TCPIP.SEZAINST(EZARACF) as the starting point. It seems to me
that the order of statements in the job is strange (i.e. when doing the
INITSTACK stuff it refers to users defined further down in the job stream).

Also, I get the messages (below) from the EZARACF job. As far as I can tell
the ADDUSER syntax is correct so I'm not sure why it's complaining. Also, I
assume the REFRESH of RACLIST(SECLABEL) is failing because I've forgotten to
do something with SYSHIGH.

Has anyone gone through this process? If so, did you have a cheat sheet? The
SHARE presentation is good but it does state that it's skipped over some
steps for the sake of keeping the presentation within its time allocation.

ADDUSER  NAMED DFLTGRP(OMVSGRP) OMVS(UID(0) HOME('/')) SECLABEL(SYSHIGH)
NOPASSWORD
IKJ56702I INVALID USERID, NAMED
IKJ56701I MISSING OMVS UID+
IKJ56701I MISSING OMVS USER ID (UID), 1-10 NUMERIC DIGITS
READY
PERMIT   SYSHIGH CLASS(SECLABEL) ID(NAMED) ACC(READ)
READY
RDEFINE  STARTED NAMED.* STDATA(USER(NAMED))
ICH10102I NAMED.* ALREADY DEFINED TO CLASS STARTED.
READY
SETROPTS RACLIST(STARTED) REFRESH
READY
SETROPTS GENERIC(STARTED) REFRESH
READY
SETROPTS RACLIST(SECLABEL) REFRESH
ICH14041I RACLIST REFRESH of class SECLABEL ignored. The class is not active
yet.
