IBM Security Z Security

  • 1.  How to use multi ID

    IBM Champion
    Posted Fri March 24, 2023 01:16 PM

    I'm looking at using certificates to log on to z/OS (using pthread_security_applid). I can get a simple racdcert MAP to work, but I'm stuck with the next step.
    Is there any documentation for this leap?


    For example 

    RACDCERT MULTIID MAP WITHLABEL('CP1') TRUST - 
      IDNFILTER('cn=CA1,c=GB')      - 
      CRITERIA(APPLID=&APPLID) 
    RDEFINE DIGTCRIT APPLID=ZZZ  APPLDATA('ADCD1')

    works. What do I need to use for a different CA...

    RACDCERT MULTIID MAP WITHLABEL('CP2') TRUST - 
      IDNFILTER('cn=CA2,c=GB')      -  // different CA
      CRITERIA(APPLID=&APPLID) 
    RDEFINE DIGTCRIT APPLID=ZZZ  APPLDATA('ADCD2')  // use a different userid

    I cannot see which of the 

    RDEFINE DIGTCRIT APPLID=ZZZ  APPLDATA('ADCD1')

    RDEFINE DIGTCRIT APPLID=ZZZ  APPLDATA('ADCD2')

    gets used

    I can't find any examples in the documentation for this.

    Is there any doc to help me?



    ------------------------------
    Colin Paice
    ------------------------------


  • 2.  RE: How to use multi ID

    Posted Mon March 27, 2023 10:53 AM
    You may take a look at the RACF System Administrator's Guide section: https://www.ibm.com/docs/en/zos/2.5.0?topic=criteria-example





  • 3.  RE: How to use multi ID

    IBM Champion
    Posted Tue March 28, 2023 03:43 AM
    Edited by Colin Paice Tue March 28, 2023 08:59 AM

    Hi Wai,

    Thanks for your reply. By playing around I found my answer.

    What the documentation does not say is that you can have any keyword in the criteria, as long as the substituted value has a DIGTCRIT.

    This means you can have

    RACDCERT MULTIID MAP ...    CRITERIA(ZORK7=&APPLID)

    and have statements like

    RDEFINE DIGTCRIT ZORK7=AAA APPLDATA('IBMUSER')
    RDEFINE DIGTCRIT ZORK7=BBB APPLDATA('ADCDB')

    I'll raise a doc comment on this, and I've blogged about it.



    ------------------------------
    Colin Paice
    ------------------------------
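
Added example, not part of the thread: the two-CA setup from post 1 rewritten using the finding in post 3, so that each map resolves to its own DIGTCRIT profile name. The criteria keywords CA1 and CA2 are arbitrary names chosen here; the labels, filters, APPLID value ZZZ and user IDs are those from post 1, and the final refresh assumes the DIGTNMAP and DIGTCRIT classes are active and RACLISTed.

```tso
/* Added example. CA1 and CA2 are arbitrary criteria keywords     */
/* (an assumption based on post 3, not on IBM documentation).     */
RACDCERT MULTIID MAP WITHLABEL('CP1') TRUST -
  IDNFILTER('cn=CA1,c=GB') -
  CRITERIA(CA1=&APPLID)
RACDCERT MULTIID MAP WITHLABEL('CP2') TRUST -
  IDNFILTER('cn=CA2,c=GB') -
  CRITERIA(CA2=&APPLID)
/* With APPLID ZZZ the criteria become CA1=ZZZ and CA2=ZZZ, so    */
/* the two profiles no longer share the name APPLID=ZZZ.          */
RDEFINE DIGTCRIT CA1=ZZZ APPLDATA('ADCD1')
RDEFINE DIGTCRIT CA2=ZZZ APPLDATA('ADCD2')
/* Refresh the in-storage profiles so the changes take effect.    */
SETROPTS RACLIST(DIGTNMAP DIGTCRIT) REFRESH
```

A certificate issued by CA1 then maps to ADCD1 and one issued by CA2 maps to ADCD2 for the same application ID, because each map's criteria string resolves to a different DIGTCRIT profile.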