> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of Neale Ferguson
>
> I¹m attempting to enable ATTLS on my z/OS 1.12 and 1.9 systems for the
> purpose of running secured NJE. I have installed the z/OS Configuration
> Assistant to create the appropriate policies, created certificates on both
> systems and placed them into the appropriate rings, and added the TCPCONFIG
> TTLS statement.
>
> According to the a SHARE presentation I then had to run some further RACF
> commands using TCPIP.SEZAINST(EZARACF) as the starting point. It seems to me
> that the order of statements in the job is strange (i.e. when doing the
> INITSTACK stuff it refers to users defined further down in the job stream).
>
> Also, I get the messages (below) from the EZARACF job. As far as I can tell
> the ADDUSER syntax is correct so I'm not sure why it's complaining. Also, I
> assume the REFRESH of RACLIST(SECLABEL) is failing because I've forgotten to
> do something with SYSHIGH.
>
> Has anyone gone through this process? If so, did you have a cheat sheet. The
> SHARE presentation is good but it does state that it's skipped over some
> steps for the sake of keeping the presentation within its time allocation.
>
> ADDUSER NAMED DFLTGRP(OMVSGRP) OMVS(UID(0) HOME('/')) SECLABEL(SYSHIGH)
> NOPASSWORD
> IKJ56702I INVALID USERID, NAMED
Do you perchance have a Group called NAMED?
> IKJ56701I MISSING OMVS UID+
> IKJ56701I MISSING OMVS USER ID (UID), 1-10 NUMERIC DIGITS
> READY
> PERMIT SYSHIGH CLASS(SECLABEL) ID(NAMED) ACC(READ)
> READY
> RDEFINE STARTED NAMED.* STDATA(USER(NAMED))
> ICH10102I NAMED.* ALREADY DEFINED TO CLASS STARTED.
> READY
> SETROPTS RACLIST(STARTED) REFRESH
> READY
> SETROPTS GENERIC(STARTED) REFRESH
> READY
> SETROPTS RACLIST(SECLABEL) REFRESH
> ICH14041I RACLIST REFRESH of class SECLABEL ignored. The class is not active
> yet.
Activating the SECLABEL class may have far-reaching, unintended consequences.
I'd suggest "reading up" on SECLABEL and be sure you understand all its
implications before activating it. you -can- get along without it (indeed, you
already are).
But if you decide to proceed, you first need to issue SETR CLASSACT(SECLABEL).
Then you can RACLIST it, REFRESH it, etc.
-jc-
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
