Neale

> According to a SHARE presentation ...

> The SHARE presentation is good but it does state that it's skipped over some
> steps for the sake of keeping the presentation within its time allocation.

Alternatively, for a source which doesn't suffer from a "time allocation", you could use what I expect the authors imagine is a comprehensive description of (a) what AT-TLS is all about and (b) how to implement it having - quite cleverly IMO - used a sample client-server "application" (based on REXX) to demonstrate how AT-TLS can support applications based on TCP.[1] Note that I can't vouch for this material because I have used it successfully, merely that it exists and *probably* is useful.

> ... I then had to run some further RACF commands using
> TCPIP.SEZAINST(EZARACF) as the starting point.

I hope you haven't misunderstood what was being said here. The EZARACF member is designed to avoid excessive impact on the fingertips keying statements related to creating your SAF environment - assuming you had chosen RACF as your SAF program, of course. It is only to be used once you have a very clear idea what your SAF environment needs to look like, perhaps having used the sections in the redbook giving sample RACF statements as an inspiration.

> Has anyone gone through this process? If so, did you have a cheat sheet?

Do always recall "There is no substitute for *understanding* what you are doing."! "Cheat sheets" are to remind you of what you already know - but had misplaced for the moment!

Incidentally, once you have got it all working, why not post the "cheat sheet" you would like now to be able to use? TCP-IP-based NJE supported by AT-TLS looks like it could be a popular combination. Maybe the redbook folk could use it as an additional example in the set for the next release.

-

[1] As I understand it, I'm going to have to read up on all this myself one day if only to satisfy my curiosity!

http://www.redbooks.ibm.com/abstracts/sg247899.html

-

Chris Mason

On Tue, 18 Oct 2011 16:37:44 -0500, Neale Ferguson <[email protected]> wrote:

>I'm attempting to enable ATTLS on my z/OS 1.12 and 1.9 systems for the
>purpose of running secured NJE. I have installed the z/OS Configuration
>Assistant to create the appropriate policies, created certificates on both
>systems and placed them into the appropriate rings, and added the TCPCONFIG
>TTLS statement.
>
>According to a SHARE presentation I then had to run some further RACF
>commands using TCPIP.SEZAINST(EZARACF) as the starting point. It seems to me
>that the order of statements in the job is strange (i.e. when doing the
>INITSTACK stuff it refers to users defined further down in the job stream).
>
>Also, I get the messages (below) from the EZARACF job. As far as I can tell
>the ADDUSER syntax is correct so I'm not sure why it's complaining. Also, I
>assume the REFRESH of RACLIST(SECLABEL) is failing because I've forgotten to
>do something with SYSHIGH.
>
>Has anyone gone through this process? If so, did you have a cheat sheet? The
>SHARE presentation is good but it does state that it's skipped over some
>steps for the sake of keeping the presentation within its time allocation.
>
>ADDUSER NAMED DFLTGRP(OMVSGRP) OMVS(UID(0) HOME('/')) SECLABEL(SYSHIGH)
>NOPASSWORD
>IKJ56702I INVALID USERID, NAMED
>IKJ56701I MISSING OMVS UID+
>IKJ56701I MISSING OMVS USER ID (UID), 1-10 NUMERIC DIGITS
>READY
>PERMIT SYSHIGH CLASS(SECLABEL) ID(NAMED) ACC(READ)
>READY
>RDEFINE STARTED NAMED.* STDATA(USER(NAMED))
>ICH10102I NAMED.* ALREADY DEFINED TO CLASS STARTED.
>READY
>SETROPTS RACLIST(STARTED) REFRESH
>READY
>SETROPTS GENERIC(STARTED) REFRESH
>READY
>SETROPTS RACLIST(SECLABEL) REFRESH
>ICH14041I RACLIST REFRESH of class SECLABEL ignored. The class is not active
>yet.
---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
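An added example, not part of the thread or of any IBM sample: a small Python triage script that pairs each command in the EZARACF output quoted above with the messages it drew, so a long job log can be reviewed command by command. It assumes, as in the quoted output, that each command is followed by its messages and then a `READY` line; the function names are hypothetical.

```python
import re
# Message ID shape seen in the quoted output: three letters, digits, one letter.
MSG_ID = re.compile(r"^([A-Z]{3}\d{3,5}[A-Z])\s+(.*)$")

# Output quoted in the thread, mail-wrapped lines left as posted.
SAMPLE = """\
ADDUSER NAMED DFLTGRP(OMVSGRP) OMVS(UID(0) HOME('/')) SECLABEL(SYSHIGH)
NOPASSWORD
IKJ56702I INVALID USERID, NAMED
IKJ56701I MISSING OMVS UID+
IKJ56701I MISSING OMVS USER ID (UID), 1-10 NUMERIC DIGITS
READY
PERMIT SYSHIGH CLASS(SECLABEL) ID(NAMED) ACC(READ)
READY
RDEFINE STARTED NAMED.* STDATA(USER(NAMED))
ICH10102I NAMED.* ALREADY DEFINED TO CLASS STARTED.
READY
SETROPTS RACLIST(STARTED) REFRESH
READY
SETROPTS GENERIC(STARTED) REFRESH
READY
SETROPTS RACLIST(SECLABEL) REFRESH
ICH14041I RACLIST REFRESH of class SECLABEL ignored. The class is not active
yet.
"""

def parse_session(text):
    """Group each command with the messages issued before the next READY."""
    entries, current = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        msg = MSG_ID.match(line)
        if line == "READY":
            current = None                     # prompt ends the command
        elif current is None:                  # new command, or a stray message
            current = {"command": "" if msg else line, "messages": []}
            entries.append(current)
            if msg:
                current["messages"].append([msg.group(1), msg.group(2)])
        elif msg:
            current["messages"].append([msg.group(1), msg.group(2)])
        elif current["messages"]:
            current["messages"][-1][1] += " " + line   # wrapped message text
        else:
            current["command"] += " " + line           # wrapped command text
    return entries

def needs_review(entries):
    """Commands that drew any message (every ID here ends in 'I', even for the rejected ADDUSER)."""
    return [e for e in entries if e["messages"]]
```

Because the message suffix letter does not separate the rejected `ADDUSER` from the informational `ICH10102I`, the script reports every command that produced a message and leaves the judgement to the reader.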

