single signon restrictionsOpenEditionsee DCE Administration .Guide

ŸThe MVS user must have saved the current DCE password in the RACF

segment by invoking thestorepwDCE

command.

Note: Users still need

to

maintain

their passwords for RACF and Ope

DCE separately,

and

must

use

storepwthe DCE to keep the DCE

password that

is

stored

in

RACF current.

Single signon supportnotisintended to be used by application servers. Sin signon support should be enabled only for end users. For more informat

single signon restrictionsOpenEditionsee DCE Administration .Guide

Specifying

the DCE Encryption Key

 

 

 

 

 

 

 

 

 

 

The RACF KEYSMSTR class is a general resource class that contains the

 

DCE.PASSWORD.KEY

profile. This

profile

holds the encryption key that is u

for encrypting and decrypting a

user's DCE password for use in OpenE

single signon support. The profile

defined

to

the

KEYSMSTR

class

contains

SSIGNON

segment

that holds

either

the masked or encrypted value for

 

is used to encrypt DCE passwords

stored in the RACF database. Befor

OS/390

user can save a DCE password

in

the

RACF database

or

before

single

signon

feature can

be used,

the

security

administrator

must

d

to the KEYSMSTR class that defines

the

encryption

key,

and

activate

t

KEYSMSTR

class.

 

 

 

 

 

 

 

 

 

 

 

 

If a cryptographic product is present on the system, the security specify the KEYENCRYPTED sub-operand on the SSIGNON operand of the RDEFINE or RALTER command. If the KEYENCRYPTED sub-operand is specified, the cryptographic product must be active when the secur defines the profile to the KEYSMSTR class.

OS/390 OpenEdition DCE Application Considerations

OS/390 OpenEdition has two fundamental types of application servers:

ŸMultithreaded applications

Ÿ Single threaded applications

A multithreadedapplication has multiple sequential flows of control. In th application, more than one unit of work at a time is processed by application.

A single threadedapplication has one sequential flow of control. In this application, one unit of work is processed at a time by the applica

OS/390 OpenEdition provides an S/390 assembler callable

service and

suppo

through the C runtime library. This supportunau horizedenablesmultithreaded

 

 

 

applications to create and delete a RACF ACEE in a

fashion

that

is

me

controlled by the MVS OpenEdition kernel and RACF.unauthorizedThe term

 

 

 

 

refers

to applications

that

are not APF-authorized

and do

not

run

in

or in

a system

storage

protection

key.

 

 

 

 

 

The pthread_security_np

service

enables

multithreaded

applications

to

cust

the security environment of a thread, meaning that the thread can e

different RACF identity than the server. pthreadThe _usesecurityofnp the

 

callable s000000000 the C runtime librarypthread security_np()

API

requires

 

administration

by the security

administrator. Administrative consideratio

MVS OpenEdition

pthread_security_np

callable service

are

discussedOS/390

in

Chapter 7. Administration Considerations39

Page 63
Image 63
IBM GC28-1920-01 manual OS/390 OpenEdition DCE Application Considerations, the DCE Encryption Key