z/OS Security Server RACF General User's Guide


Finding out what Kerberos information RACF has about you

SA23-2298-00

Your user profile might contain Kerberos information about you. The Network Authentication Service component of z/OS® provides Kerberos support. The details RACF® lists from the KERB segment of the user's profile are:
  • The keys allowed for use (ENCRYPT).
  • The local Kerberos principal name (KERBNAME).
  • The maximum ticket life associated with this local principal (MAXTKTLFE).
  • The current Network Authentication Service key version (KEY VERSION). If there is no Network Authentication Service key associated with your user ID, KEY VERSION is not displayed.
  • The authenticator used to generate the current Network Authentication Service keys (KEY FROM).
    • PASSWORD indicates that the current keys were derived from your password.
    • PHRASE indicates that the current keys were derived from your password phrase.
Note: The RACF security administrator controls whether you can view all or some of the details of your Kerberos information.

The Kerberos information in LISTUSER output has the following format:

Figure 1. LISTUSER output: description of the Kerberos information
USER=DJONES

KERB INFORMATION
---------------
  KERBNAME= local Kerberos principal name
  MAXTKTLFE= maximum ticket life, in seconds
  KEY FROM= PASSWORD | PHRASE
  KEY VERSION= Network Authentication Service key version
  KEY ENCRYPTION TYPE= [DES | NODES] [DES3 | NODES3] [DESD | NODESD]
                       [AES128 | NOAES128]  [AES256 | NOAES256]    

To see the Kerberos information contained in your user profile, issue the LISTUSER command as follows:

LISTUSER your-userid KERB NORACF

If there is Kerberos information in your profile, you see output similar to this:

Figure 2. LISTUSER output: sample Kerberos information
USER=DJONES

KERB INFORMATION
---------------
  KERBNAME= KERB01
  MAXTKTLFE= 0000043200
  KEY FROM= PASSWORD
  KEY VERSION= 001
  KEY ENCRYPTION TYPE= NODES DES3 NODESD AES128 NOAES256
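
The following Python example is an addition to this page, not part of the IBM documentation. It parses captured LISTUSER KERB output in the format shown in Figures 1 and 2, including a KEY ENCRYPTION TYPE value wrapped onto a second line, and reports enabled key types that fall outside an allowed set. The names parse_kerb, review and MAXTKTLFE_SECONDS, and the AES-only ALLOWED policy, are assumptions made for the example.

```python
# Constructed sample following the layout of Figure 2.
SAMPLE = """USER=DJONES

KERB INFORMATION
---------------
  KERBNAME= KERB01
  MAXTKTLFE= 0000043200
  KEY FROM= PASSWORD
  KEY VERSION= 001
  KEY ENCRYPTION TYPE= NODES DES3 NODESD AES128 NOAES256
"""

ENC_TYPES = ("DES", "DES3", "DESD", "AES128", "AES256")
ALLOWED = {"AES128", "AES256"}  # assumption: site policy accepts AES keys only


def parse_kerb(listing):
    """Return the KERB fields of one user's LISTUSER output as a dict."""
    fields, in_kerb, last = {}, False, None
    for line in listing.splitlines():
        text = line.strip()
        if text.startswith("USER="):
            fields["USER"] = text[5:].strip()
        elif text == "KERB INFORMATION":
            in_kerb = True
        elif in_kerb and "=" in text:
            last, value = (part.strip() for part in text.partition("=")[::2])
            fields[last] = value
        elif in_kerb and last and text:
            fields[last] += " " + text  # value wrapped onto a second line
    tokens = fields.get("KEY ENCRYPTION TYPE", "").split()
    # Exact token match: "DES" must not match "NODES" or "DES3".
    fields["ENABLED"] = [t for t in ENC_TYPES if t in tokens]
    fields["DISABLED"] = [t for t in ENC_TYPES if "NO" + t in tokens]
    if fields.get("MAXTKTLFE", "").isdigit():
        fields["MAXTKTLFE_SECONDS"] = int(fields["MAXTKTLFE"])
    return fields


def review(fields):
    """Return findings for one parsed KERB segment."""
    findings = []
    if "KEY VERSION" not in fields:  # not displayed when no key exists
        findings.append("no Network Authentication Service key")
    for enc in fields["ENABLED"]:
        if enc not in ALLOWED:
            findings.append(f"{enc} enabled, outside the allowed set")
    return findings
```

Because the security administrator can restrict which KERB fields you see, a field missing from the parsed result can also mean that it was withheld from the listing.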





Copyright IBM Corporation 1990, 2014