Function code=X'0001':
- This service is intended for use by z/OS application
servers. The service allows application servers with a GSS-API context
token (created with the Kerberos V5 mechanism) to determine the Kerberos
client principal associated with the token.
- This service requires that the Security Server Network Authentication Service be installed
and running. Otherwise, SAF return code 8, RACF® return code 12, and RACF reason code 16 will be returned to the
invoker.
- In a datasharing sysplex, there must be a Security Server Network Authentication Service instance
running on each system in the sysplex. The Security Server Network Authentication Service instances
must all be in the same realm and share the same RACF database (if they do not share the same
database, then they cannot be in the same realm).
- An ALET must be specified for the SAF_return_code, RACF_return_code,
and RACF_reason_code parameters, and a single ALET specified for all
of the remaining parameters.
- The parameter list for this callable service is intended to be
variable length to allow for future expansion. To allow for this,
the last word in the parameter list must have a 1 in the high-order
(sign) bit. If the last word in the parameter list does not have a
1 in the high-order (sign) bit, the caller receives a parameter list
error. The first parameter that can have the high-order bit on, ending
the parameter list, is the Ticket_principal_userid parameter.
- A SAF return code 8 and a RACF return
code 16 indicate that the Security Server Network Authentication Service was
unable to process the input GSS-API token. Its return code is passed
back to the invoker as the RACF reason
code. The following list shows some common return codes:
  - X'861B6D04' (G_BUFFER_ALLOC)=storage not available for GSS-API
    control block.
  - X'861B6D06' (G_WRONG_SIZE)=client principal name is too long for
    result buffer.
  - X'861B6D0B' (G_BAD_TOK_HEADER)=the GSS-API token header is incorrect.
  - X'861B6D58' (G_UNEXPECTED_TOKEN)=the GSS-API token was not created
    by the gss_init_sec_context() function.
  - X'861B6D60' (G_UNSUPPORTED_MECHANISM)=unsupported GSS-API security
    mechanism.
  - X'96C73A07' (KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN)=the current RACF userid is not associated with
    a Kerberos principal.
  - X'96C73A20' (KRB5KDC_AP_ERR_TKT_EXPIRED)=Kerberos ticket is expired.
  - X'96C73A25' (KRB5KDC_AP_ERR_SKEW)=Client and server clocks are
    not synchronized or authenticator is expired.
  - X'96C73A90' (KRB5KDC_AP_WRONG_PRINC)=the server principal in the
    GSS-API security token does not match the principal associated with
    the current RACF userid.
  - X'96C73C02' (KRB5_NOMEM)=storage not available for Kerberos control
    block.
Function code=X'0003': The parameter list for this callable
service is intended to be variable length to allow for future expansion.
To allow for this, the last word in the parameter list must have a
1 in the high-order (sign) bit. If the last word in the parameter
list does not have a 1 in the high-order (sign) bit, the caller receives
a parameter list error. Only the Application_Id parameter must have
its high-order bit set when the function code=X'0003'.
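
The end-of-list convention described for function codes X'0001' and X'0003' can be modelled in portable C. This is an added example, not IBM code and not part of the callable service: the function names, the error values, the sample addresses, and the position used for the first parameter allowed to end the list are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define VL_END_BIT       0x80000000u /* high-order (sign) bit of a 32-bit word */
#define VL_ERR_NO_END    (-1) /* hypothetical code: no word carries the end bit */
#define VL_ERR_TOO_SHORT (-2) /* hypothetical code: list ended too early */

/* Caller side: clear the bit on every word, then set it on the last one. */
void vl_terminate(uint32_t *plist, size_t nwords)
{
    for (size_t i = 0; i < nwords; i++)
        plist[i] &= ~VL_END_BIT;
    if (nwords > 0)
        plist[nwords - 1] |= VL_END_BIT;
}

/* Strip the end-of-list bit to recover the 31-bit parameter address. */
uint32_t vl_address(uint32_t word)
{
    return word & ~VL_END_BIT;
}

/* Service side: count the words in the list. The walk is bounded by
 * max_words so a list with no end bit is rejected instead of being read
 * past its storage. min_words is the 1-based position of the first
 * parameter allowed to end the list (assumed value, not from the page). */
int vl_count(const uint32_t *plist, size_t max_words, size_t min_words)
{
    for (size_t i = 0; i < max_words; i++) {
        if (plist[i] & VL_END_BIT)
            return (i + 1 < min_words) ? VL_ERR_TOO_SHORT : (int)(i + 1);
    }
    return VL_ERR_NO_END;
}

int main(void)
{
    /* Constructed 31-bit addresses standing in for parameter pointers. */
    uint32_t plist[5] = { 0x1000, 0x2000, 0x3000, 0x4000, 0x5000 };

    vl_terminate(plist, 5);
    printf("well-formed list: %d\n", vl_count(plist, 5, 4));
    plist[4] = vl_address(plist[4]);          /* caller forgot the end bit */
    printf("no end bit:       %d\n", vl_count(plist, 5, 4));
    plist[1] |= VL_END_BIT;                   /* list ends before word 4 */
    printf("ended too early:  %d\n", vl_count(plist, 5, 4));
    return 0;
}
```

Both negative results correspond to the parameter list error described above; the real service reports that error through its SAF and RACF return codes, not through these values.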