z/OS Security Server RACF Callable Services


Usage notes

SA23-2293-00

Function code=X'0001':

  1. This service is intended for use by z/OS application servers. The service allows application servers with a GSS-API context token (created with the Kerberos V5 mechanism) to determine the Kerberos client principal associated with the token.
  2. This service requires that the Security Server Network Authentication Service be installed and running. Otherwise, SAF return code 8, RACF® return code 12, and RACF reason code 16 will be returned to the invoker.
  3. In a datasharing sysplex, there must be a Security Server Network Authentication Service instance running on each system in the sysplex. The Security Server Network Authentication Service instances must all be in the same realm and share the same RACF database (if they do not share the same database, they cannot be in the same realm).
  4. An ALET must be specified for the SAF_return_code, RACF_return_code, and RACF_reason_code parameters, and a single ALET specified for all of the remaining parameters.
  5. The parameter list for this callable service is intended to be variable length to allow for future expansion. To allow for this, the last word in the parameter list must have a 1 in the high-order (sign) bit. If the last word in the parameter list does not have a 1 in the high-order (sign) bit, the caller receives a parameter list error. The first parameter that can have the high-order bit on, ending the parameter list, is the Ticket_principal_userid parameter.
  6. A SAF return code 8 and a RACF return code 16 indicate that the Security Server Network Authentication Service was unable to process the input GSS-API token. The return code is passed back to the invoker as the RACF reason code. The following list shows some common return codes:
    • X'861B6D04' (G_BUFFER_ALLOC)=storage not available for GSS-API control block.
    • X'861B6D06' (G_WRONG_SIZE)=client principal name is too long for result buffer.
    • X'861B6D0B' (G_BAD_TOK_HEADER)=the GSS-API token header is incorrect.
    • X'861B6D58' (G_UNEXPECTED_TOKEN)=the GSS-API token was not created by the gss_init_sec_context() function.
    • X'861B6D60' (G_UNSUPPORTED_MECHANISM)=unsupported GSS-API security mechanism.
    • X'96C73A07' (KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN)=the current RACF userid is not associated with a Kerberos principal.
    • X'96C73A20' (KRB5KDC_AP_ERR_TKT_EXPIRED)=Kerberos ticket is expired.
    • X'96C73A25' (KRB5KDC_AP_ERR_SKEW)=client and server clocks are not synchronized or authenticator is expired.
    • X'96C73A90' (KRB5KDC_AP_WRONG_PRINC)=the server principal in the GSS-API security token does not match the principal associated with the current RACF userid.
    • X'96C73C02' (KRB5_NOMEM)=storage not available for Kerberos control block.

Function code=X'0003': The parameter list for this callable service is intended to be variable length to allow for future expansion. To allow for this, the last word in the parameter list must have a 1 in the high-order (sign) bit. If the last word in the parameter list does not have a 1 in the high-order (sign) bit, the caller receives a parameter list error. Only the Application_Id parameter must have its high-order bit set when function_code=X'0003'.
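The terminator rule stated for both function codes (the list may end at Ticket_principal_userid or later for X'0001', and only at Application_Id for X'0003') can be checked before the call is issued. The following is an added example in C, not IBM's code: the 1-based positions of Ticket_principal_userid and Application_Id, the 10-word list bound, and the parameter addresses in the sample lists are assumed or constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Each parameter-list word holds a 31-bit address; the high-order (sign) bit of
 * the LAST word ends a variable-length list. The two positions are ASSUMED for
 * illustration; take the real ones from the R_ticketserv parameter description. */
#define VL_BIT    0x80000000u
#define ADDR_MASK 0x7FFFFFFFu
#define POS_TICKET_PRINCIPAL_USERID 8u   /* assumed 1-based position */
#define POS_APPLICATION_ID          10u  /* assumed 1-based position */
enum plist_status {
    PLIST_OK = 0,
    PLIST_ERR_NO_TERMINATOR,  /* no word carries the sign bit: parameter list error */
    PLIST_ERR_ENDS_TOO_EARLY, /* terminator on a parameter that may not end the list */
    PLIST_ERR_ENDS_TOO_LATE,  /* list continues past the only permitted terminator */
    PLIST_ERR_BAD_FUNCTION
};
/* Scan at most max_words words (never past caller storage); *count receives the
 * number of parameters found, or max_words when no terminator was seen. */
enum plist_status validate_parmlist(const uint32_t *plist, size_t max_words,
                                    size_t min_count, size_t max_count, size_t *count)
{
    for (size_t i = 0; i < max_words; i++) {
        if (plist[i] & VL_BIT) {
            *count = i + 1;
            if (*count < min_count) return PLIST_ERR_ENDS_TOO_EARLY;
            if (*count > max_count) return PLIST_ERR_ENDS_TOO_LATE;
            return PLIST_OK;
        }
    }
    *count = max_words;
    return PLIST_ERR_NO_TERMINATOR;
}
/* Per-function rules from the usage notes. */
enum plist_status validate_for_function(uint16_t fc, const uint32_t *plist,
                                        size_t max_words, size_t *count)
{
    if (fc == 0x0001) /* may end at Ticket_principal_userid or any later parameter */
        return validate_parmlist(plist, max_words, POS_TICKET_PRINCIPAL_USERID, max_words, count);
    if (fc == 0x0003) /* only Application_Id may carry the terminator bit */
        return validate_parmlist(plist, max_words, POS_APPLICATION_ID, POS_APPLICATION_ID, count);
    *count = 0;
    return PLIST_ERR_BAD_FUNCTION;
}
uint32_t parm_address(uint32_t word) { return word & ADDR_MASK; } /* strip the VL flag */
/* Constructed sample lists (addresses made up), 10 words each, and a checker. */
static const uint32_t ends_at_4[10]  = {0x1000, 0x1004, 0x1008, 0x8000100C};
static const uint32_t ends_at_8[10]  = {0x1000, 0x1004, 0x1008, 0x100C, 0x1010, 0x1014, 0x1018, 0x8000101C};
static const uint32_t ends_at_10[10] = {0x1000, 0x1004, 0x1008, 0x100C, 0x1010, 0x1014, 0x1018, 0x101C, 0x1020, 0x80001024};
static const uint32_t no_end[10]     = {0x1000, 0x1004, 0x1008, 0x100C, 0x1010, 0x1014, 0x1018, 0x101C, 0x1020, 0x1024};
enum plist_status check(uint16_t fc, const uint32_t *plist) { size_t n; return validate_for_function(fc, plist, 10, &n); }
```

A list with no terminator within the bound is reported as the parameter list error rather than being scanned further, which is the failure mode the notes warn about.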





Copyright IBM Corporation 1990, 2014