What does an 8 8 40 on an R_DATALIB INITACEE IBM RACF callable service mean?

Document ID : KB000017635
Last Modified Date : 14/02/2018

Description:

What does an 8 8 40 on an R_DATALIB INITACEE IBM RACF callable service mean?

Solution:

The 8 8 40 is received because both of the following conditions are true:

  1. There is no ACID on the security file associated through Certificate Name Filtering with the digital certificate being passed on the R_DATALIB INITACEE IBM RACF callable service.

    In this example, users enter the system with a certificate subject that starts with:

    OU=NJ.OU=Sales.O=ABC Co

    These users are assigned ACID NJDEPT1 if the certificate was issued by the VeriSign certificate authority. If the subject matched but the certificate was issued by another certificate authority, the user is assigned ACID NJDFLT.

    TSS ADD(NJDEPT1) CERTMAP(NJMAP1)
        LABLCMAP('NJ Dept 1 Map')
        TRUST
        IDNFILTR('OU=VeriSign Class 1 Individual Subscriber.O=VeriSign, Inc.L=Internet')
        SDNFILTR('OU=NJ.OU=Sales.O=ABC Co')

    TSS ADD(NJDFLT) CERTMAP(NJDFLT)
        LABLCMAP('NJ Default user')
        TRUST
        SDNFILTR('OU=NJ.OU=Sales.O=ABC Co')

  2. ***AND*** The certificate is not owned by any user on the CA Top Secret Security File.

    To own a certificate created by CA Top Secret, use the TSS GENCERT command.

    Example:

    TSS GENCERT(owning_acid) DIGICERT(digicertname) SUBJECTN(xxxxxxxxxxxxxxxxx)

    To own a certificate not created by CA Top Secret, use the TSS ADD command.

    Example:

    TSS ADD(owning_acid) DIGICERT(digicertname) DCDSN(certificate.dataset) TRUST

Please refer to the CA Top Secret Cookbook for more details about administering digital certificates and Certificate Name Filtering.
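
The decision behind the 8 8 40, as an added Python sketch (not CA Top Secret code and not part of the original document), using the two CERTMAP records from the example. Assumptions: ownership is checked before the filters, and filters are compared with a plain "starts with" test as the text describes; the OWNED entry, the BATCH01 ACID and the non-VeriSign issuer and NY subject are constructed samples.

```python
from dataclasses import dataclass
from typing import Optional

VERISIGN = "OU=VeriSign Class 1 Individual Subscriber.O=VeriSign, Inc.L=Internet"

@dataclass(frozen=True)
class CertMap:
    acid: str
    sdnfiltr: str                    # subject DN filter
    idnfiltr: Optional[str] = None   # issuer DN filter; None means any issuer

# The two CERTMAP records from the example in this document.
CERTMAPS = [
    CertMap("NJDEPT1", "OU=NJ.OU=Sales.O=ABC Co", VERISIGN),
    CertMap("NJDFLT", "OU=NJ.OU=Sales.O=ABC Co"),
]

# Constructed sample: (subject, issuer) of certificates owned by an ACID.
OWNED = {("CN=Batch Server.O=ABC Co", "CN=Internal CA.O=ABC Co"): "BATCH01"}

def resolve_acid(subject, issuer, certmaps=CERTMAPS, owned=OWNED):
    """Return (acid, None), or (None, (8, 8, 40)) when no ACID can be found."""
    # Condition 2: is the certificate owned by an ACID?
    # Checking ownership before the filters is an assumption of this sketch.
    if (subject, issuer) in owned:
        return owned[(subject, issuer)], None
    # Condition 1: Certificate Name Filtering. Maps that also name an issuer
    # are tried first, so NJDFLT only catches what NJDEPT1 does not.
    for needs_issuer in (True, False):
        for m in certmaps:
            if (m.idnfiltr is not None) != needs_issuer:
                continue
            if not subject.startswith(m.sdnfiltr):
                continue
            if needs_issuer and not issuer.startswith(m.idnfiltr):
                continue
            return m.acid, None
    # Neither an owner nor a matching filter: the 8 8 40 case.
    return None, (8, 8, 40)

if __name__ == "__main__":
    nj = "OU=NJ.OU=Sales.O=ABC Co"
    for subj, iss in [(nj, VERISIGN), (nj, "CN=Other CA.O=Example"),
                      ("OU=NY.OU=Sales.O=ABC Co", "CN=Other CA.O=Example")]:
        print(subj, "|", iss, "->", resolve_acid(subj, iss))
```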