z/OS Security Server RACF Security Administrator's Guide


Using the secured signon function

SA23-2289-00

If your installation includes workstations and client machines that are operating in a client/server environment, you might want to use the RACF® secured signon function to provide enhanced security across a network. The secured signon function provides an alternative to the RACF password and password phrase called a PassTicket, which allows workstations and client machines to communicate with a host without using a RACF password or password phrase.

The secured signon function removes the need to send RACF passwords and password phrases across the network and allows you to move the user authentication part of signing on to a host from RACF to another product or function. End users of an application can use the PassTicket to authenticate their user IDs and log on to computer systems that contain RACF.

This topic describes the PassTicket and how to set up the secured signon environment. It includes information about:
  • Activating the PTKTDATA class
  • Defining profiles in the PTKTDATA class
  • The process RACF uses to validate a password or PassTicket
  • Enabling the use of PassTickets

For information about the programming that is needed for an application to generate a PassTicket, see z/OS Security Server RACF System Programmer's Guide.

A RACF PassTicket is resistant to reuse because it is valid only for one user ID, one specific application, and approximately 10 minutes. For most applications, once a particular PassTicket has been used, the same user cannot use it again for the same application during the same 10-minute interval.

RACF provides another level of protection against reuse by keeping a copy of every valid PassTicket that has been used, for the duration of the 10-minute interval in which it could still be presented again. For performance reasons, RACF keeps this record in main storage. If an application can run at the same time on more than one system, each with its own storage, the record of used PassTickets is not shared across those systems, so this level of reuse protection might not be available.
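The following is an added illustration, not RACF code and not the PassTicket algorithm (which is described in the System Programmer's Guide). It models only the two reuse-protection properties described above: a ticket is accepted for one user and one application within an approximately 10-minute window, and a used ticket is remembered for the rest of that window so it cannot be presented again. The cache is held in the memory of a single instance, which is exactly why two separate systems running the same application do not protect each other against replay. The user ID ALICE, the application name PAYROLL, the ticket value and the timestamps are constructed sample input; the caller is assumed to have already verified the ticket value itself.

```python
"""Illustrative in-memory replay cache for one-time, time-limited tickets.

Added example, not RACF code. VALIDITY_SECONDS models the approximately
10-minute interval described in the text; everything else is an assumption
made for illustration.
"""
from dataclasses import dataclass, field

VALIDITY_SECONDS = 600  # approximately 10 minutes, as described in the text


@dataclass
class ReplayCache:
    """Record of used (user, application, ticket) tuples in one system's memory.

    Each entry is kept only until the ticket's own validity interval ends;
    after that the ticket fails time validation anyway and need not be kept.
    """
    used: dict = field(default_factory=dict)  # (user, appl, ticket) -> expiry time

    def _expire(self, now: float) -> None:
        """Drop entries whose validity interval has already elapsed."""
        stale = [key for key, expiry in self.used.items() if now >= expiry]
        for key in stale:
            del self.used[key]

    def check_and_record(self, user: str, appl: str, ticket: str,
                         issued_at: float, now: float) -> str:
        """Accept a ticket once within its window; reject replays and expiry.

        Returns 'ACCEPT', 'REJECT-EXPIRED' or 'REJECT-REPLAY'. The ticket value
        is assumed to have been verified already for (user, appl, issued_at);
        this routine only enforces the time window and single use. A ticket
        whose issue time lies in the future is treated as invalid here.
        """
        self._expire(now)
        age = now - issued_at
        if age < 0 or age >= VALIDITY_SECONDS:
            return "REJECT-EXPIRED"
        key = (user, appl, ticket)
        if key in self.used:
            return "REJECT-REPLAY"
        self.used[key] = issued_at + VALIDITY_SECONDS
        return "ACCEPT"


def demo_two_systems() -> tuple:
    """Show the caveat from the text: per-system memory weakens replay protection.

    Constructed input: one ticket for user ALICE on application PAYROLL,
    presented to two systems that do not share memory.
    """
    sys_a, sys_b = ReplayCache(), ReplayCache()  # separate main storage
    t0 = 1_000_000.0                              # constructed issue time
    ticket = ("ALICE", "PAYROLL", "A1B2C3D4")
    first = sys_a.check_and_record(*ticket, t0, t0 + 5)        # ACCEPT
    replay_same = sys_a.check_and_record(*ticket, t0, t0 + 30)  # REJECT-REPLAY
    replay_other = sys_b.check_and_record(*ticket, t0, t0 + 30) # ACCEPT: not shared
    late = sys_b.check_and_record(*ticket, t0, t0 + 700)        # REJECT-EXPIRED
    return first, replay_same, replay_other, late


if __name__ == "__main__":
    print(demo_two_systems())
```

The third result is the point of the caveat: the same ticket that system A correctly refuses to honour a second time is accepted by system B, because B has no record of A's use. Closing that gap requires a record shared across the systems, which the text notes RACF's main-storage cache does not provide.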





Copyright IBM Corporation 1990, 2014