at our shop we got a means to generate RACF passtickets based on the Users Windows-Credentials which we use for most accesses to z/OS systems. Currently CICSExplorer is one of the few Applications where the user still has to enter their RACF-Password.
Is there any way to create a plugin to enable the use of generated passtickets instead of using passwords?
Thanks for any suggestions.
This topic has been locked.
2 replies Latest Post - 2013-03-12T08:48:23Z by SystemAdmin
Pinned topic Using passtickets in CICS Explorer
Answered question This question has been answered.
Unanswered question This question has not been answered yet.
Updated on 2013-03-12T08:48:23Z at 2013-03-12T08:48:23Z by SystemAdmin
JoeWinchester 110000DQA032 PostsACCEPTED ANSWER
Re: Using passtickets in CICS Explorer2013-03-07T10:17:42Z in response to SystemAdminHi,
Currently there is no way to use passtickets with the CICS Explorer. It's something we've always thought we would do when someone asked for it - so thanks for your post.
One thing that passtickets do is prevent the need for a password to ever flow "in clear text across a network connection (and in theory be vulnerable to some kind of man in the middle attack). If your TCP/IP connection is set to use SSL, and if the CICS Explorer connection is set to use SSL, then we will never flow the password or user ID in the clear. We made some improvements in CICS Explorer 5.1 for security (which doesn't need CICS TS 5.1 - it connects to all inservice releases of CICS and is our most current release)
I'm keen to learn about how you envisage this should work in the CICS Explorer - who is it that generates the passticket - is it the user of the application who generates one that you'd want to copy and paste into the explorer - or would the explorer user request the passticket and get e-mailed it - or would you want the CICS Explorer to generate the passticket and then use it ?
Best regards and many thanks,
SystemAdmin 110000D4XK270 PostsACCEPTED ANSWER
Re: Using passtickets in CICS Explorer2013-03-12T08:48:23Z in response to JoeWinchesterHi,
thanks for your answer.
For the most part this is about our developers convenience.
The plan runs along the following lines:
When CICS-Explorer tries to establish a CICS-Connection it contacts our own Passticket-Factory that int the authenticates the user based on its Windows-Session (via Kerberos) and provides the passticket that is then used in the CICS-Request.
My current thougts revolve around something like the ability to provide our own credentials-type via some plugin, so we would need an extension-point somewhere round there.
Thanks in advance for considering this issue.