PassTickets
A PassTicket is a one-time only password that is generated for a specific RACF® user ID to sign on to a specific application, by using a shared secret key. A specific PassTicket can be used for authentication only once and it must be used within 10 minutes of being generated. A PassTicket can be used anywhere in z/OS® where a password can be used.
To see which CICS® access methods support PassTickets, see Which authentication method can I use with which access method?
Why use PassTickets?
Using a PassTicket in place of a password means that applications do not have to store passwords (or ask users to reenter them) to authenticate to the destination system. Because a PassTicket can be used only once, it is safer than a password: a PassTicket that is captured cannot be replayed.
You can configure CICS to allow an application to generate a PassTicket for the user that issues the request. This capability is useful when issuing outbound requests to run on z/OS that require basic authentication.
For more information about why you should consider PassTickets, see The RACF PassTicket.
How PassTickets work
The originating system is the system where a PassTicket is generated. The destination system is the system that the signed-on user ID attempts to access with the PassTicket and where the PassTicket is authenticated.
The client on the originating system generates a PassTicket for the destination system by using the RACF PassTicket generator algorithm. For more information, see Incorporating the PassTicket generator algorithm into your program in z/OS Security Server RACF Macros and Interfaces.
If the originating system is CICS, to create a PassTicket for the signed-on user, your application issues the EXEC CICS REQUEST PASSTICKET, REQUEST ENCRYPTPTKT, or FEPI REQUEST PASSTICKET command to request RACF to generate a PassTicket. The regions that can generate a PassTicket are specified with the system initialization parameter XPTKT=YES.
The signed-on user ID attempts to access the destination system. That system authenticates the user ID and PassTicket with RACF. Existing commands and procedures can be used for authentication.
Figure 1 shows how one CICS region creates a PassTicket for a signed-on user to access another system.
When CICS authenticates the user ID and PassTicket, it calls RACF to check whether the PassTicket supplied is for the specified user ID for that region. A check might verify that the specified user ID is connected to the specified group ID.
If the PassTicket times out, for example because of a session failure, your application must generate another one before it attempts to sign on again. Repeated failed sign-on attempts with PassTickets can result in the user ID being revoked. If a user ID is revoked, a request for a PassTicket still succeeds, but an attempt to sign on with that user ID and PassTicket fails.
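The following is an added, illustrative model of the behaviour described above; it is not IBM code and it does not implement the RACF PassTicket generator algorithm (for that, see the z/OS Security Server RACF Macros and Interfaces reference). An HMAC-SHA256 over the user ID, the application name and a timestamp stands in for the real algorithm so that the same properties can be exercised: a shared secret known to both systems, binding of the ticket to one user ID and one application, the 10-minute validity window, single use, and the effect of a revoked user ID (generation still succeeds, sign-on fails). The secret, the application and user names, the 8-character ticket length, and the failure threshold that triggers revocation are constructed assumptions.

```python
import hashlib
import hmac

# Illustrative model only: HMAC-SHA256 stands in for the RACF PassTicket
# generator algorithm. The constants below are assumptions, not RACF values.
VALIDITY_SECONDS = 10 * 60   # the page states a PassTicket must be used within 10 minutes
FAILURE_LIMIT = 3            # constructed threshold; the real revocation policy is site-configured


def generate_passticket(secret: bytes, user_id: str, application: str, now: int) -> str:
    """Originating-system side: derive a ticket for user_id to sign on to application at time now."""
    message = f"{user_id.upper()}|{application.upper()}|{now}".encode()
    digest = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return digest[:8].upper()   # 8 characters, like a RACF PassTicket; the truncation is illustrative


class DestinationSystem:
    """Destination-system side: authenticates (user ID, PassTicket) pairs with the shared secret."""

    def __init__(self, application: str, secret: bytes):
        self.application = application
        self.secret = secret
        self.used = {}        # (user_id, ticket) -> time first accepted; blocks replay
        self.failures = {}    # user_id -> consecutive failed sign-on attempts
        self.revoked = set()

    def _matches_within_window(self, user_id: str, ticket: str, now: int) -> bool:
        # The ticket does not carry its generation time, so every second in the
        # validity window is tried; anything older than the window cannot match.
        for t in range(now - VALIDITY_SECONDS, now + 1):
            expected = generate_passticket(self.secret, user_id, self.application, t)
            if hmac.compare_digest(expected, ticket):
                return True
        return False

    def _fail(self, user_id: str) -> None:
        self.failures[user_id] = self.failures.get(user_id, 0) + 1
        if self.failures[user_id] >= FAILURE_LIMIT:
            self.revoked.add(user_id)

    def authenticate(self, user_id: str, ticket: str, now: int) -> str:
        user_id = user_id.upper()
        if user_id in self.revoked:
            return "REVOKED"
        # Tickets older than the window can no longer validate, so forget them.
        self.used = {k: v for k, v in self.used.items() if now - v <= VALIDITY_SECONDS}
        if (user_id, ticket) in self.used:
            self._fail(user_id)
            return "REPLAY"
        if not self._matches_within_window(user_id, ticket, now):
            self._fail(user_id)
            return "INVALID_OR_EXPIRED"
        self.used[(user_id, ticket)] = now
        self.failures[user_id] = 0
        return "OK"


def demo() -> dict:
    """Walk through the cases the page describes; names and times are constructed."""
    secret = b"constructed-shared-secret"
    dest = DestinationSystem("CICSAPPL", secret)
    t0 = 1_700_000_000
    results = {}
    ticket = generate_passticket(secret, "cicsuser", "CICSAPPL", t0)
    results["fresh"] = dest.authenticate("CICSUSER", ticket, t0 + 30)        # used once, in time
    results["replay"] = dest.authenticate("CICSUSER", ticket, t0 + 60)       # same ticket again
    stale = generate_passticket(secret, "cicsuser", "CICSAPPL", t0 + 100)
    results["expired"] = dest.authenticate("CICSUSER", stale, t0 + 100 + VALIDITY_SECONDS + 1)
    other = generate_passticket(secret, "cicsuser", "OTHERAPP", t0 + 200)    # bound to another application
    results["wrong_app"] = dest.authenticate("CICSUSER", other, t0 + 200)
    # Three failures have now revoked the user ID: a new ticket is still generated, sign-on fails.
    again = generate_passticket(secret, "cicsuser", "CICSAPPL", t0 + 300)
    results["revoked"] = dest.authenticate("CICSUSER", again, t0 + 300)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:10s} -> {outcome}")
```

The destination keeps only the tickets it has accepted inside the current window, which is all it needs to refuse a replay; a ticket older than the window fails the time check before the replay table is ever consulted, which matches the page's point that an expired ticket must be regenerated rather than retried.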
PassTickets are not displayed when the CICS execution diagnostic facility (EDF) is used.
For information about configuring PassTickets, see Implementing PassTickets for secure sign-on.