RACF Secured Sign-on for ONC RPC clients
Stabilized feature: CICS® support for Open Network Computing Remote Procedure Call (ONC RPC) is stabilized. Consider exposing and orchestrating applications as API services by using z/OS Connect Enterprise Edition or CICS web services, or by writing web applications in Java or Node.js. See also Stabilization notices and discontinued functions.
RACF® Secured Sign-on support allows RPC clients to gain security access to CICS facilities by sending a PassTicket. This avoids the security hazard of a password being transmitted across the network in clear text.
PassTicket generation for ONC RPC clients
The algorithm that generates the PassTicket for an ONC RPC client is a function of the following items:
- The CICS user ID of the client.
- The CICS application ID of the CICS region running CICS ONC RPC.
- A secured sign-on application key, known to both sides.
- A time and date stamp.
To generate the PassTicket, the RPC client must:
- Know its CICS user ID, the server CICS application ID, and the application key.
- Synchronize its clock to within ten minutes of the server.
- Have access to the encryption algorithm on its machine. Only the DES algorithm may be used.
For further information, see z/OS Security Server RACF System Programmer's Guide. That guide gives details of the algorithm that the RPC client must use to generate the PassTicket; the algorithm includes the DES algorithm.
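The client-side prerequisites listed above can be checked before any PassTicket is generated. The following is an added example, not code from the original page or from IBM; it does not implement the PassTicket algorithm itself. The function name `preflight`, the sample values, the 1-8 character limit on the user ID and application ID, and the 16-hexadecimal-digit key format are assumptions; only the ten-minute limit comes from the text.

```python
import re
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=10)            # from the page: within ten minutes of the server
NAME_RE = re.compile(r"[A-Z0-9@#$]{1,8}")   # assumption: 1-8 character user ID / applid
KEY_RE = re.compile(r"[0-9A-Fa-f]{16}")     # assumption: 64-bit DES key as 16 hex digits


def preflight(user_id, applid, key_hex, client_time, server_time):
    """Return a list of problems; an empty list means generation can proceed.

    Messages never echo the application key, so they are safe to log.
    """
    problems = []
    if not NAME_RE.fullmatch(user_id):
        problems.append("user ID is not 1-8 characters of A-Z, 0-9, @, #, $")
    if not NAME_RE.fullmatch(applid):
        problems.append("application ID is not 1-8 characters of A-Z, 0-9, @, #, $")
    if not KEY_RE.fullmatch(key_hex):
        problems.append("application key is not 16 hexadecimal digits")

    # Naive datetimes hide the time zone; a client stamping local time instead
    # of UTC can be hours outside the window while appearing synchronized.
    if client_time.tzinfo is None or server_time.tzinfo is None:
        problems.append("timestamps must be time-zone aware")
    else:
        skew = abs(client_time - server_time)
        if skew > MAX_SKEW:
            problems.append(f"clock skew of {int(skew.total_seconds())}s exceeds "
                            f"{int(MAX_SKEW.total_seconds())}s")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    server = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    client = server + timedelta(minutes=11)
    for problem in preflight("RPCUSER", "CICSAPPL", "0123456789ABCDEF", client, server):
        print("cannot generate PassTicket:", problem)
```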