Setting up PassTickets

For information about PassTickets, see How it works: PassTickets.

Before you begin

To use PassTickets, the systems involved must meet the following requirements:
  • The PassTicket generation and validation algorithm means that the system that generates the PassTicket (the originating system) and the system that authenticates it (the destination system) must both use a level of RACF® that supports PassTickets.
  • End users must use the same user ID in the destination system as the one that they use in the originating system.
  • Because PassTickets are time-stamped, the system clocks of the destination system and the originating system must be synchronized to within the valid time range. Legacy PassTickets are valid for 10 minutes before or after they are generated; enhanced PassTickets are valid only within the configured validity period, which can be set between 1 second and 10 minutes. The default value for enhanced PassTickets is 1 minute. For more information about system time differences and synchronization, see Using PassTickets in z/OS Security Server RACF Security Administrator's Guide.

Procedure

  1. Define Secure Sign-on keys to enable the external security manager to process PassTickets.
    To process PassTickets, the external security manager uses Secure Sign-on keys that are shared by the originating system and the destination system. You must define a Secure Sign-on key for each destination system. For information about how to do this with RACF by defining profiles in the PTKTDATA resource class, see Using PassTickets in z/OS Security Server RACF Security Administrator's Guide.
  2. Define RACF profiles to allow an originating system to generate a PassTicket.
    It is strongly recommended that you limit PassTicket generation to only those regions that require it. The regions should be set with the system initialization parameter XPTKT=YES. This is the default.
    This is a profile for users on a specific originating system:
    RDEFINE PTKTDATA IRRPTAUTH.applid.* UACC(NONE)
    PERMIT IRRPTAUTH.applid.* CLASS(PTKTDATA) ID(user) ACCESS(UPDATE)
    applid is the generic applid of the originating region. user is the user or group of users allowed to generate PassTickets on this region.
  3. Define RACF profiles to allow a destination region to accept a PassTicket.
    RDEF PTKTDATA applid SSIGNON(key-description) UACC(NONE)

    applid is the generic applid of the destination region.

  4. If RACLIST is used on PTKTDATA, refresh the definitions.
    Issue SETR RACLIST(PTKTDATA) REFRESH.
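The four steps above collected into one batch TSO job, as an added example that is not part of this page or of the product documentation. It assumes constructed names (originating applid CICSORIG, destination applid CICSDEST, RACF group PTGEN) and a placeholder for the masked key; the SSIGNON profile must be defined with the same key on both the originating and the destination system so that the key is shared.

```jcl
//PTKTSET  JOB (ACCT),'PASSTICKET SETUP',CLASS=A,MSGCLASS=X
//* Constructed example: CICSORIG, CICSDEST and PTGEN are assumed names.
//* Step 1 and step 3: the SSIGNON profile for the destination applid
//*   holds the Secure Sign-on key. KEYMASKED takes a 16-hex-digit
//*   value; <16-hex-digit-key> is a placeholder, not a real key.
//*   Run this RDEFINE on both systems so the key is shared.
//* Step 2: IRRPTAUTH.CICSORIG.* limits PassTicket generation on the
//*   originating region to the members of group PTGEN (UACC(NONE)
//*   denies everyone else, so no other region user can generate one).
//* Step 4: SETROPTS REFRESH makes the RACLISTed profiles current.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)
  RDEFINE PTKTDATA CICSDEST SSIGNON(KEYMASKED(<16-hex-digit-key>)) +
          UACC(NONE)
  RDEFINE PTKTDATA IRRPTAUTH.CICSORIG.* UACC(NONE)
  PERMIT IRRPTAUTH.CICSORIG.* CLASS(PTKTDATA) ID(PTGEN) ACCESS(UPDATE)
  SETROPTS RACLIST(PTKTDATA) REFRESH
/*
```

After the job runs, RLIST PTKTDATA IRRPTAUTH.CICSORIG.* AUTHUSER can be used to confirm that only PTGEN holds UPDATE access; the SSIGNON key value itself is never displayed by RLIST.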