Authentication using PassTickets

You can use RACF PassTickets to authenticate the user that attempts to log in to OMEGAMON or make a SOAP request. This feature avoids storing passwords in the clear or managing them in the System Automation password data set. It is an enhancement that is delivered with APAR OA64126.

The RACF PassTicket is a one-time-only password that can be generated by System Automation. For more information, see The RACF PassTicket in the z/OS documentation.

Prerequisites

  • To use PassTickets for OMEGAMON log-ins, OMEGAMON authentication must be configured for SAF usage.
  • To use PassTickets for SOAP requests, the Hub TEMS must run on z/OS and Hub TEMS authentication must be configured for SAF usage.

Procedure

To use the z/OS® PassTickets function, complete the following setup activities.

  1. Activate the security class PTKTDATA. Optionally, if you want to use generic profiles, specify the GENERIC option with the command.
    SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA) GENERIC(PTKTDATA)
  2. OMEGAMON security authenticates a user for a given SAF application name, which defaults to CANDLE. Create an application profile for the SAF application in class PTKTDATA. Specify the PassTicket key in the profile. For example, you can use the following approach:
    RDEFINE PTKTDATA CANDLE SSIGNON(EPTKEYLABEL(MY.HMAC.KEY))
  3. Grant access to appropriate users to call the INGOMX command.
    • To use PassTicket for OMEGAMON session authentication, the INGOMX caller must have READ access to the following resource in resource class SYSAUTO.
      AGT.sysplexname.saxcfgrp.RES._PASSTICKET.INGOMX.CLASSIC.userid 
    • To use PassTicket for SOAP request authentication, the INGOMX caller must have READ access to the following resource in resource class SYSAUTO.
      AGT.sysplexname.saxcfgrp.RES._PASSTICKET.INGOMX.SOAP.userid
  4. For the settings to become active, refresh the PTKTDATA and SYSAUTO classes in the RACF® settings by using the SETROPTS command.
    SETROPTS RACLIST(PTKTDATA) REFRESH
    SETROPTS RACLIST(SYSAUTO) REFRESH
  5. In addition, set the NetView SECOPTS.OPERSEC statement in the CNMSTGEN member to either SAFCHECK or SAFDEF. This setting enables granular checking of whether particular users or operators are authorized to create a PassTicket for themselves or for anyone else.
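The steps above as one worked RACF setup, added here as an example that is not taken from the page or from IBM's product code. It assumes constructed names: sysplex PLEX1, automation configuration group SAXCFG1 and operator user ID OPER1; the key label MY.HMAC.KEY is the page's own example. Commands are issued from TSO (foreground or IKJEFT01 batch).

```tso
/* Added example (not from the page): RACF setup for PassTicket use  */
/* by INGOMX. Constructed names: sysplex PLEX1, SA configuration     */
/* group SAXCFG1, operator user ID OPER1.                            */

/* 1. Activate PTKTDATA; GENERIC only if you intend generic profiles */
SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA) GENERIC(PTKTDATA)

/* 2. Application profile for the default SAF application CANDLE;   */
/*    MY.HMAC.KEY is the page's example key label                    */
RDEFINE PTKTDATA CANDLE SSIGNON(EPTKEYLABEL(MY.HMAC.KEY))

/* 3. Discrete SYSAUTO profiles, one per target user ID, so OPER1    */
/*    can obtain PassTickets for OPER1 only (least privilege).       */
RDEFINE SYSAUTO AGT.PLEX1.SAXCFG1.RES._PASSTICKET.INGOMX.CLASSIC.OPER1 +
        UACC(NONE)
PERMIT AGT.PLEX1.SAXCFG1.RES._PASSTICKET.INGOMX.CLASSIC.OPER1 +
        CLASS(SYSAUTO) ID(OPER1) ACCESS(READ)

/*    SOAP requests are protected by the separate SOAP resource      */
RDEFINE SYSAUTO AGT.PLEX1.SAXCFG1.RES._PASSTICKET.INGOMX.SOAP.OPER1 +
        UACC(NONE)
PERMIT AGT.PLEX1.SAXCFG1.RES._PASSTICKET.INGOMX.SOAP.OPER1 +
        CLASS(SYSAUTO) ID(OPER1) ACCESS(READ)

/* 4. Make the changes active in the in-storage profiles             */
SETROPTS RACLIST(PTKTDATA) REFRESH
SETROPTS RACLIST(SYSAUTO) REFRESH

/* 5. Verify: RLIST shows the profile, UACC and its access list      */
RLIST SYSAUTO AGT.PLEX1.SAXCFG1.RES._PASSTICKET.INGOMX.CLASSIC.OPER1 +
        AUTHUSER

/* 6. Not RACF: in the NetView CNMSTGEN member set                   */
/*    SECOPTS.OPERSEC = SAFCHECK   (or SAFDEF)                       */
```

Keeping UACC(NONE) on the SYSAUTO profiles means any user ID not explicitly permitted is denied, and the denial surfaces as message ING168I in the syslog.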

After all updates are made in RACF and in the CNMSTGEN member, PassTickets can be generated and evaluated by System Automation. Every target user that needs to work with the INGOMX command can use a PassTicket to authenticate their user ID.

If authentication fails, message ING168I is issued in the syslog.
ING168I CALLER IS NOT AUTHORIZED TO GENERATE PASSTICKET REASON: reason
If the system is not able to generate a PassTicket, message ING169I is issued in the syslog.
ING169I UNABLE TO GENERATE PASSTICKET REASON: rr

For more information about ING168I and ING169I messages, see the IBM Z® System Automation Messages and Codes manual.