Generating IBM RACF PassTickets
An IBM RACF PassTicket is a temporary one-time password that is good for only a short period of time. The generation of the PassTicket requires a Userid and an Application Profile Name. To validate the PassTicket, the same Userid and same Application Profile Name must be used. The Application Profile Name must be defined to IBM RACF as the name of a PTKTDATA profile. IBM® Connect:Direct® allows the specification of a PassTicket Application ID in the AUTH file.
To identify a node as capable of generating PassTickets, the third parameter in the SECURITY.EXIT initialization parm must specify PSTKT as shown in the following example:
If a session is established with another Connect:Direct for z/OS® that also supports PassTicket generation, a PassTicket is generated under the following conditions:
- The PNODE is PassTicket capable.
- The SNODE is PassTicket capable.
- SNODEID= is specified without a password.
- The AUTH file contains an entry for this SNODEID/SNODE and PassTicket information is defined. The Application Profile Name is passed to the Stage 2 security exit to generate the PassTicket.
- The PassTicket is generated using the Application Profile Name and the SNODEID userid.
A generated PassTicket is passed to the SNODE as the Security Password for the SNODEID, along with an indication that a PassTicket is being used. When the SNODE receives a session start with an indication that a PassTicket is being used, it attempts to retrieve the Application Profile Name by looking in the AUTH file for an entry for the SubmitterID/PNODE with the PassTicket information defined. The Application Profile Name and SNODEID userid are used to validate the PassTicket.
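The following simulation is an added example, not IBM's code and not the RACF algorithm. It walks the exchange described above with both sides modelled: the PNODE decides whether to generate a PassTicket from the listed conditions (both nodes PSTKT-capable, SNODEID without a password, an AUTH entry with PassTicket information), and the SNODE resolves the Application Profile Name from its own AUTH file (SubmitterID/PNODE) before validating with the SNODEID userid. Assumptions: the real RACF generation and validation are replaced by a keyed HMAC over userid, profile name and a time slot; the validity window, the one-time check, the signon key and all AUTH entries are constructed values; the SNODE's capability is passed in as a parameter rather than learned during session setup.

```python
import hashlib
import hmac
from typing import Dict, Optional, Set, Tuple

# Constructed stand-ins: the real RACF PassTicket algorithm is not reproduced here.
SIGNON_KEY = b"constructed-secured-signon-key"  # must be identical on both RACF sides
WINDOW_SECONDS = 600                             # constructed validity window
NOW = 1_700_000_000.0                            # fixed clock so the demo is deterministic

# AUTH file model: (userid, node name) -> Application Profile Name, or None if
# the entry carries no PassTicket information.
AuthFile = Dict[Tuple[str, str], Optional[str]]


def is_passticket_capable(security_exit_parm: Tuple[str, ...]) -> bool:
    """Page rule: the third SECURITY.EXIT value must be PSTKT."""
    return len(security_exit_parm) >= 3 and security_exit_parm[2].upper() == "PSTKT"


def make_passticket(userid: str, app_profile: str, now: float) -> str:
    """Keyed stand-in for RACF generation: userid, profile name and time slot."""
    slot = int(now) // WINDOW_SECONDS
    msg = f"{userid.upper():<8}|{app_profile.upper()}|{slot}".encode()
    return hmac.new(SIGNON_KEY, msg, hashlib.sha256).hexdigest()[:8].upper()


def validate_passticket(ticket: str, userid: str, app_profile: str, now: float,
                        used: Set[Tuple[str, str]]) -> bool:
    """Accept the current or previous slot, and accept each ticket only once."""
    key = (userid.upper(), ticket)
    if key in used:
        return False  # replay of a one-time ticket
    for t in (now, now - WINDOW_SECONDS):
        if hmac.compare_digest(ticket, make_passticket(userid, app_profile, t)):
            used.add(key)
            return True
    return False


def pnode_session_start(pnode_parm, snode_parm, snodeid: str, snode_password: Optional[str],
                        snode_name: str, auth_file: AuthFile, now: float):
    """PNODE side: returns (security password, PassTicket indicator)."""
    app_profile = auth_file.get((snodeid, snode_name))
    if (is_passticket_capable(pnode_parm) and is_passticket_capable(snode_parm)
            and snodeid and not snode_password and app_profile):
        return make_passticket(snodeid, app_profile, now), True
    return snode_password, False  # ordinary password path, no PassTicket


def snode_session_start(password: Optional[str], is_passticket: bool, snodeid: str,
                        submitter_id: str, pnode_name: str, auth_file: AuthFile,
                        now: float, used: Set[Tuple[str, str]]) -> str:
    """SNODE side: look up SubmitterID/PNODE in its own AUTH file, then validate."""
    if not is_passticket:
        return "PASSWORD"            # conventional password check, not modelled here
    app_profile = auth_file.get((submitter_id, pnode_name))
    if not app_profile:
        return "NO_PASSTICKET_INFO"  # no profile name available: cannot validate
    ok = validate_passticket(password, snodeid, app_profile, now, used)
    return "ACCEPTED" if ok else "REJECTED"


def demo() -> Dict[str, str]:
    """Run the exchange under several constructed conditions and report outcomes."""
    capable = ("SECUREXT", "ALL", "PSTKT")   # constructed parm values
    pnode_auth: AuthFile = {("USER1", "SNODEB"): "CDAPP"}
    snode_auth: AuthFile = {("SUBMIT1", "PNODEA"): "CDAPP"}
    used: Set[Tuple[str, str]] = set()
    results = {}

    pw, flag = pnode_session_start(capable, capable, "USER1", None, "SNODEB", pnode_auth, NOW)
    results["happy"] = snode_session_start(pw, flag, "USER1", "SUBMIT1", "PNODEA", snode_auth, NOW, used)
    # Same ticket presented again: one-time use rejects it.
    results["replay"] = snode_session_start(pw, flag, "USER1", "SUBMIT1", "PNODEA", snode_auth, NOW, used)
    # SNODE resolves a different Application Profile Name: validation fails.
    results["profile_mismatch"] = snode_session_start(
        pw, flag, "USER1", "SUBMIT1", "PNODEA", {("SUBMIT1", "PNODEA"): "OTHERAPP"}, NOW, set())
    # SNODE has no AUTH entry for SubmitterID/PNODE at all.
    results["missing_entry"] = snode_session_start(pw, flag, "USER1", "SUBMIT1", "PNODEA", {}, NOW, set())
    # Ticket presented two windows later: outside the accepted slots.
    results["expired"] = snode_session_start(
        pw, flag, "USER1", "SUBMIT1", "PNODEA", snode_auth, NOW + 2 * WINDOW_SECONDS, set())
    # SNODEID given with a password: PNODE does not generate a PassTicket.
    pw2, flag2 = pnode_session_start(capable, capable, "USER1", "secret", "SNODEB", pnode_auth, NOW)
    results["with_password"] = snode_session_start(pw2, flag2, "USER1", "SUBMIT1", "PNODEA", snode_auth, NOW, used)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18s} {outcome}")
```

The point the simulation makes visible is that the two AUTH files are consulted with different keys (SNODEID/SNODE on the PNODE, SubmitterID/PNODE on the SNODE) yet must yield the same Application Profile Name; a mismatch or a missing entry on the receiving side fails the session even though the ticket itself is valid.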
PassTickets can also be used to access HFS files.
The following table describes the valid return codes from the stage 2 exit for signon, Process start, or security delete.
| Return code | Meaning |
|---|---|
| 8 | Insufficient access authority; an SAFB008I is issued |
| 20 | Security system inactive (ACF only); an SAFB020I is issued |
If none of the return codes in the previous table are returned, IBM Connect:Direct issues the message SAFB003I.
The valid return codes for the data set create security call are:
| Return code | Meaning |
|---|---|
| 8 | Insufficient access authority; an SVSA908I ABEND is issued |
| 12 | Invalid data in SQCB; a U2250 ABEND is issued |
| 16 | No storage available for GETMAIN; a U2251 ABEND is issued |
| 20 | Security system inactive; IBM Connect:Direct performs a STOP IMMEDIATE |
| 24 | ADJ node not allowed to send (RACF100I) or receive (RACF101I) and the node executing the exit is PNODE |
| 28 | ADJ node not allowed to send (RACF100I) or receive (RACF101I) and the node executing the exit is SNODE |
After control is returned from the exit to the DTF, the return code is set to 8 if the exit ran on the PNODE and to 12 if the exit ran on the SNODE.
If none of the return codes in the previous table are returned, IBM Connect:Direct ends abnormally with a U2252 ABEND.