Generating IBM RACF PassTickets

An IBM RACF PassTicket is a temporary one-time password that is good for only a short period of time. The generation of the PassTicket requires a Userid and an Application Profile Name. To validate the PassTicket, the same Userid and same Application Profile Name must be used. The Application Profile Name must be defined to IBM RACF as the name of a PTKTDATA profile. IBM® Connect:Direct® allows the specification of a PassTicket Application ID in the AUTH file.

To identify a node as capable of generating PassTickets, the third parameter in the SECURITY.EXIT initialization parm must specify PSTKT as shown in the following example:

SECURITY.EXIT=(module name,DATASET|ALL,PSTKT)

If a session is established with another IBM Connect:Direct for z/OS® that also supports PassTicket generation, a PassTicket is generated under the following conditions:

  • The PNODE is PassTicket capable.
  • The SNODE is PassTicket capable.
  • SNODEID= is specified without a password.
  • The AUTH file contains an entry for this SNODEID/SNODE and PassTicket information is defined. The Application Profile Name is passed to the Stage 2 security exit to generate the PassTicket.
  • The PassTicket is generated using the Application Profile Name and the SNODEID userid.

A generated PassTicket is passed to the SNODE as the Security Password for the SNODEID, along with an indication that a PassTicket is being used. When the SNODE receives a session start with an indication that a PassTicket is being used, it attempts to retrieve the Application Profile Name by looking in the AUTH file for an entry for the SubmitterID/PNODE with the PassTicket information defined. The Application Profile Name and SNODEID userid are used to validate the PassTicket.
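The generate-and-validate flow described above, modelled as an added Python example (not Connect:Direct code): the PNODE checks the listed conditions and its AUTH entry before generating, and the SNODE looks up its own AUTH entry, validates with the SNODEID userid, and rejects a reused ticket. The keyed-hash ticket function, the AUTH dictionaries, the shared key and the node and user names are constructed stand-ins; this is not the RACF PassTicket algorithm.

```python
import hashlib
import hmac

# Constructed AUTH-file model: (userid, node) -> PassTicket Application Profile Name.
# PNODE side is keyed by SNODEID/SNODE, SNODE side by SubmitterID/PNODE.
PNODE_AUTH = {("CDUSER1", "SNODEB"): "CDAPPL"}
SNODE_AUTH = {("CDUSER1", "PNODEA"): "CDAPPL"}

# Hypothetical shared key; a stand-in for the RACF secured-signon key, not its algorithm.
SECRET = b"constructed-shared-key"

def make_ticket(userid, appl, now):
    # Stand-in: keyed hash over userid, Application Profile Name and a 1-minute window,
    # so the ticket is bound to both names and expires quickly.
    window = int(now) // 60
    msg = f"{userid}|{appl}|{window}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:8].upper()

def pnode_start_session(pnode_capable, snode_capable, snodeid, snode_password, snode_name, now):
    """Return the session-start security fields (password + PassTicket indicator), or None."""
    if not (pnode_capable and snode_capable):          # both nodes must be PassTicket capable
        return None
    if snodeid is None or snode_password is not None:  # SNODEID= given without a password
        return None
    appl = PNODE_AUTH.get((snodeid, snode_name))       # AUTH entry with PassTicket info
    if appl is None:
        return None
    return {"snodeid": snodeid, "password": make_ticket(snodeid, appl, now), "passticket": True}

class SnodeValidator:
    def __init__(self):
        self.used = set()  # a PassTicket is one-time: remember tickets already accepted

    def validate(self, msg, submitter, pnode_name, now):
        if not msg.get("passticket"):
            return False
        appl = SNODE_AUTH.get((submitter, pnode_name))  # SubmitterID/PNODE entry
        if appl is None:
            return False
        expected = make_ticket(msg["snodeid"], appl, now)  # SNODEID userid + profile name
        if not hmac.compare_digest(expected, msg["password"]) or msg["password"] in self.used:
            return False
        self.used.add(msg["password"])
        return True
```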

PassTickets can also be used to access HFS files.

Return Codes

The following table describes the valid return codes from the stage 2 exit for signon, Process start, or security delete.

RC   Description
0    No error
8    Insufficient access authority; an SAFB008I is issued
20   Security system inactive (ACF only); an SAFB020I is issued

If none of the return codes in the previous table are returned, IBM Connect:Direct issues the message SAFB003I.

Note: If SQMSGYES is on, IBM Connect:Direct does not overlay the message ID set by the exit, and the Process ends with the message set by the exit.

The valid return codes for the data set create security call are:

RC   Description
0    No error
8    Insufficient access authority; an SVSA908I ABEND is issued
12   Invalid data in SQCB; a U2250 ABEND is issued
16   No storage available for GETMAIN; a U2251 ABEND is issued
20   Security system inactive; IBM Connect:Direct performs a STOP IMMEDIATE
24   ADJ node not allowed to send (RACF100I) or receive (RACF101I) and the node executing the exit is PNODE
28   ADJ node not allowed to send (RACF100I) or receive (RACF101I) and the node executing the exit is SNODE

After control is returned from the exit to the DTF, the return code is set to 8 if the exit was run from PNODE and to 12 if the exit was run from SNODE.

If none of the return codes in the previous table are returned, IBM Connect:Direct ends abnormally with a U2252 ABEND.