Enabling Db2 to receive RACF PassTickets

Db2 supports the ability to receive RACF® PassTickets from remote requests.

About this task

This task describes how to enable basic capability for Db2 to receive RACF PassTickets. If you are using PassTickets with RACF protected user IDs or by using PassTickets across a data sharing group, additional setup is required.

Procedure

To enable a Db2 subsystem or data sharing group to receive PassTickets:

Activate the RACF PTKTDATA class by issuing the following RACF commands:
```
SETROPTS CLASSACT(PTKTDATA)
SETROPTS RACLIST(PTKTDATA)
```
Define a PTKTDATA profile with a secured signon application key mask for all Db2 systems that will receive PassTickets from this requesting Db2 subsystem or data sharing group by issuing the following RACF command:
```
RDEFINE PTKTDATA applname SSIGNON(KEYMASKED(key-description)) 
APPLDATA('NO REPLAY PROTECTION')
```
Where:
- applname is either the LUNAME or the IPNAME of a stand-alone Db2 subsystem or the GENERICLU or the IPNAME assigned to each member of a Db2 data sharing group. This value must match the system name as it appears in the LINKNAME column of the SYSIBM.LOCATIONS table of a requesting Db2 subsystem or data sharing group.
- key-description is the secured signon application key.
- The APPLDATA('NO REPLAY PROTECTION') parameter is required if PassTickets of any PTKTDATA profile are generated faster than one per second.
This profile must be available to both the Db2 subsystem or to each member of a data sharing group that sends the PassTicket and the Db2 subsystem or data sharing group that receives that PassTicket, and both instances of this profile must match.

For more information about secured signon PTKTDATA profiles, see the RACF topic Defining profiles in the PTKTDATA class.
Refresh the RACF PTKTDATA definition with the new profiles by issuing the following command:
```
SETROPTS RACLIST(PTKTDATA) REFRESH
```

Example

The following example shows the RACF commands that define a secured signon PTKTDATA profile for SYEC1GLU and that enable the new PTKTDATA profile:

RDEFINE PTKTDATA SYEC1GLU SSIGNON(KEYMASKED(F0123456789ABCDE)) 
APPLDATA('NO REPLAY PROTECTION') SETROPTS RACLIST(PTKTDATA) REFRESH

What to do next

To send RACF PassTickets from a Db2 subsystem or data sharing group, complete the steps in Enabling Db2 to send RACF PassTickets.
If you are using PassTickets across a data sharing environment, complete the steps in Enabling caching of MFA-based authentication credentials for clients with sysplex workload balancing.
If you are using RACF protected user IDs, complete the steps in Enabling Db2 to receive RACF PassTickets for authenticating protected user IDs (deprecated)¹.

Notes:

Receiving RACF PassTickets for authentication of RACF protected user IDs is deprecated. This deprecation does not apply to RACF PassTickets in general or any other use for them in Db2 for z/OS®.