ISPF PassTicket support
PassTickets establish thread security within the ISPF daemon.
The following example shows the command with the key16 value replaced:RDEFINE PTKTDATA BLZAPPL UACC(NONE) SSIGNON(KEYMASKED(key16)) APPLDATA('NO REPLAY PROTECTION – DO NOT CHANGE') DATA('EWM')
RDEFINE PTKTDATA BLZAPPL UACC(NONE) - DATA('EWM') - APPLDATA('NO REPLAY PROTECTION - DO NOT CHANGE') - SSIGNON(KEYMASKED(0123456789ABCDEF))
-
SETROPTS RACLIST(PTKTDATA) REFRESH
- If the PTKTDATA class is already defined, verify that it is defined as a generic class before creating the profiles listed previously.
- If the system has a cryptographic product installed and available, you can encrypt the secured signon application key for added protection. Use the KEYENCRYPTED keyword instead of KEYMASKED. Refer to Security Server RACF Security Administrator's Guide, (SA22-7683), for more information.
- If you want to use an application ID other than BLZAPPL, change BLZAPPL to an application ID that meets your needs. Ensure that you change the definition in the APPL class shown in Application protection for the ISPF daemon. Also, ensure that you set the _ISPF_DAEMON_APPLID property in the ispfdmn.conf file to the changed value before you start the ISPF daemon. See ISPF daemon configuration file (ispfdmn.conf) for details.
-
RDEFINE FACILITY BLZ.CONNECT.BLZAPPL UACC(NONE) - DATA('EWM') –
-
PERMIT BLZ.CONNECT.BLZAPPL CLASS(FACILITY) ACCESS(READ) ID(JAZZWORK)
-
SETROPTS RACLIST(FACILITY) REFRESH
- This profile uses the application ID as the last part of the profile. It must match the application ID being used to generate the PassTicket. If the application ID is set to a different value, this profile must be set up using the changed application ID.
- Following normal System Authorization Facility (SAF) rules, a generic profile can cover all application IDs on a system. For example : BLZ.CONNECT.*.
- All users of the ISPF daemon need to have READ access to this profile. You can provide access by adding a PERMIT for the specific user, a PERMIT for a group that the user is in, or by specifying UACC=READ on the profile so that all users can generate PassTickets.
After logon, PassTickets are used to establish thread security within the ISPF daemon. This feature cannot be disabled. PassTickets are system-generated passwords with a lifespan of about 10 minutes. The generated PassTickets are based upon the DES encryption algorithm, the user ID, the application ID, a time and date stamp, and a secret key. This secret key is a 64-bit number (16 hex characters) that must be defined to your security software.
- The ISPF client connects to ISPF daemon port 4152.
- The ISPF daemon authenticates the client, using the credentials presented by the client.
- The ISPF daemon creates a unique client ID and an ISPF server thread.
- The ISPF daemon generates a PassTicket and creates a security environment for the client, using the PassTicket as the password.
- The ISPF daemon validates the client using the client ID.
- The ISPF daemon uses a newly generated PassTicket as the password for all future actions requiring a password.
The actual password of the client is no longer needed after initial authentication because SAF-compliant security products can evaluate both PassTickets and regular passwords. The ISPF daemon generates and uses a PassTicket each time a password is required, resulting in a (temporary) valid password for the client.
Using PassTickets allows the ISPF daemon to set up a user-specific security environment, without the need of storing all user IDs and passwords in a table, which could be compromised. Using PassTickets also allows for client authentication methods that do not use reusable passwords, such as X.509 certificates.
Security profiles in the APPL and PTKTDATA classes are required to use PassTickets. These profiles are application specific and do not impact your current system setup.