ISPF PassTicket support

PassTickets establish thread security within the ISPF daemon.

Client passwords are only used to verify identities during connections. Afterwards, PassTickets are used to maintain thread security. PassTickets are system-generated passwords with a lifespan of about 10 minutes. The generated PassTickets are based on a secret key. This key is a 64-bit number (16 hex characters). Replace the key16 placeholder with a user-supplied 16-character hex string (characters 0-9 and A-F) in the following sample RACF commands.
  • RDEFINE PTKTDATA BLZAPPL UACC(NONE) SSIGNON(KEYMASKED(key16)) -
    APPLDATA('NO REPLAY PROTECTION - DO NOT CHANGE') -
    DATA('EWM')
    The following example shows the command with the key16 value replaced:
    RDEFINE PTKTDATA BLZAPPL UACC(NONE) -
    DATA('EWM') -
    APPLDATA('NO REPLAY PROTECTION - DO NOT CHANGE') -
    SSIGNON(KEYMASKED(0123456789ABCDEF))
  • SETROPTS RACLIST(PTKTDATA) REFRESH
Notes:
  1. If the PTKTDATA class is already defined, verify that it is defined as a generic class before creating the profiles listed previously.
  2. If the system has a cryptographic product installed and available, you can encrypt the secured signon application key for added protection. Use the KEYENCRYPTED keyword instead of KEYMASKED. Refer to the Security Server RACF Security Administrator's Guide (SA22-7683) for more information.
  3. If you want to use an application ID other than BLZAPPL, change BLZAPPL to an application ID that meets your needs. Ensure that you change the definition in the APPL class shown in Application protection for the ISPF daemon. Also, ensure that you set the _ISPF_DAEMON_APPLID property in the ispfdmn.conf file to the changed value before you start the ISPF daemon. See ISPF daemon configuration file (ispfdmn.conf) for details.
A profile in the FACILITY class is provided to define who can generate PassTickets. This profile must exist or PassTicket generation fails. The user ID requesting a PassTicket must have read access to this profile. Use the following sample RACF commands to create a profile:
  • RDEFINE FACILITY BLZ.CONNECT.BLZAPPL UACC(NONE) -
    DATA('EWM')
  • PERMIT BLZ.CONNECT.BLZAPPL CLASS(FACILITY) ACCESS(READ) ID(JAZZWORK)
  • SETROPTS RACLIST(FACILITY) REFRESH
Notes:
  1. This profile uses the application ID as the last part of the profile. It must match the application ID being used to generate the PassTicket. If the application ID is set to a different value, this profile must be set up using the changed application ID.
  2. Following normal System Authorization Facility (SAF) rules, a generic profile can cover all application IDs on a system. For example: BLZ.CONNECT.*.
  3. All users of the ISPF daemon need to have READ access to this profile. You can provide access by adding a PERMIT for the specific user, a PERMIT for a group that the user is in, or by specifying UACC(READ) on the profile so that all users can generate PassTickets.
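The notes above tie three things together: the key16 value, the APPLID in the PTKTDATA, APPL and FACILITY profiles, and the _ISPF_DAEMON_APPLID property in ispfdmn.conf. The following Python helper is an added example (not part of this page or of the ISPF daemon) that validates a key16 string, renders the page's RACF commands for a chosen APPLID, and checks a constructed profile inventory for the mismatches the notes warn about; the APPLID character rule and the wildcard approximation of RACF generics are assumptions.

```python
from __future__ import annotations
import re
from fnmatch import fnmatchcase

# Constructed ispfdmn.conf fragment (not from a real system); the property name
# _ISPF_DAEMON_APPLID is the one the page documents.
SAMPLE_ISPFDMN_CONF = "# constructed sample\n_ISPF_DAEMON_APPLID=BLZAPPL\n"

KEY16_RE = re.compile(r"^[0-9A-F]{16}$")       # 64-bit key: 16 hex chars, 0-9 and A-F per the page
APPLID_RE = re.compile(r"^[A-Z0-9@#$]{1,8}$")  # assumption: 1-8 RACF name characters

def valid_key16(key: str) -> bool:
    """The PTKTDATA secret key must be exactly 16 hex characters (0-9, A-F)."""
    return KEY16_RE.match(key) is not None

def applid_from_conf(conf_text: str) -> str:
    """Return _ISPF_DAEMON_APPLID from ispfdmn.conf text; BLZAPPL is the page's default."""
    for line in conf_text.splitlines():
        if line.strip().startswith("_ISPF_DAEMON_APPLID="):
            return line.split("=", 1)[1].strip()
    return "BLZAPPL"

def racf_commands(applid: str, key16: str, group: str = "JAZZWORK") -> list[str]:
    """Render the page's RDEFINE/PERMIT/SETROPTS commands for one APPLID.
    A trailing '-' is the TSO line-continuation character used in the page's sample."""
    if not valid_key16(key16):
        raise ValueError("key16 must be 16 hex characters 0-9/A-F")
    if not APPLID_RE.match(applid):
        raise ValueError("APPLID must be 1-8 characters")
    return [
        f"RDEFINE PTKTDATA {applid} UACC(NONE) -",
        "  DATA('EWM') -",
        "  APPLDATA('NO REPLAY PROTECTION - DO NOT CHANGE') -",
        f"  SSIGNON(KEYMASKED({key16}))",
        "SETROPTS RACLIST(PTKTDATA) REFRESH",
        f"RDEFINE FACILITY BLZ.CONNECT.{applid} UACC(NONE) DATA('EWM')",
        f"PERMIT BLZ.CONNECT.{applid} CLASS(FACILITY) ACCESS(READ) ID({group})",
        "SETROPTS RACLIST(FACILITY) REFRESH",
    ]

def profile_mismatches(applid: str, defined: dict[str, list[str]]) -> list[str]:
    """Report the PTKTDATA, APPL and FACILITY profiles that do not cover the APPLID.
    `defined` maps class to profile names (a constructed inventory, not RLIST output);
    a RACF generic such as BLZ.CONNECT.* is approximated with a plain '*' wildcard."""
    expected = {"PTKTDATA": applid, "APPL": applid, "FACILITY": f"BLZ.CONNECT.{applid}"}
    return [f"{cls} profile {name} not covered" for cls, name in expected.items()
            if not any(fnmatchcase(name, p) for p in defined.get(cls, []))]
```

Run profile_mismatches with the APPLID read from your own ispfdmn.conf to catch the case in note 3 of the first list, where the APPLID was changed in one place but not the others.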

After logon, PassTickets are used to establish thread security within the ISPF daemon. This feature cannot be disabled. PassTickets are system-generated passwords with a lifespan of about 10 minutes. The generated PassTickets are based upon the DES encryption algorithm, the user ID, the application ID, a time and date stamp, and a secret key. This secret key is a 64-bit number (16 hex characters) that must be defined to your security software.

To help you understand PassTicket usage, a brief description of the ISPF daemon's security process follows:
  1. The ISPF client connects to ISPF daemon port 4152.
  2. The ISPF daemon authenticates the client, using the credentials presented by the client.
  3. The ISPF daemon creates a unique client ID and an ISPF server thread.
  4. The ISPF daemon generates a PassTicket and creates a security environment for the client, using the PassTicket as the password.
  5. The ISPF daemon validates the client using the client ID.
  6. The ISPF daemon uses a newly generated PassTicket as the password for all future actions requiring a password.

The actual password of the client is no longer needed after initial authentication because SAF-compliant security products can evaluate both PassTickets and regular passwords. The ISPF daemon generates and uses a PassTicket each time a password is required, resulting in a (temporary) valid password for the client.

Using PassTickets allows the ISPF daemon to set up a user-specific security environment without needing to store all user IDs and passwords in a table, which could be compromised. Using PassTickets also allows for client authentication methods that do not use reusable passwords, such as X.509 certificates.

Security profiles in the APPL and PTKTDATA classes are required to use PassTickets. These profiles are application specific and do not impact your current system setup.

Because PassTickets are application specific, the ISPF daemon must use a unique application ID (APPLID). By default, the ISPF daemon uses BLZAPPL as the APPLID.
Attention: The client connection request fails if PassTickets are not set up correctly.