Using RACF PassTickets

A RACF® PassTicket is a one-time-only password that is generated by a requesting product or function. The PassTicket is an alternative to the RACF password and removes the need to send RACF passwords across the network in clear text.

PassTickets also make it possible to move the authentication of a mainframe application user ID from RACF to one of these alternatives:

PassTickets are resistant to reuse because they only give one user access to a specific application for approximately 10 minutes. For most applications, once a particular PassTicket is used, the same user cannot use it again for the same application during the same 10-minute interval.

When a /SIGN ON command is received by IMS that contains a PassTicket instead of a password, the signon process fails unless the PassTicket was created using the IMSID as the application name (the name of the PTKTDATA profile). Because the IMSID may not be known to other systems that might enter the signon command, flexibility is provided to allow the use of other names as application names when creating PassTickets. The keyword APPL in the /SIGN ON command allows the end user or program to specify another name (such as the IMS VTAM® application name) rather than the IMSID when creating the PassTicket.

In a VTAM generic resource (VGR) environment, the remote end-user does not know which IMS will be chosen for the connection. The DFSDCxxx PROCLIB member provides a system-wide default application name (replacing IMSID) for all the IMS systems in a generic group. With the use of this replacement name for the application name, the creator of the PassTicket does not have to know which IMS system will be the recipient of the IMS terminal session.

Related reading:
  • For more information about PassTickets, see z/OS® Security Server RACF Macros and Interfaces.
  • For more information on enabling the use of PassTickets, see z/OS Security Server RACF Security Administrator's Guide.