RACF PassTicket for IMS Connect Client connections to IMS OM

You can use RACF PassTickets as an alternative to passwords to authenticate user IDs for IMS Connect client connections to IMS Operations Manager (OM) for command requests.

PassTickets are an alternative to RACF® passwords and password phrases and provide better security because PassTickets remove the need to send passwords and password phrases across the network in clear text.

For PassTicket support, you are responsible for all definitions to RACF. You need to establish the RACF PassTicket generation routine and to supply the routine to the distributed platform. To use RACF PassTickets, specify the PassTicket in the IRM in place of the password and also specify the application name.

For IMS Connect API for Java clients, the ICON API does not generate RACF PassTickets. Clients are responsible for generating the PassTicket and setting it in the command request message by calling the TmInteraction.setRacfPassword() method. Clients must also specify the application name by calling TmInteraction.setRacfApplName().

The following high-level process describes how an IMS Connect client connection to IMS OM is authenticated with a RACF PassTicket:
  1. The client generates the RACF PassTicket and specifies it in the command request in the IRM_RACF_PW field. It also specifies the application name in the IRM_APPL_NM field.
  2. The client creates a connection to IMS Connect and sends the command request with the generated PassTicket, user ID and application name to IMS Connect.
  3. IMS Connect issues the RACROUTE REQUEST=VERIFY call to RACF to authenticate the user ID of the client connection. On that call, IMS Connect passes the following information:
    • The RACF PassTicket and user ID sent from the client.
    • The application name sent from the client.
    Note: The application name should be defined to the RACF PTKTDATA class. The user ID should be permitted access to this application name.

Procedure

To use a RACF PassTicket from an IMS Connect client to IMS OM, you need to define the PassTicket class, application profile, application name and user ID in RACF. Perform the following steps:

  1. Add a user ID.
    ADDUSER <authUserId> PASSWORD(<authUserIdPassword>)
    SETROPTS RACLIST(APPL PTKTDATA) REFRESH
  2. Activate the APPL and PTKTDATA classes.
    SETROPTS CLASSACT(APPL PTKTDATA)
    SETROPTS RACLIST(APPL PTKTDATA) REFRESH

    The PTKTDATA class is where all profiles that use PassTickets are defined.

  3. Define, in the APPL class, the name of the application to which users require access.
    RDEFINE APPL <applName> UACC(NONE)
  4. Define the application name profile in the PTKTDATA class with the specified secured signon key.

    The client uses the secured signon key to generate the PassTicket. The server uses the secured signon key to authenticate the PassTicket.

    RDEFINE PTKTDATA <applName> SSIGNON(KEYMASKED(<signonKey>))
  5. Grant the defined user read access to the application profile in the APPL class. The user ID can then be authenticated with a PassTicket.
    PERMIT <applName> CLASS(APPL) ID(<authUserId>) ACCESS(READ)
  6. Refresh the APPL class and the PTKTDATA class to activate the changes.
    SETROPTS RACLIST(APPL PTKTDATA) REFRESH
    RLIST APPL <applName> AU
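As an added check that is not part of the IBM documentation, the following Python parses the output of the final RLIST APPL <applName> AU command to confirm that the APPL profile still has UACC(NONE) and that the client user ID holds READ access. The embedded sample is constructed to approximate the RLIST AUTHUSER layout (not captured from a real system); the profile, owner and user names are placeholders.

```python
# Constructed sample approximating RLIST APPL <applName> AU output.
# Not a real capture; names are placeholders.
SAMPLE_RLIST = """\
CLASS      NAME
-----      ----
APPL       IMSOMAPL

LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    SYSADM          NONE              ALTER    NO

USER      ACCESS   ACCESS COUNT
----      ------   ------ -----
IMSCLNT1  READ     000000
OPERXYZ   NONE     000000
"""

# RACF access levels in increasing order of authority.
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


def parse_rlist(text):
    """Return (profile name, universal access, {user ID: access}) from RLIST AUTHUSER output."""
    profile, uacc, users = None, None, {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("APPL "):
            # "APPL <profile>" under the CLASS/NAME header
            profile = line.split()[1]
        elif line.startswith("LEVEL") and i + 2 < len(lines):
            # Data row is two lines below the header: LEVEL OWNER UACC YOUR-ACCESS WARNING
            uacc = lines[i + 2].split()[2]
        elif line.startswith("USER "):
            # Access list rows follow the USER/ACCESS header and its underline
            for entry in lines[i + 2:]:
                parts = entry.split()
                if len(parts) < 2:
                    break  # blank line ends the access list section
                users[parts[0]] = parts[1]
    return profile, uacc, users


def passticket_access_ok(text, appl_name, user_id):
    """True only if the listed profile matches appl_name, UACC is NONE (no implicit
    access for every user) and user_id has at least READ on the APPL profile."""
    profile, uacc, users = parse_rlist(text)
    if profile != appl_name.upper() or uacc != "NONE":
        return False
    granted = users.get(user_id.upper(), "NONE")
    return ACCESS_RANK.get(granted, 0) >= ACCESS_RANK["READ"]
```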