Enabling PassTicket support for IBM Z Database Assistant
You need to enable RACF PassTicket support for IBM Z Database Assistant. IBM Z Database Assistant uses PassTickets for user authorization.
Overview
The RACF PassTicket is a short-lived password that is generated by a requesting product or function. It is an alternative to the RACF password and password phrase that removes the need to send RACF passwords and password phrases across the network.
Important: IBM Z Database Assistant supports both enhanced and legacy PassTickets. However, it is recommended that you use only enhanced PassTickets, because they provide improved security. For information about migrating to enhanced PassTickets on z/OS, see Migrating from legacy PassTickets to enhanced PassTickets.
Environmental scenarios
The RACF commands to be issued depend on your particular IBM Z Database Assistant setup.
The scenarios covered in this topic are:
- Scenario 1 - the metadata Db2® and the target Db2 are on the same system.
- Scenario 2 - the metadata Db2 and the target Db2 are on different systems that use the same RACF database.
- Scenario 3 - the metadata Db2 and the target Db2 are on different systems that use different RACF databases.
Notes:
- DIST_OWNER is the ID assigned to the DIST address space STARTED profile.
- LIBERTY_OWNER is the ID assigned to the Liberty address space STARTED profile.
- CONFIG_ID is the ID that runs the configuration script (config.sh) to deploy or migrate IBM Z Database Assistant.
- CKDS_RECORD_LABEL is the label assigned when generating the HMAC key.
Scenario 1 - the metadata Db2 and the target Db2 are on the same data sharing group or subsystem
Issue the following RACF commands. These commands are available in sample job hlq.SAURSAMP(AURPTK1). This job must be customized and run by the security administrator.
Note: ACCESS(UPDATE) allows the generation of PassTickets. ACCESS(READ) allows the evaluation of PassTickets.
To configure enhanced PassTickets, issue the following commands:
SETROPTS CLASSACT(PTKTDATA)
SETROPTS RACLIST(PTKTDATA)
SETROPTS GENERIC(PTKTDATA)
RDEFINE PTKTDATA <APPLNAME> SSIGNON(EPTKEYLABEL(CKDS_RECORD_LABEL) +
REPLAY(YES) TIMEOUT(600) TYPE(MIXED or UPPER)) UACC(NONE)
RDEFINE PTKTDATA IRRPTAUTH.<APPLNAME>.* UACC(NONE)
RDEFINE PTKTDATA IRRPTAUTH.<APPLNAME>.<CONFIG_ID> UACC(NONE)
PERMIT IRRPTAUTH.<APPLNAME>.* CLASS(PTKTDATA) ID(<LIBERTY_OWNER>) ACCESS(UPDATE)
PERMIT IRRPTAUTH.<APPLNAME>.<CONFIG_ID> CLASS(PTKTDATA) ID(<CONFIG_ID>) ACCESS(UPDATE)
PERMIT IRRPTAUTH.<APPLNAME>.<CONFIG_ID> CLASS(PTKTDATA) ID(<LIBERTY_OWNER>) ACCESS(UPDATE)
PERMIT IRRPTAUTH.<APPLNAME>.* CLASS(PTKTDATA) ID(<DIST_OWNER>) ACCESS(READ)
SETROPTS RACLIST(PTKTDATA) REFRESH
Scenario 2 - the metadata Db2 and the target Db2 are on different subsystems or data sharing groups that use the same RACF database
Issue the following commands. These commands are available in sample job hlq.SAURSAMP(AURPTK2). This job must be customized and run by the security administrator.
Note: ACCESS(UPDATE) allows the generation of PassTickets. ACCESS(READ) allows the evaluation of PassTickets.
To configure enhanced PassTickets, issue the following commands:
SETROPTS CLASSACT(PTKTDATA)
SETROPTS RACLIST(PTKTDATA)
SETROPTS GENERIC(PTKTDATA)
RDEFINE PTKTDATA <METADATA_APPLNAME> SSIGNON(EPTKEYLABEL(CKDS_RECORD_LABEL_METADATA) +
REPLAY(YES) TIMEOUT(600) TYPE(MIXED or UPPER)) UACC(NONE)
RDEFINE PTKTDATA IRRPTAUTH.<METADATA_APPLNAME>.* UACC(NONE)
RDEFINE PTKTDATA IRRPTAUTH.<METADATA_APPLNAME>.<CONFIG_ID> UACC(NONE)
PERMIT IRRPTAUTH.<METADATA_APPLNAME>.* CLASS(PTKTDATA) ID(<LIBERTY_OWNER>) ACCESS(UPDATE)
PERMIT IRRPTAUTH.<METADATA_APPLNAME>.<CONFIG_ID> CLASS(PTKTDATA) ID(<CONFIG_ID>) ACCESS(UPDATE)
PERMIT IRRPTAUTH.<METADATA_APPLNAME>.<CONFIG_ID> CLASS(PTKTDATA) ID(<LIBERTY_OWNER>) ACCESS(UPDATE)
PERMIT IRRPTAUTH.<METADATA_APPLNAME>.* CLASS(PTKTDATA) ID(<DIST_OWNER_METADATA>) ACCESS(READ)
RDEFINE PTKTDATA <TARGET_APPLNAME> SSIGNON(EPTKEYLABEL(CKDS_RECORD_LABEL_TARGET) +
REPLAY(YES) TIMEOUT(600) TYPE(MIXED or UPPER)) UACC(NONE)
RDEFINE PTKTDATA IRRPTAUTH.<TARGET_APPLNAME>.* UACC(NONE)
PERMIT IRRPTAUTH.<TARGET_APPLNAME>.* CLASS(PTKTDATA) ID(<LIBERTY_OWNER>) ACCESS(UPDATE)
PERMIT IRRPTAUTH.<TARGET_APPLNAME>.* CLASS(PTKTDATA) ID(<DIST_OWNER_TARGET>) ACCESS(READ)
SETROPTS RACLIST(PTKTDATA) REFRESH
Scenario 3 - the metadata Db2 and the target Db2 are on different subsystems or data sharing groups that use different RACF databases
Issue the following commands. These commands are available in sample jobs hlq.SAURSAMP(AURPTK3M) for the metadata Db2 and hlq.SAURSAMP(AURPTK3T) for the target Db2. These jobs must be customized and run by the security administrator.
Note: If PassTickets have already been configured for your Db2 system(s), verify that the HMAC key labels represented by CKDS_RECORD_LABEL in the sample RACF commands below match your existing configuration. See Enabling Db2 to receive RACF PassTickets.
- These are the RACF commands for the metadata Db2 system.
Note: ACCESS(UPDATE) allows the generation of PassTickets.
SETROPTS CLASSACT(PTKTDATA)
SETROPTS RACLIST(PTKTDATA)
SETROPTS GENERIC(PTKTDATA)
RDEFINE PTKTDATA <METADATA_APPLNAME> SSIGNON(EPTKEYLABEL(CKDS_RECORD_LABEL_METADATA) +
REPLAY(YES) TIMEOUT(600) TYPE(MIXED or UPPER)) UACC(NONE)
RDEFINE PTKTDATA IRRPTAUTH.<METADATA_APPLNAME>.* UACC(NONE)
RDEFINE PTKTDATA IRRPTAUTH.<METADATA_APPLNAME>.<CONFIG_ID> UACC(NONE)
PERMIT IRRPTAUTH.<METADATA_APPLNAME>.* CLASS(PTKTDATA) ID(<LIBERTY_OWNER>) ACCESS(UPDATE)
PERMIT IRRPTAUTH.<METADATA_APPLNAME>.<CONFIG_ID> CLASS(PTKTDATA) ID(<CONFIG_ID>) ACCESS(UPDATE)
PERMIT IRRPTAUTH.<METADATA_APPLNAME>.<CONFIG_ID> CLASS(PTKTDATA) ID(<LIBERTY_OWNER>) ACCESS(UPDATE)
PERMIT IRRPTAUTH.<METADATA_APPLNAME>.* CLASS(PTKTDATA) ID(<DIST_OWNER_METADATA>) ACCESS(READ)
RDEFINE PTKTDATA <TARGET_APPLNAME> SSIGNON(EPTKEYLABEL(CKDS_RECORD_LABEL_TARGET) +
REPLAY(YES) TIMEOUT(600) TYPE(MIXED or UPPER)) UACC(NONE)
RDEFINE PTKTDATA IRRPTAUTH.<TARGET_APPLNAME>.* UACC(NONE)
PERMIT IRRPTAUTH.<TARGET_APPLNAME>.* CLASS(PTKTDATA) ID(<LIBERTY_OWNER>) ACCESS(UPDATE)
SETROPTS RACLIST(PTKTDATA) REFRESH
- These are the RACF commands for the target Db2 system.
Note: ACCESS(READ) allows the evaluation of PassTickets.
SETROPTS CLASSACT(PTKTDATA)
SETROPTS RACLIST(PTKTDATA)
SETROPTS GENERIC(PTKTDATA)
RDEFINE PTKTDATA <TARGET_APPLNAME> SSIGNON(EPTKEYLABEL(CKDS_RECORD_LABEL_TARGET) +
REPLAY(YES) TIMEOUT(600) TYPE(MIXED or UPPER)) UACC(NONE)
RDEFINE PTKTDATA IRRPTAUTH.<TARGET_APPLNAME>.* UACC(NONE)
PERMIT IRRPTAUTH.<TARGET_APPLNAME>.* CLASS(PTKTDATA) ID(<DIST_OWNER_TARGET>) ACCESS(READ)
SETROPTS RACLIST(PTKTDATA) REFRESH
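Across all three scenarios the same access pattern recurs: ACCESS(UPDATE) on an IRRPTAUTH profile lets an ID generate PassTickets, ACCESS(READ) lets it evaluate them, and the separate IRRPTAUTH.<APPLNAME>.<CONFIG_ID> profile narrows what CONFIG_ID may do. The Python script below is an added example, not code from the IBM documentation or from the product. It parses a constructed command set modelled on the Scenario 2 IRRPTAUTH commands (the application names AURMETA and AURTGT and the user IDs LIBOWNER, CFGUSER, DISTMETA and DISTTGT are made up), applies a simplified model of RACF generic-profile matching and of the READ/UPDATE access hierarchy, and reports which IDs can generate versus evaluate PassTickets for a given application and target user. It also shows why LIBERTY_OWNER is permitted on both the generic profile and the CONFIG_ID-specific one: the more specific profile governs that user, so the generic PERMIT alone would not cover it.

```python
import re
from collections import defaultdict

# RACF access authorities are hierarchical: a higher level implies the lower
# ones, so UPDATE (generate PassTickets) also carries READ (evaluate them).
ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}

# Constructed sample modelled on the Scenario 2 IRRPTAUTH commands. The
# application names (AURMETA, AURTGT) and user IDs (LIBOWNER, CFGUSER,
# DISTMETA, DISTTGT) are made up for this example, not values from the
# product documentation.
SAMPLE_COMMANDS = """\
RDEFINE PTKTDATA IRRPTAUTH.AURMETA.* UACC(NONE)
RDEFINE PTKTDATA IRRPTAUTH.AURMETA.CFGUSER UACC(NONE)
PERMIT IRRPTAUTH.AURMETA.* CLASS(PTKTDATA) ID(LIBOWNER) ACCESS(UPDATE)
PERMIT IRRPTAUTH.AURMETA.CFGUSER CLASS(PTKTDATA) ID(CFGUSER) ACCESS(UPDATE)
PERMIT IRRPTAUTH.AURMETA.CFGUSER CLASS(PTKTDATA) ID(LIBOWNER) ACCESS(UPDATE)
PERMIT IRRPTAUTH.AURMETA.* CLASS(PTKTDATA) ID(DISTMETA) ACCESS(READ)
RDEFINE PTKTDATA IRRPTAUTH.AURTGT.* UACC(NONE)
PERMIT IRRPTAUTH.AURTGT.* CLASS(PTKTDATA) ID(LIBOWNER) ACCESS(UPDATE)
PERMIT IRRPTAUTH.AURTGT.* CLASS(PTKTDATA) ID(DISTTGT) ACCESS(READ)
"""

RDEFINE_RE = re.compile(r"^RDEFINE\s+PTKTDATA\s+(\S+)\s.*UACC\((\w+)\)", re.I)
PERMIT_RE = re.compile(r"^PERMIT\s+(\S+)\s+CLASS\(PTKTDATA\)\s+ID\((\w+)\)\s+ACCESS\((\w+)\)", re.I)


def parse(text):
    """Return (uacc, acl): uacc maps profile -> UACC level, acl maps
    profile -> {user: access} built from the PERMIT lines."""
    uacc, acl = {}, defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip().upper()
        m = RDEFINE_RE.match(line)
        if m:
            uacc[m.group(1)] = m.group(2)
            continue
        m = PERMIT_RE.match(line)
        if m:
            acl[m.group(1)][m.group(2)] = m.group(3)
    return uacc, acl


def governing_profile(profiles, resource):
    """Simplified model of RACF generic matching: '*' matches one qualifier,
    '**' matches any number, and the most specific matching profile (fewest
    wildcards) is the one whose access list applies to the resource."""
    best = None
    for prof in profiles:
        pattern = re.escape(prof).replace(r"\*\*", ".*").replace(r"\*", r"[^.]*")
        if re.fullmatch(pattern, resource):
            key = (prof.count("*"), -len(prof))
            if best is None or key < best[0]:
                best = (key, prof)
    return best[1] if best else None


def effective_access(uacc, acl, user, resource):
    """Access `user` holds on `resource`: the PERMIT entry on the governing
    profile if there is one, otherwise that profile's UACC, otherwise NONE."""
    prof = governing_profile(set(uacc) | set(acl), resource)
    if prof is None:
        return "NONE"
    return acl.get(prof, {}).get(user, uacc.get(prof, "NONE"))


def can_generate(uacc, acl, user, appl, target_user):
    """UPDATE on IRRPTAUTH.<appl>.<target_user> allows generating a PassTicket."""
    level = effective_access(uacc, acl, user, f"IRRPTAUTH.{appl}.{target_user}")
    return ACCESS_RANK[level] >= ACCESS_RANK["UPDATE"]


def can_evaluate(uacc, acl, user, appl, target_user):
    """READ on IRRPTAUTH.<appl>.<target_user> allows evaluating a PassTicket."""
    level = effective_access(uacc, acl, user, f"IRRPTAUTH.{appl}.{target_user}")
    return ACCESS_RANK[level] >= ACCESS_RANK["READ"]


def generators_for(text, appl, target_user):
    """Every ID in the command set that can generate PassTickets for (appl, target_user)."""
    uacc, acl = parse(text)
    users = {u for entries in acl.values() for u in entries}
    return sorted(u for u in users if can_generate(uacc, acl, u, appl, target_user))


def review(text):
    """Defender checklist: each IRRPTAUTH profile must be UACC(NONE), and every
    ID able to generate PassTickets is listed so that it can be justified."""
    uacc, acl = parse(text)
    findings = [f"{p} has UACC({u}); expected UACC(NONE)" for p, u in uacc.items() if u != "NONE"]
    for prof, entries in sorted(acl.items()):
        for user, level in sorted(entries.items()):
            if ACCESS_RANK[level] >= ACCESS_RANK["UPDATE"]:
                findings.append(f"{user} can generate PassTickets under {prof}")
    return findings


def drop_line(text, needle):
    """Return the command set without the single line equal to `needle`."""
    return "\n".join(l for l in text.splitlines() if l.strip().upper() != needle.upper()) + "\n"


if __name__ == "__main__":
    for finding in review(SAMPLE_COMMANDS):
        print(finding)
    print("generate for CFGUSER on AURMETA:", generators_for(SAMPLE_COMMANDS, "AURMETA", "CFGUSER"))
    # Without LIBOWNER's PERMIT on the CONFIG_ID-specific profile, that profile
    # still governs CFGUSER, so the generic PERMIT alone no longer applies.
    trimmed = drop_line(SAMPLE_COMMANDS,
                        "PERMIT IRRPTAUTH.AURMETA.CFGUSER CLASS(PTKTDATA) ID(LIBOWNER) ACCESS(UPDATE)")
    print("after dropping that PERMIT:", generators_for(trimmed, "AURMETA", "CFGUSER"))
```

Running the script lists every ID that can mint a PassTicket under each profile, which is the list a security administrator should be able to justify before running the sample job, and shows the CONFIG_ID-specific profile removing LIBOWNER from the generator set when the second PERMIT is omitted.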