Enabling the RACF secured signon function
Enabling the secured signon function requires a series of coordinated RACF® commands.
To enable the function, a RACF administrator must complete
the following steps:
- Activate the PTKTDATA class (if not already activated). For example:
SETROPTS CLASSACT(PTKTDATA)
SETROPTS RACLIST(PTKTDATA)
The PassTicket key class enables the security administrator to associate a RACF secured signon secret key with a particular mainframe application that uses RACF for user authentication. All profiles that contain PassTicket information are defined to the PTKTDATA class.
- Define a profile in the PTKTDATA class for the Distributed Data Server (GPMSERVE). The name of the profile must be the name of the DDS application. For example:
RDEF PTKTDATA GPMSERVE SSIGNON([KEYENCRYPTED|KEYMASKED](key))
The profile associates a secret secured signon application key with a particular application on a particular system. The key is a 16-digit hexadecimal user-supplied value.
Note: The default application name for PassTicket generation is GPMSERVE. If the RACF user exit ICHRIX01 redefines this name, the OMEGAMON client must use the ID provided by the user exit. If you need to use an alternative name, contact IBM® Software Support.
- Create a RACF profile for PassTicket generation.
This determines who can create PassTickets for GPMSERVE.
RDEF PTKTDATA IRRPTAUTH.GPMSERVE.* UACC(NONE)
- Authorize monitoring server and OMEGAMON Subsystem address spaces to use PassTicket services.
Use of the R_ticketserv service for PassTicket services (function code 3) is authorized by the resources in the PTKTDATA class that correspond to the application ID and target user ID used in the PassTicket operation. The application server must be running with a RACF user or group that has the following authority specified:
PERMIT IRRPTAUTH.GPMSERVE.* ID(STCUSER) ACCESS(UPDATE) CLASS(PTKTDATA)
SETR RACLIST(PTKTDATA) REFRESH
where STCUSER is the group ID used for the monitoring server and OMEGAMON Subsystem address spaces.
Note: If PassTicket authentication is used, the user ID for the monitoring server and OMEGAMON Subsystem address space cannot be defined as PROTECTED. Using PassTicket authentication is equivalent to using a password, and a PROTECTED RACF user ID cannot have a password specified in its definition.
Note: KEYENCRYPTED requires that the CSNBENC module reside in the link pack area (LPA) if it is not already there. The CSNBENC module can be dynamically loaded, or added to PLPA or MLPA with the respective PARMLIB members. The following modules must reside in APF-authorized link-listed data sets: CSNBCKI, CSNBKRC, CSNBKRD, CSNBKRW.
Tip
Depending on your RACF options,
the user ID of the person who enters the RDEF command might
also be on the access list for IRRPTAUTH.GPMSERVE.*. You can
check to see whether the ID is included by issuing the following command
and then checking the access list:
RLIST PTKTDATA IRRPTAUTH.GPMSERVE.*
To delete an unwanted user ID, issue the following command:
PERMIT IRRPTAUTH.GPMSERVE.* id(userid) DELETE class(PTKTDATA)
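The following script is an added example for the check described in this Tip; it is not part of the product documentation or of RACF. It reads saved RLIST output for the IRRPTAUTH.GPMSERVE.* profile, compares the access list against the IDs that are supposed to be there (here only the STCUSER group with UPDATE), and builds the PERMIT ... DELETE command from the Tip for each unexpected ID so an administrator can review it before issuing it. The sample RLIST text, the column layout it assumes (USER / ACCESS / ACCESS COUNT) and the RACFADM user ID are constructed for the example.

```python
"""Audit the access list of IRRPTAUTH.GPMSERVE.* from saved RLIST output.

Added example, not IBM's code. Assumes the RLIST output was captured to
text and that the access-list section uses a 'USER  ACCESS  ACCESS COUNT'
column layout; the sample below is constructed to approximate that layout.
"""
import re

PROFILE = "IRRPTAUTH.GPMSERVE.*"

# IDs that belong on the access list and the minimum access each needs.
# STCUSER with UPDATE is the group from the setup steps on this page.
EXPECTED = {"STCUSER": "UPDATE"}

# RACF access levels from lowest to highest, used to compare authority.
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

# Constructed sample of 'RLIST PTKTDATA IRRPTAUTH.GPMSERVE.* AUTHUSER'
# output. RACFADM stands in for the administrator who issued the RDEF
# and, as the Tip warns, may have landed on the access list.
SAMPLE_RLIST = """\
CLASS      NAME
-----      ----
PTKTDATA   IRRPTAUTH.GPMSERVE.*

LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    RACFADM         NONE             ALTER     NO

USER      ACCESS   ACCESS COUNT
----      ------   ------ -----
RACFADM   ALTER    000000
STCUSER   UPDATE   000000
"""


def parse_access_list(rlist_text):
    """Return {id: access} parsed from the USER/ACCESS section of RLIST output."""
    entries = {}
    in_acl = False
    for line in rlist_text.splitlines():
        stripped = line.strip()
        if re.match(r"^USER\s+ACCESS\s+ACCESS COUNT", stripped):
            in_acl = True          # header of the standard access list
            continue
        if not in_acl:
            continue
        if not stripped:
            break                  # blank line ends the section
        if stripped.startswith("-"):
            continue               # dashes underline the header
        parts = stripped.split()
        if len(parts) >= 2:
            entries[parts[0].upper()] = parts[1].upper()
    return entries


def audit_access_list(entries, expected=EXPECTED):
    """Return (unexpected, missing).

    unexpected: IDs on the list that are not in `expected`.
    missing: expected IDs that are absent or hold less than the required access.
    """
    unexpected = {uid for uid in entries if uid not in expected}
    missing = set()
    for uid, needed in expected.items():
        have = entries.get(uid, "NONE")
        if ACCESS_RANK.get(have, 0) < ACCESS_RANK[needed]:
            missing.add(uid)
    return unexpected, missing


def delete_commands(unexpected, profile=PROFILE):
    """Build the PERMIT ... DELETE command from the Tip for each unwanted ID."""
    return [f"PERMIT {profile} ID({uid}) DELETE CLASS(PTKTDATA)"
            for uid in sorted(unexpected)]


if __name__ == "__main__":
    acl = parse_access_list(SAMPLE_RLIST)
    extra, gaps = audit_access_list(acl)
    for uid in sorted(gaps):
        print(f"MISSING: {uid} needs {EXPECTED[uid]} on {PROFILE}")
    for cmd in delete_commands(extra):
        print("REVIEW:", cmd)
```

Run it against real output by replacing SAMPLE_RLIST with the captured text; the commands it prints are only proposals, and the access list should be re-checked with RLIST after any PERMIT is issued.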
Note: You can choose to bypass user ID and password authentication
for all or selected users through initialization parameters. See the RMF documentation
for a discussion of HTTP_NOAUTH.