How to configure PassTicket authentication from CICS

Configure PassTicket authentication from CICS® to an IBM® z/OS Connect Server.

Applies to zosConnect-3.0.

This task is applicable when z/OS Connect Server is used as an API requester.

About this task

To use PassTicket authentication to authenticate your CICS application with z/OS Connect Server, you must:
  • Define and update profiles in the PTKTDATA class by using your external security manager.
  • Update the z/OS Connect Server configuration to enable security.
  • Update the COBOL application to generate and supply a PassTicket.

Procedure

  1. Define a RACF profile to authorize the task user ID of the CICS COBOL application to generate PassTickets.
    RDEFINE PTKTDATA IRRPTAUTH.applid.* UACC(NONE)
    PERMIT IRRPTAUTH.applid.* CLASS(PTKTDATA) ID(user) ACCESS(UPDATE)

    Where applid is the APPLID of the CICS region where the API requester COBOL application is running and user is the user ID associated with the task. For more information, see Setting up PassTickets.

  2. Ensure the appSecurity-2.0 feature is present in the z/OS Connect Server configuration.

    The value for profilePrefix in the safCredentials configuration element must match the ESMAPPNAME in the EXEC CICS REQUEST PASSTICKET call.

    Note: If profilePrefix is not specified in the z/OS Connect Server configuration, then the value BBGZDFLT is used. For more information, see Accessing z/OS security resources.
  3. Define a RACF profile to allow the z/OS Connect Server to accept a PassTicket.
    RDEF PTKTDATA applid SSIGNON(key-description) UACC(NONE)
    Where applid is the value in the profilePrefix attribute of the safCredentials element of the z/OS Connect Server configuration, or BBGZDFLT if it is not specified. For more information, see Setting up PassTickets.
    Note: Field-level access checking is required to create and list the SSIGNON segment of a profile in the PTKTDATA class. For more information, see Field-level access checking.
  4. Update the COBOL application to generate and supply the PassTicket to the Host API BAQINIT call.
    
           01 WS-RESP            PIC S9(8) BINARY.
           01 WS-RESP2           PIC S9(8) BINARY.
           01 WS-ESM-RETN        PIC S9(8) BINARY.
           01 WS-ESM-REAS        PIC S9(8) BINARY.
           01 CICS-USER-ID       PIC  X(8) VALUE SPACES.
           01 CICS-PASSTICKET    PIC  X(8) VALUE SPACES.
           01 ZCON-APPLID        PIC  X(8) VALUE 'BBGZDFLT'.
    
               EXEC CICS ASSIGN USERID(CICS-USER-ID) END-EXEC.
    
               EXEC CICS REQUEST PASSTICKET(CICS-PASSTICKET)
                    ESMAPPNAME(ZCON-APPLID)
                    ESMRESP(WS-ESM-RETN)
                    ESMREASON(WS-ESM-REAS)
                    RESP(WS-RESP)
                    RESP2(WS-RESP2)
               END-EXEC.
    
               MOVE BAQZ-SERVER-USERNAME TO BAQ-ZCON-PARM-NAME OF
                BAQ-ZCON-PARMS(1).
               SET BAQ-ZCON-PARM-ADDRESS OF BAQ-ZCON-PARMS(1)
                TO ADDRESS OF CICS-USER-ID.
               MOVE LENGTH OF CICS-USER-ID TO BAQ-ZCON-PARM-LENGTH
                OF BAQ-ZCON-PARMS(1).
    
               MOVE BAQZ-SERVER-PASSWORD TO BAQ-ZCON-PARM-NAME OF
                BAQ-ZCON-PARMS(2).
               SET BAQ-ZCON-PARM-ADDRESS OF BAQ-ZCON-PARMS(2)
                TO ADDRESS OF CICS-PASSTICKET.
               MOVE LENGTH OF CICS-PASSTICKET TO BAQ-ZCON-PARM-LENGTH
                OF BAQ-ZCON-PARMS(2).
      
               CALL BAQ-INIT-NAME USING BY REFERENCE BAQ-ZCONNECT-AREA.
    
    For more information about PassTickets, see
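
The sample in step 4 passes CICS-PASSTICKET to BAQINIT without testing the outcome of the REQUEST PASSTICKET command. The following added example (not IBM sample code) checks the response first, so that a failed request is reported and a blank password is never supplied. The WS-D-* fields and the abend code PTKF are assumptions; all other names are the ones declared in step 4.

```cobol
      * Added example. WS-D-* fields and abend code 'PTKF' are
      * hypothetical; WS-RESP, WS-RESP2, WS-ESM-RETN, WS-ESM-REAS,
      * CICS-PASSTICKET and ZCON-APPLID are declared as in step 4.
      *
      * Display-format copies of the binary codes for the log line.
       01 WS-D-RESP          PIC -(8)9.
       01 WS-D-RESP2         PIC -(8)9.
       01 WS-D-ESM-RETN      PIC -(8)9.
       01 WS-D-ESM-REAS      PIC -(8)9.

      * Start from a known-empty ticket so stale data is not reused.
           MOVE SPACES TO CICS-PASSTICKET.

           EXEC CICS REQUEST PASSTICKET(CICS-PASSTICKET)
                ESMAPPNAME(ZCON-APPLID)
                ESMRESP(WS-ESM-RETN)
                ESMREASON(WS-ESM-REAS)
                RESP(WS-RESP)
                RESP2(WS-RESP2)
           END-EXEC.

      * Stop if CICS or the ESM refused the request, or if no
      * ticket came back, so BAQINIT never sees a blank password.
           IF WS-RESP NOT = DFHRESP(NORMAL)
              OR CICS-PASSTICKET = SPACES
      *       Log the codes only, never the PassTicket itself.
              MOVE WS-RESP     TO WS-D-RESP
              MOVE WS-RESP2    TO WS-D-RESP2
              MOVE WS-ESM-RETN TO WS-D-ESM-RETN
              MOVE WS-ESM-REAS TO WS-D-ESM-REAS
              DISPLAY 'PASSTICKET REQUEST FAILED APPL=' ZCON-APPLID
                      ' RESP=' WS-D-RESP ' RESP2=' WS-D-RESP2
              DISPLAY ' ESMRESP=' WS-D-ESM-RETN
                      ' ESMREASON=' WS-D-ESM-REAS
              EXEC CICS ABEND ABCODE('PTKF') END-EXEC
           END-IF.

      * Only now build BAQ-ZCON-PARMS and CALL BAQ-INIT-NAME as
      * shown in step 4.
```

A non-normal RESP together with the ESMRESP and ESMREASON values usually points back to the PTKTDATA profiles from steps 1 and 3, or to an ESMAPPNAME that does not match profilePrefix.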