How to configure PassTicket authentication from CICS

Configure PassTicket authentication from CICS® to a z/OS® Connect server.

This task is applicable when IBM® z/OS Connect server is used as an API requester.

About this task

To use PassTicket authentication to authenticate your CICS application with IBM z/OS Connect server, you must:
  • Define and update profiles in the PTKTDATA class by using your external security manager.
  • Update the IBM z/OS Connect server configuration to enable security.
  • Update the COBOL application to generate and supply a PassTicket.

Procedure

  1. Define a RACF profile to authorize the task user ID of the CICS COBOL application to generate PassTickets.
    RDEFINE PTKTDATA IRRPTAUTH.applid.* UACC(NONE)
    PERMIT IRRPTAUTH.applid.* CLASS(PTKTDATA) ID(user) ACCESS(UPDATE)

    Where applid is the APPLID of the CICS region where the API requester COBOL application is running and user is the user ID associated with the task. For more information, see Setting up PassTickets.

  2. Ensure the appSecurity-2.0 feature is present in the IBM z/OS Connect server configuration.

    The value for profilePrefix in the safCredentials configuration element must match the ESMAPPNAME in the EXEC CICS REQUEST PASSTICKET call.

    Note: If profilePrefix is not specified in the IBM z/OS Connect server configuration then the value BBGZDFLT is used. For more information, see Accessing z/OS security resources.
  3. Define a RACF profile to allow the IBM z/OS Connect server to accept a PassTicket.
    RDEF PTKTDATA applid SSIGNON(key-description) UACC(NONE)
    Where applid is the value in the profilePrefix attribute of the safCredentials element of the IBM z/OS Connect server configuration, or BBGZDFLT if it is not specified. For more information, see Setting up PassTickets.
    Note: Field level access checking is required to create and list the SSIGNON segment of a profile in the PTKTDATA class. For more information, see Field level access checking.
  4. Update the COBOL application to generate and supply the PassTicket to the Host API BAQINIT call.
    
           01 WS-RESP            PIC S9(8) BINARY.
           01 WS-RESP2           PIC S9(8) BINARY.
           01 WS-ESM-RETN        PIC S9(8) BINARY.
           01 WS-ESM-REAS        PIC S9(8) BINARY.
           01 CICS-USER-ID       PIC  X(8) VALUE SPACES.
           01 CICS-PASSTICKET    PIC  X(8) VALUE SPACES.
          * Must match profilePrefix in safCredentials on the server.
           01 ZCON-APPLID        PIC  X(8) VALUE 'BBGZDFLT'.
    
          * Get the user ID associated with the task.
               EXEC CICS ASSIGN USERID(CICS-USER-ID) END-EXEC.
    
          * Generate a PassTicket for that user ID and application name.
               EXEC CICS REQUEST PASSTICKET(CICS-PASSTICKET)
                    ESMAPPNAME(ZCON-APPLID)
                    ESMRESP(WS-ESM-RETN)
                    ESMREASON(WS-ESM-REAS)
                    RESP(WS-RESP)
                    RESP2(WS-RESP2)
               END-EXEC.
    
          * Supply the user ID and the PassTicket as BAQINIT parameters.
               MOVE BAQZ-SERVER-USERNAME TO BAQ-ZCON-PARM-NAME OF
                BAQ-ZCON-PARMS(1).
               SET BAQ-ZCON-PARM-ADDRESS OF BAQ-ZCON-PARMS(1)
                TO ADDRESS OF CICS-USER-ID.
               MOVE LENGTH OF CICS-USER-ID TO BAQ-ZCON-PARM-LENGTH
                OF BAQ-ZCON-PARMS(1).
    
               MOVE BAQZ-SERVER-PASSWORD TO BAQ-ZCON-PARM-NAME OF
                BAQ-ZCON-PARMS(2).
               SET BAQ-ZCON-PARM-ADDRESS OF BAQ-ZCON-PARMS(2)
                TO ADDRESS OF CICS-PASSTICKET.
               MOVE LENGTH OF CICS-PASSTICKET TO BAQ-ZCON-PARM-LENGTH
                OF BAQ-ZCON-PARMS(2).
      
               CALL BAQ-INIT-NAME USING BY REFERENCE BAQ-ZCONNECT-AREA.
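
The step 4 fragment does not test the outcome of REQUEST PASSTICKET before it passes CICS-PASSTICKET to BAQINIT. The following added example (not part of the original page or IBM's sample code) shows one way to check the response and stop before any credentials are supplied. The program name PTKTCHK, the abend code PTKF, the WS-DIAG layout and the use of the CSMT transient data queue are assumptions made for this example.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. PTKTCHK.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01 WS-RESP            PIC S9(8) BINARY VALUE 0.
       01 WS-RESP2           PIC S9(8) BINARY VALUE 0.
       01 WS-ESM-RETN        PIC S9(8) BINARY VALUE 0.
       01 WS-ESM-REAS        PIC S9(8) BINARY VALUE 0.
       01 CICS-USER-ID       PIC  X(8) VALUE SPACES.
       01 CICS-PASSTICKET    PIC  X(8) VALUE SPACES.
       01 ZCON-APPLID        PIC  X(8) VALUE 'BBGZDFLT'.
      * Diagnostic record: response codes only, never the PassTicket.
       01 WS-DIAG.
          05 FILLER          PIC X(24)
                             VALUE 'REQUEST PASSTICKET RESP='.
          05 WS-D-RESP       PIC 9(8).
          05 FILLER          PIC X(7)  VALUE ' RESP2='.
          05 WS-D-RESP2      PIC 9(8).
          05 FILLER          PIC X(9)  VALUE ' ESMRESP='.
          05 WS-D-ESM-RETN   PIC 9(8).
          05 FILLER          PIC X(11) VALUE ' ESMREASON='.
          05 WS-D-ESM-REAS   PIC 9(8).
       PROCEDURE DIVISION.
       MAIN-PROCESSING.
           EXEC CICS ASSIGN USERID(CICS-USER-ID) END-EXEC.
           EXEC CICS REQUEST PASSTICKET(CICS-PASSTICKET)
                ESMAPPNAME(ZCON-APPLID)
                ESMRESP(WS-ESM-RETN)
                ESMREASON(WS-ESM-REAS)
                RESP(WS-RESP)
                RESP2(WS-RESP2)
           END-EXEC.
      * Stop before BAQINIT if no PassTicket was generated.
           IF WS-RESP NOT = DFHRESP(NORMAL)
              MOVE SPACES      TO CICS-PASSTICKET
              MOVE WS-RESP     TO WS-D-RESP
              MOVE WS-RESP2    TO WS-D-RESP2
              MOVE WS-ESM-RETN TO WS-D-ESM-RETN
              MOVE WS-ESM-REAS TO WS-D-ESM-REAS
      * CSMT is assumed to be defined in this region.
              EXEC CICS WRITEQ TD QUEUE('CSMT')
                   FROM(WS-DIAG) NOHANDLE
              END-EXEC
      * PTKF is a hypothetical abend code chosen for this example.
              EXEC CICS ABEND ABCODE('PTKF') END-EXEC
           END-IF.
      * The BAQINIT parameter setup from step 4 would follow here.
           EXEC CICS RETURN END-EXEC.
```

A non-normal response here commonly points back to the PTKTDATA profiles in steps 1 and 3, so the ESMRESP and ESMREASON values in the diagnostic record are the ones to look up with your external security manager.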