Configuring PassTicket support for the Distributed Data Server
If the RMF Distributed Data Server (DDS) is configured to require authentication (see Setting up the Distributed Data Server for z/OS), a user ID and a PassTicket can be supplied instead of a user ID and a password.
The PassTicket key can be defined as either a DES key for legacy PassTickets or an HMAC key for enhanced PassTickets, as described in Using PassTickets in z/OS Security Server RACF Security Administrator's Guide. IBM strongly recommends the use of enhanced PassTickets.
A PassTicket is validated against an application name. The RACF® application name of the DDS is GPMSERVE. Before creating the necessary application profile, the RACF class PTKTDATA must be activated:
SETROPTS CLASSACT(PTKTDATA)
SETROPTS RACLIST(PTKTDATA)
RDEFINE PTKTDATA GPMSERVE SSIGNON(KEYLABEL(<key>))
where <key> is a user-supplied 16-digit value used to generate the PassTicket. You can specify a value of your choice. Valid characters are 0 - 9 and A - F.
The user calling the DDS must have RACF permissions in order to generate PassTickets. Define a profile in the PTKTDATA class controlling access to the PassTicket services and explicitly set the universal access authority to NONE:
RDEFINE PTKTDATA IRRPTAUTH.GPMSERVE.* UACC(NONE)
PERMIT IRRPTAUTH.GPMSERVE.* CLASS(PTKTDATA) ID(<user>) ACCESS(UPDATE)
where <user> is the user ID connecting to the DDS. In a CIM environment, this is the user ID associated with the CIM server started task.
SETROPTS RACLIST(PTKTDATA) REFRESH