The RACF PassTicket
The RACF® PassTicket is a one-time-only password that is generated by a requesting product or function. It is an alternative to the RACF password that removes the need to send RACF passwords across the network in clear text. It makes it possible to move the authentication of a mainframe application user ID from RACF to another authorized function executing on the host system or to the workstation local area network (LAN) environment.
- Generating a PassTicket
- Evaluating a PassTicket
- The legacy PassTicket algorithm
- The enhanced PassTicket algorithm
The legacy PassTicket algorithm is the original PassTicket implementation and uses a DES secret key. The enhanced PassTicket algorithm is an updated version of the PassTicket algorithm and uses an HMAC secret key. RACF supports generation and evaluation of PassTickets with either the legacy PassTicket algorithm or the enhanced PassTicket algorithm, depending on system configuration. IBM® highly recommends using the enhanced PassTicket algorithm because it provides the same capabilities as the legacy PassTicket algorithm and also provides increased security.
For more information on configuring PassTickets, see “The RACF PassTicket” in the z/OS® Security Server RACF Security Administrator's Guide.