REQUEST PASSTICKET

Request an external security manager to build a PassTicket.

Syntax

REQUEST PASSTICKET

REQUEST PASSTICKET(data-area) ESMAPPNAME(data-area) ESMRESP(data-area) ESMREASON(data-area)

Conditions: NOTAUTH, INVREQ

This command is threadsafe.

Description

The REQUEST PASSTICKET command requests an external security manager (ESM), such as RACF®, to build a PassTicket. The PassTicket is a password substitute that your program can use to sign on to a particular application on a particular system, such as another CICS® region. You must use the ESMAPPNAME option to specify the profile name by which the external security manager refers to the application to which you are signing on.

The PassTicket that the external security manager generates is for the user ID associated with the task that issues the REQUEST PASSTICKET command. Use the EXEC CICS ASSIGN command with the USERID option to identify the user ID that is associated with the task.

Note: A request for a PassTicket succeeds if a userid is revoked, but an attempt to sign on with that userid and PassTicket fails.

A PassTicket must be used within 10 minutes of being generated. If the PassTicket times out (because, for example, of a session failure), your application must generate another before attempting to sign on again. Repeated failed sign-on attempts with PassTickets can result in the user ID being revoked.

PassTickets are not displayed when the CICS execution diagnostic facility (EDF) is used.

Before using PassTickets, you must ensure that the system clocks for the target system and the originating system are synchronized to within the valid time range. You must also define a Secure Signon key for each target system. For information on the requirements for using PassTickets, see Generating and using PassTickets for secure sign-on.

Options

ESMAPPNAME(data-area)
Specifies the eight-character profile name by which the external security manager refers to the application for which the supplied PassTicket is used. For CICS regions, the profile name is the APPLID of the CICS region. If the external security manager is RACF, see Using the secured signon function in z/OS Security Server RACF Security Administrator's Guide for more information about RACF profile names and PassTickets.
ESMREASON(data-area)
Returns the ESM reason code for the ESM function issued. It is returned when CICS returns a NOTAUTH RESP. See the corresponding RESP2 values for details of the ESM reason code.
ESMRESP(data-area)
Returns the ESM return code for the ESM function issued. It is returned when CICS returns a NOTAUTH RESP. See the corresponding RESP2 values for details of the ESM return code.
PASSTICKET(data-area)
Returns the 8-character PassTicket generated by the external security manager.

Conditions

16 INVREQ
RESP2 values:
247
An invalid value has been specified for ESMAPPNAME.
251
The interface between CICS and the external security manager is not active.
252
The value returned by the external security manager in ESMRESP is not classified by CICS.
254
The external security manager does not support requests for a PassTicket.
256
This command is not valid when running under the default userid.
70 NOTAUTH
RESP2 values:
250
The external security manager does not authorize a request for a PassTicket for the combination of the user ID associated with the task that issued this command and the profile name specified in ESMAPPNAME.

If you are using RACF, see the instructions for the destination system, described in Implementing PassTickets for secure sign-on, for the RACF definitions required to generate PassTickets.

If the ESM is RACF, the return codes and reason codes are defined in the RACF secured signon PassTicket service (RCVTPTGN). See Using the RACF secured signon PassTicket service to generate a PassTicket for more information.

260
The external security manager does not authorize a request for a PassTicket for the combination of the user ID associated with the task that issued this command and the profile name specified in ESMAPPNAME.

If you are using RACF, see the instructions for the originating system, described in Implementing PassTickets for secure sign-on, for the RACF definitions required to generate PassTickets.

If the ESM is RACF, the return codes and reason codes are defined in the RACROUTE REQUEST=AUTH function. See z/OS Security Server RACROUTE Macro Reference: Return codes and reason codes for RACROUTE REQUEST=AUTH (standard form) for more information.
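
Example

The following COBOL program is an added illustration, not part of the original reference page. It issues the command with RESP and RESP2, writes an audit record for the INVREQ and NOTAUTH conditions listed above without ever including the PassTicket, and clears the PassTicket field before returning. The program name, field names, the APPLID value CICSPRD1, the use of transient data queue CSMT, and the fullword binary definitions for the ESM codes are assumptions.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. PTKTREQ.
      * Added example. Names, APPLID CICSPRD1, TD queue CSMT and
      * the fullword binary ESM code fields are assumptions.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01  WS-PASSTICKET   PIC X(8)  VALUE SPACES.
       01  WS-ESMAPPNAME   PIC X(8)  VALUE 'CICSPRD1'.
       01  WS-USERID       PIC X(8)  VALUE SPACES.
       01  WS-RESP         PIC S9(8) COMP VALUE 0.
       01  WS-RESP2        PIC S9(8) COMP VALUE 0.
       01  WS-ESMRESP      PIC S9(8) COMP VALUE 0.
       01  WS-ESMREASON    PIC S9(8) COMP VALUE 0.
      * Audit record: deliberately has no PassTicket field.
       01  WS-MSG.
           05  FILLER      PIC X(15) VALUE 'PTKT FAIL USER='.
           05  MSG-USERID  PIC X(8).
           05  FILLER      PIC X(5)  VALUE ' APP='.
           05  MSG-APP     PIC X(8).
           05  FILLER      PIC X(7)  VALUE ' RESP2='.
           05  MSG-RESP2   PIC 9(4).
           05  FILLER      PIC X(5)  VALUE ' ESM='.
           05  MSG-ESMRESP PIC 9(8).
           05  FILLER      PIC X     VALUE '/'.
           05  MSG-ESMRSN  PIC 9(8).
       PROCEDURE DIVISION.
       MAIN-PARA.
           EXEC CICS ASSIGN USERID(WS-USERID) END-EXEC
           EXEC CICS REQUEST PASSTICKET(WS-PASSTICKET)
                ESMAPPNAME(WS-ESMAPPNAME) ESMRESP(WS-ESMRESP)
                ESMREASON(WS-ESMREASON) RESP(WS-RESP) RESP2(WS-RESP2)
           END-EXEC
           IF WS-RESP = DFHRESP(NORMAL)
      * Sign on with WS-PASSTICKET here, within 10 minutes.
               CONTINUE
           ELSE
      * NOTAUTH (RESP2 250, 260) or INVREQ (247, 251, 252, 254,
      * 256): record who and why; ESM codes are set for NOTAUTH.
               MOVE WS-USERID     TO MSG-USERID
               MOVE WS-ESMAPPNAME TO MSG-APP
               MOVE WS-RESP2      TO MSG-RESP2
               MOVE WS-ESMRESP    TO MSG-ESMRESP
               MOVE WS-ESMREASON  TO MSG-ESMRSN
               EXEC CICS WRITEQ TD QUEUE('CSMT') FROM(WS-MSG)
                    LENGTH(LENGTH OF WS-MSG) NOHANDLE END-EXEC
           END-IF
      * Clear the PassTicket from working storage on every path.
           MOVE SPACES TO WS-PASSTICKET
           EXEC CICS RETURN END-EXEC.
```

If the sign-on that uses the PassTicket fails or the PassTicket times out, issue the command again to obtain a new one, and bound the number of attempts, because repeated failed sign-ons can revoke the user ID.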