Generating and using PassTickets for secure sign-on

A PassTicket is a secure representation of a password that your program can use to sign on to a particular application on a particular system, such as another CICS® region. A specific PassTicket may be used for authentication once only, and it must be used within 10 minutes of being generated.

RACF®, or a functionally-equivalent external security manager that supports PassTickets, generates a PassTicket when your application issues the EXEC CICS REQUEST PASSTICKET or FEPI REQUEST PASSTICKET command. The PassTicket can be used anywhere a password can be used.

Using a PassTicket in place of a password means that applications do not have to store passwords (or ask users to re-enter them) in order to sign on to the target system, and passwords are not transmitted across the network. The end user is verified by signing on to the originating system in the normal way. No changes are required in the target system to use PassTickets, because the external security manager processes the PassTicket, so the target system can use its existing procedures to sign on the user ID.

To use PassTickets, the systems involved must meet the following requirements:
  • The back end can be a CICS region or IMS system. No changes are required in the CICS or IMS back-end systems to use PassTickets.
  • RACF, or a functionally-equivalent external security manager that supports PassTickets, must be on both systems. The PassTicket generation and validation algorithm means that the system that creates the PassTicket and the system that validates it must both use a level of the external security manager that supports PassTickets. If the originating system has the function applied, and the target system does not, the PassTicket is invalid.
  • End users must use the same user ID in the target system as the one that they use in the system where the PassTicket is requested.
  • Because PassTickets are time-stamped, the system clocks for the target system and the originating system must be synchronized to within the valid time range. A PassTicket is considered to be within the valid time range when the time of generation, with respect to the clock on the generating computer, is within plus or minus 10 minutes of the time of evaluation, with respect to the clock on the evaluating computer. For more information about system time differences and synchronization, see Using the secured signon function in z/OS Security Server RACF Security Administrator's Guide.
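As an added example (not IBM's code, and not the RACF generation algorithm, which is not reproduced here), the following Python model shows the acceptance rules just described: a PassTicket is accepted once only, and only when its generation time falls within plus or minus 10 minutes of the evaluating system's own clock, so clock skew between the two systems eats into the window. The user IDs, applids, clock values and ticket string are constructed.

```python
from dataclasses import dataclass, field

WINDOW_SECONDS = 10 * 60  # a PassTicket must be evaluated within +/-10 minutes

@dataclass(frozen=True)
class PassTicket:
    user_id: str       # same user ID must be used on originating and target systems
    applid: str        # target application the ticket was requested for
    generated_at: int  # seconds, as read from the generating system's clock
    value: str         # opaque 8-character ticket; constructed, not a real RACF value

@dataclass
class TargetSystem:
    """Evaluating side: its own clock plus the record used to refuse replays."""
    clock_skew: int = 0                     # seconds this clock runs ahead of the generator
    used: set = field(default_factory=set)  # tickets already accepted once

    def now(self, generator_time):
        # The evaluating system never sees the generator's clock, only its own.
        return generator_time + self.clock_skew

    def evaluate(self, ticket, user_id, applid, generator_time):
        """Outcome for a ticket presented when the generator's clock reads generator_time."""
        if user_id != ticket.user_id or applid != ticket.applid:
            return "REJECT: user ID or applid mismatch"
        if abs(self.now(generator_time) - ticket.generated_at) > WINDOW_SECONDS:
            return "REJECT: outside +/-10 minute window"
        if ticket in self.used:
            return "REJECT: PassTicket already used"
        self.used.add(ticket)
        return "ACCEPT"

def run_scenarios():
    """Constructed scenarios: fresh use, replay, late use, clock drift, wrong user."""
    t0 = 1_700_000_000
    ticket = PassTicket("CICSUSR1", "CICSTGT1", t0, "X7Q2M9KL")
    synced = TargetSystem(clock_skew=0)
    drifted = TargetSystem(clock_skew=11 * 60)  # clocks 11 minutes apart
    return {
        "fresh": synced.evaluate(ticket, "CICSUSR1", "CICSTGT1", t0 + 30),
        "replay": synced.evaluate(ticket, "CICSUSR1", "CICSTGT1", t0 + 60),
        "too_late": TargetSystem().evaluate(ticket, "CICSUSR1", "CICSTGT1", t0 + 601),
        "clock_drift": drifted.evaluate(ticket, "CICSUSR1", "CICSTGT1", t0 + 30),
        "wrong_user": TargetSystem().evaluate(ticket, "OTHER", "CICSTGT1", t0 + 30),
    }
```

The clock_drift case is the one to watch operationally: the ticket is only 30 seconds old by the generator's clock, yet the target rejects it because its own clock places it outside the window.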

To process PassTickets, the external security manager uses Secure Signon keys that are shared by the originating and target systems. You must define a Secure Signon key for each target system. For information about how to do this with RACF by defining profiles in the PTKTDATA resource class, see Using the secured signon function in z/OS Security Server RACF Security Administrator's Guide. Users of other external security managers should refer to the documentation for their product.

If the XPTKT system initialization parameter is set to YES (the default value), both the region and the user ID must be authorized to generate a PassTicket.

To allow an originating system to generate a PassTicket, issue the following commands to define RACF profiles for users on the originating region:
RDEFINE PTKTDATA IRRPTAUTH.applid.* UACC(NONE)
PERMIT IRRPTAUTH.applid.* CLASS(PTKTDATA) ID(user) ACCESS(UPDATE)

applid is the generic applid of the originating region.

user is the user or group of users allowed to generate PassTickets on this region.

For more information about PassTickets, see z/OS Security Server RACF Security Administrator's Guide.