z/OS Security Server RACF Security Administrator's Guide


How RACF processes the password or PassTicket

z/OS Security Server RACF Security Administrator's Guide
SA23-2289-00

To validate a password or PassTicket, RACF® does the following:
  1. Determines whether the value in the password field is the RACF password for the user ID.
    • If it is the RACF password, the validation is complete.
    • If it is not the RACF password, processing continues.
  2. Determines whether a secured signon application profile has been defined for the application in the PTKTDATA class.
    • If a profile has not been defined, the user receives a message from the application (1) indicating that the password is not valid.
    • If the application is defined in the PTKTDATA class, processing continues.
  3. Evaluates the value entered in the password field. The evaluation determines whether:
    • The value is a PassTicket consistent with this user ID, application, and time range.
    • It has been used previously on this computer system for this user ID, application, and time range.
    Time Considerations:
    • A PassTicket is considered to be within the valid time range when the time of generation, with respect to the clock on the generating computer, is within plus or minus 10 minutes of the time of evaluation, with respect to the clock on the evaluating computer.
    • Be sure that your MVS™ system and the evaluating computer use clock values that are within that time range. RACF uses the value stored for coordinated universal time (UTC), formerly called Greenwich mean time (GMT), in the algorithms that process PassTickets.
    • One way to ensure that reasonably synchronized values are used is to set UTC in the GMT value of the MVS time of day (TOD) clock and to set a similar value in each of the other systems with which RACF shares PassTicket information. You can still use the MVS local time for local timestamp information, and resetting the local time does not affect the GMT value kept in the TOD clock.
      Important: Before setting the TOD clock's GMT value to UTC, make sure that the subsystems and applications you use are not affected.
    • To be sure the MVS system clock is set properly, the system console operator should issue:
      DISPLAY T
    • The system displays the time with information similar to the following:
      IEE136I LOCAL: TIME=14.06.18 DATE=1997.309
                GMT: TIME=19.06.18 DATE=1997.309
      Important: If the MVS DISPLAY T command indicates that your system clock is not set correctly for GMT, you need to analyze the consequences of resetting the clock. It is possible that other programs that execute on the system have been adjusted to tolerate an incorrect GMT setting. You might need to readjust those programs before resetting the system clock.
    • See z/OS MVS Initialization and Tuning Reference and z/OS MVS System Commands for more information on setting clocks. See z/OS Security Server RACF Macros and Interfaces for more information on the algorithms.
    • If the value was used before, and if PassTicket replay protection has not been bypassed, the user receives a message from the application (2) indicating that the password is not valid.
    • If the value was not used before, the PassTicket is considered valid and processing continues.
  4. Determines whether the value is a valid PassTicket.
    • If the PassTicket is valid, RACF gives the user access to the desired application.
    • If the value is not valid, the host application sends a message (3) to the user indicating that the password is not valid.
Note: If the secured signon application key is encrypted, the cryptographic product must be active when RACF tries to authenticate the PassTicket. If it is not active, RACF cannot validate the PassTicket. The resulting message indicates that the logon attempt failed.
(1) RACF sends a message to the SYSLOG and to the security console. The application rejects the logon request the same way it rejects an incorrect password. The text of the message the user receives depends on the application.
(2) RACF sends a message to the SYSLOG and to the security console. The application rejects the logon request the same way it rejects an incorrect password. The text of the message the user receives depends on the application.
(3) See the previous footnote.
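The four-step decision flow above, modelled as an added example that is not IBM's code. The ticket derivation is an HMAC stand-in for the real RACF PassTicket algorithm (which this page defers to RACF Macros and Interfaces), the user IDs, passwords, application names and keys are constructed, and the evaluating clock is taken as seconds of UTC; what the example shows is the plus or minus 10 minute window and the per user ID, application and generation time replay check.

```python
import hmac
import hashlib

WINDOW_SECONDS = 10 * 60  # a PassTicket is accepted within +/- 10 minutes (UTC)

# Constructed sample data, not real values: RACF passwords and PTKTDATA keys
PASSWORDS = {"USER01": "PASSW0RD"}
PTKTDATA_KEYS = {"TSO": b"constructed-secured-signon-key-for-TSO"}


def make_passticket(key, userid, application, gen_time_utc):
    """Stand-in derivation (HMAC); NOT the real RACF DES-based algorithm."""
    msg = f"{userid}|{application}|{gen_time_utc}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8].upper()


class PassTicketEvaluator:
    def __init__(self, passwords, ptktdata_keys):
        self.passwords = passwords
        self.ptktdata_keys = ptktdata_keys
        self.used = set()   # replay cache keyed on (userid, application, gen_time)
        self.syslog = []    # messages RACF would send to SYSLOG / security console

    def validate(self, userid, application, value, now_utc, bypass_replay=False):
        # Step 1: is the value the user's RACF password?
        if self.passwords.get(userid) == value:
            return "OK-PASSWORD"
        # Step 2: is a secured signon profile defined for the application?
        key = self.ptktdata_keys.get(application)
        if key is None:
            self.syslog.append(f"no PTKTDATA profile for {application}")
            return "REJECT-NO-PROFILE"
        # Step 3: is the value a PassTicket for this user ID and application
        # generated within +/- 10 minutes of the evaluating clock? (1 s steps)
        for gen_time in range(now_utc - WINDOW_SECONDS, now_utc + WINDOW_SECONDS + 1):
            if hmac.compare_digest(make_passticket(key, userid, application, gen_time), value):
                break
        else:
            self.syslog.append(f"invalid PassTicket for {userid}/{application}")
            return "REJECT-INVALID"
        # Replay protection: same user ID, application and generation time seen before?
        replay_key = (userid, application, gen_time)
        if replay_key in self.used and not bypass_replay:
            self.syslog.append(f"PassTicket replay for {userid}/{application}")
            return "REJECT-REPLAY"
        self.used.add(replay_key)
        # Step 4: a consistent, unused PassTicket: access is granted
        return "OK-PASSTICKET"
```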

Copyright IBM Corporation 1990, 2014