To validate a password or PassTicket, RACF® does the following:
- Determines whether the value in the password field is the RACF password for the user ID.
  - If it is the RACF password, the validation is complete.
  - If it is not the RACF password, processing continues.
- Determines whether a secured signon application profile has been defined for the application in the PTKTDATA class.
  - If a profile has not been defined, the user receives a message from the application indicating that the password is not valid.
  - If the application is defined in the PTKTDATA class, processing continues.
- Evaluates the value entered in the password field. The evaluation determines whether:
  - The value is a PassTicket consistent with this user ID, application, and time range.
  - It has been used previously on this computer system for this user ID, application, and time range.
  Time Considerations:
  - To be sure the MVS system clock is set properly, the system console operator should issue:
      DISPLAY T
  - The system displays the time with information similar to the following:
      IEE136I LOCAL: TIME=14.06.18 DATE=1997.309
      GMT: TIME=19.06.18 DATE=1997.309
    Important: If the MVS DISPLAY T command indicates that your system clock is not set correctly for GMT, you need to analyze the consequences of resetting the clock. It is possible that other programs that execute on the system have been adjusted to tolerate an incorrect GMT setting. You might need to readjust those programs before resetting the system clock.
  - See z/OS MVS Initialization and Tuning Reference and z/OS MVS System Commands for more information on setting clocks. See z/OS Security Server RACF Macros and Interfaces for more information on the algorithms.
  - If the value was used before, and if PassTicket replay protection has not been bypassed, the user receives a message from the application indicating that the password is not valid.
  - If the value was not used before, the PassTicket is considered valid and processing continues.
- Determines whether the value is a valid PassTicket.
  - If the PassTicket is valid, RACF gives the user access to the desired application.
  - If the value is not valid, the host application sends a message to the user indicating that the password is not valid.
Note: If the secured signon application key is encrypted, the cryptographic product must be active when RACF tries to authenticate the PassTicket. If it is not active, RACF cannot validate the PassTicket. The resulting message indicates that the logon attempt failed.
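
The decision order described above, modelled as an added example (not IBM's code): the ticket generator is an HMAC-SHA256 stand-in rather than the RACF PassTicket algorithm, and the 60-second step, the 10-step window and all names are assumptions. It shows why a host whose GMT clock has drifted rejects otherwise good values, and how the replay check behaves with and without replay protection.

```python
import hashlib
import hmac

STEP = 60          # assumed granularity of the time value, in seconds
WINDOW_STEPS = 10  # assumed tolerated skew either side of the host's GMT clock

def _eq(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time compare

def make_ticket(key: bytes, user: str, app: str, gmt: int) -> str:
    """Stand-in generator (truncated HMAC-SHA256); NOT the RACF algorithm."""
    msg = f"{user}|{app}|{gmt // STEP}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8].upper()

class Validator:
    """Hypothetical model of the validation order; not a RACF interface."""
    def __init__(self, passwords, ptktdata):
        self.passwords = passwords  # user ID -> password
        self.ptktdata = ptktdata    # application -> (key, replay_protection)
        self.used = set()           # (user ID, application, time step) accepted

    def validate(self, user, app, value, host_gmt):
        # 1. The value is the user's password: validation is complete.
        stored = self.passwords.get(user)
        if stored is not None and _eq(stored, value):
            return "password"
        # 2. No secured signon profile for the application: not valid.
        profile = self.ptktdata.get(app)
        if profile is None:
            return "invalid"
        key, replay_protection = profile
        # 3. Consistent with this user ID, application and time range?
        now = host_gmt // STEP
        steps = range(now - WINDOW_STEPS, now + WINDOW_STEPS + 1)
        matched = next(
            (t for t in steps if _eq(make_ticket(key, user, app, t * STEP), value)), None)
        if matched is None:
            return "invalid"
        # A value used before is rejected unless replay protection is bypassed.
        if replay_protection and (user, app, matched) in self.used:
            return "invalid"
        self.used.add((user, app, matched))
        return "passticket"

if __name__ == "__main__":
    v = Validator({}, {"APP1": (b"constructed-key", True)})  # constructed data
    tk = make_ticket(b"constructed-key", "ALICE", "APP1", 1_700_000_000)
    print(v.validate("ALICE", "APP1", tk, 1_700_000_300),
          v.validate("ALICE", "APP1", tk, 1_700_000_300))
```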