Configuring PassTicket support for the Distributed Data Server

If the RMF™ Distributed Data Server (DDS) is configured to require authentication (see Setting up the Distributed Data Server for z/OS), instead of a user ID and a password, a user ID and a PassTicket can be supplied.

For more information about PassTickets, see the z/OS Security Server RACF Security Administrator's Guide (SA22-7683).

A PassTicket is validated against an application name. The RACF® application name of the DDS is GPMSERVE. Before creating the necessary application profile, the RACF class PTKTDATA must be activated:

SETROPTS CLASSACT(PTKTDATA)
SETROPTS RACLIST(PTKTDATA)

Define a DDS application profile with an associated encryption key:

RDEFINE PTKTDATA GPMSERVE SSIGNON(KEYMASKED(<key>))

where <key> is a user-supplied 16-digit value used to generate the PassTicket. You can specify a value of your choice. Valid characters are 0-9 and A-F.

The user calling the DDS must have RACF permissions in order to generate PassTickets. Define a profile in the PTKTDATA class controlling access to the PassTicket services and explicitly set the universal access authority to NONE:

RDEFINE PTKTDATA IRRPTAUTH.GPMSERVE.* UACC(NONE)

The user ID connecting to the DDS needs UPDATE permission to the newly created profile:

PERMIT IRRPTAUTH.GPMSERVE.* CLASS(PTKTDATA) ID(<user>) ACCESS(UPDATE)

where <user> is the user ID connecting to the DDS. In a CIM environment, this is the user ID associated with the CIM server started task.

Finally, you must activate the changes:

SETROPTS RACLIST(PTKTDATA) REFRESH
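
The following Python helper is an added example, not part of the IBM documentation: it draws the 16-digit key from the operating system's random source rather than a hand-picked value, checks it against the character rule above, and renders the command sequence from this page for one user ID. The user ID CIMSRV and the user ID syntax check are assumptions.

```python
import re
import secrets
from typing import List, Optional

KEY_RE = re.compile(r"[0-9A-F]{16}")       # 16 characters from 0-9 and A-F (rule from this page)
USER_RE = re.compile(r"[A-Z0-9#$@]{1,8}")  # assumption: usual RACF user ID syntax


def new_key() -> str:
    """Return a 16-hex-digit key (64 bits) from the OS random source."""
    return secrets.token_hex(8).upper()


def check_key(key: str) -> str:
    """Normalise to upper case and reject anything but 16 hex digits."""
    key = key.upper()
    if not KEY_RE.fullmatch(key):
        raise ValueError("key must be exactly 16 characters from 0-9 and A-F")
    return key


def check_user(user: str) -> str:
    """Reject user IDs that could break out of the ID(...) operand."""
    user = user.upper()
    if not USER_RE.fullmatch(user):
        raise ValueError("user ID must be 1-8 characters from A-Z, 0-9, #, $, @")
    return user


def racf_commands(user: str, key: Optional[str] = None) -> List[str]:
    """Render the page's command sequence for one connecting user ID."""
    key = check_key(key if key is not None else new_key())
    user = check_user(user)
    return [
        "SETROPTS CLASSACT(PTKTDATA)",
        "SETROPTS RACLIST(PTKTDATA)",
        f"RDEFINE PTKTDATA GPMSERVE SSIGNON(KEYMASKED({key}))",
        "RDEFINE PTKTDATA IRRPTAUTH.GPMSERVE.* UACC(NONE)",
        f"PERMIT IRRPTAUTH.GPMSERVE.* CLASS(PTKTDATA) ID({user}) ACCESS(UPDATE)",
        "SETROPTS RACLIST(PTKTDATA) REFRESH",
    ]


if __name__ == "__main__":
    # CIMSRV is a constructed placeholder user ID, not a value from the page.
    print("\n".join(racf_commands("CIMSRV")))
```

The rendered output contains the PassTicket key, so handle it with the same care as the key itself.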