Generating and evaluating a PassTicket
A product or function that generates a PassTicket must use
the RACF® legacy PassTicket generator algorithm or enhanced
PassTicket generation algorithm. These algorithms require specific information as input data and
produces a PassTicket that substitutes for a specific end-user RACF password. RACF uses the
PassTicket to authenticate the end-user for a specific application running on a specific system that
uses RACF for identification and authentication.
There are four ways to generate and
evaluate a PassTicket using the legacy PassTicket algorithm or enhanced PassTicket
algorithm:
- If the function using PassTickets
is running on a z/OS® system, you can use the RACF
PassTicket-generation service (RCVTPTGN) to generate the PassTicket.
The algorithm is already incorporated into the service and allows RACF to generate a PassTicket on the host. An authorized program, such as one authorized by
the authorized program facility (APF), can use the service to generate PassTickets. See Using the RCVTPTGN service to generate a PassTicket for more information.
- For any function that generates a PassTicket, you can create a program that incorporates the algorithm. See Incorporating the PassTicket generator algorithm into your program for more information.
- You can use the R_ticketserv and R_GenSec callable
services. This interface supports problem state callers, and both 31-bit and 64-bit callers. For
more information about these callable services, see R_ticketserv (IRRSPK00): Parse or extract
and R_GenSec (IRRSGS00 or IRRSGS64): Generic security API interface in z/OS Security Server RACF Callable Services.
- Java™ code can use a Java interface that uses a Java Native Interface (JNI) and calls the R_ticketserv and R_GenSec callable services. For information about this interface, see the JavaDoc shipped in the IRRRacfDoc.jar file, which is installed into the directory /usr/include/java_classes. Download the jar file to a workstation, un-jar it, and read it with a Web browser.