Defining profiles in the PTKTDATA class

For each application that users can gain access to with the PassTicket, you must create at least one profile in the PTKTDATA class. The profile associates a PassTicket key with a particular application on a particular system. The profiles can be created so they apply to:
  • All users
  • Users who belong to a specific RACF® group
  • A specific RACF user, when connected to a specific RACF group
  • A specific RACF user
To define the profile, use the RDEFINE command:
RDEFINE PTKTDATA profile-name SSIGNON(key-description) UACC(NONE)
where:
PTKTDATA
specifies the PassTicket key class.
profile-name
is the name of the profile (see Determining PTKTDATA profile names).

For the PTKTDATA class, the profile must be a discrete profile. Because each application must be uniquely defined, you cannot specify a generic profile in the PTKTDATA class. If you specify a generic profile, it is ignored during PassTicket processing for the application, and PassTickets cannot be used to authenticate users for that application.

key-description
defines the PassTicket keys and related configuration settings.
For legacy PassTickets:
  • A subset of these keywords specify the method RACF is to use to protect the legacy PassTicket key in the RACF database on the host. You can specify either masking or encryption for the method (see Protecting PassTicket keys).
  • Legacy PassTicket keys are 64-bit Data Encryption Standard (DES) keys. With DES, eight of the 64 bits are reserved for use as parity bits, so those eight bits are not part of the 56-bit key. In hexadecimal notation, the DES parity bits are: X'0101 0101 0101 0101'. Any two 64-bit keys are equivalent DES keys if their only difference is in one or more of these parity bits.
For enhanced PassTickets:
  • A subset of these keywords identify the enhanced PassTicket keys and related configuration settings to be used to generate and evaluate an enhanced PassTicket. Enhanced PassTicket keys are 256-bit to 2048-bit HMAC keys.
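The parity-bit rule for legacy keys can be checked mechanically when comparing the key value recorded for a profile against the copy held by the system that generates PassTickets. The following is an added example, not IBM code: the function names, profile labels and key values are constructed for illustration, and only the mask X'0101 0101 0101 0101' comes from the text above.

```python
import string

# Parity-bit positions from the text above: X'0101 0101 0101 0101'.
PARITY_MASK = 0x0101010101010101


def parse_key(hex_key):
    """Parse a 64-bit key written as 16 hexadecimal digits (spaces allowed)."""
    digits = hex_key.replace(" ", "")
    if len(digits) != 16 or not set(digits) <= set(string.hexdigits):
        raise ValueError("expected exactly 16 hexadecimal digits")
    return int(digits, 16)


def effective_key(hex_key):
    """Return the key with its eight parity bits cleared (the 56 key bits)."""
    return parse_key(hex_key) & ~PARITY_MASK


def equivalent(key_a, key_b):
    """True when the two values differ only in parity bits."""
    return effective_key(key_a) == effective_key(key_b)


def group_equivalent(keys_by_name):
    """Group names whose keys are the same DES key; return groups of 2 or more."""
    groups = {}
    for name, hex_key in keys_by_name.items():
        groups.setdefault(effective_key(hex_key), []).append(name)
    return [names for names in groups.values() if len(names) > 1]


if __name__ == "__main__":
    # Constructed sample values, not real keys; the names are hypothetical.
    sample = {
        "HOST_COPY": "0123456789ABCDEF",
        "CLIENT_COPY": "0022 4466 88AA CCEE",   # same key, parity bits cleared
        "OTHER_APP": "0323456789ABCDEF",        # differs in a key bit
    }
    print(equivalent(sample["HOST_COPY"], sample["CLIENT_COPY"]))  # True
    print(equivalent(sample["HOST_COPY"], sample["OTHER_APP"]))    # False
    print(group_equivalent(sample))  # [['HOST_COPY', 'CLIENT_COPY']]
```

The grouping function reports only the labels, never the key values, so its output can go into an audit record.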