The Content Manager OnDemand unified login exit (ARS.PTGN) enables a user to run the Content Manager OnDemand command line utilities (such as ARSLOAD) without specifying a user ID and password. This facility to log on without specifying a password uses the ability to specify a PassTicket as a password when using a RACROUTE REQUEST=VERIFY call.
The following figure shows an overview of the unified login exit.
Figure 1. Overview of the unified login exit
The unified login exit is implemented as follows:
- When a user runs a command line utility, if the login exit is enabled and the user does not specify a Content Manager OnDemand user ID and password, the current user ID that is returned by UNIX System Services (USS) is used to log on to Content Manager OnDemand.
- Because the function to generate a PassTicket is not a part of the SAF interface, Content Manager OnDemand implements the call to generate the PassTicket as an MVS™ dynamic exit. The dynamic exit facility calls the ARS.PTGN login exit routine. Content Manager OnDemand provides a sample exit, ARSPTGN.
- The ARSPTGN sample exit generates a PassTicket in the RACF® environment and returns the PassTicket to the command line utility. Installations that use another external security product need to evaluate the supplied exit and possibly modify the exit for their environment.
- The utility sends the PassTicket to the server when the utility attempts to log on to Content Manager OnDemand.
- The PassTicket is used by the Content Manager OnDemand server to do a SAF RACROUTE REQUEST=VERIFY call from RACF for the user ID. The result that is returned from the SAF call is used to determine whether the user is allowed access to the system. If the SAF call succeeds, the user is logged on to the Content Manager OnDemand server and the required function is performed. If the SAF call fails, the user is prompted for a user ID and password.
Tip: To enable PassTickets in a security manager such as RACF, you must do the following steps:
- Activate the PTKTDATA class.
- Define a secured sign-on application key for each application.
- Issue the SETROPTS RACLIST(PTKTDATA) command.
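The three steps in the tip, written out as RACF commands. This is an added example, not part of the original page: APPLNAME and the key value are placeholders (the page does not give the profile name that Content Manager OnDemand uses), and the REFRESH and verification commands at the end are an addition to the three steps.

```text
/* 1. Activate the PTKTDATA class */
SETROPTS CLASSACT(PTKTDATA)

/* 2. Define a secured sign-on application key for each application. */
/*    APPLNAME is a placeholder profile name; the 16 hex digits are  */
/*    a constructed sample key, never to be used as a real key.      */
RDEFINE PTKTDATA APPLNAME SSIGNON(KEYMASKED(0123456789ABCDEF)) UACC(NONE)

/* 3. Load the PTKTDATA profiles into storage */
SETROPTS RACLIST(PTKTDATA)

/* After any later change to a PTKTDATA profile, refresh the      */
/* in-storage copy so that the new key takes effect               */
SETROPTS RACLIST(PTKTDATA) REFRESH

/* Verification (added): confirm the class is active and RACLISTed, */
/* and that the profile carries a secured sign-on key. RLIST reports */
/* how the key is protected; it does not display the key value.     */
SETROPTS LIST
RLIST PTKTDATA APPLNAME SSIGNON
```

The sign-on key is the shared secret from which every PassTicket for that application is derived, so restrict who can list or alter PTKTDATA profiles. Where a cryptographic product is installed on the system, KEYENCRYPTED can be specified in place of KEYMASKED.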