z/OS Security Server RACF Security Administrator's Guide


Defining profiles in the PTKTDATA class

SA23-2289-00

For each application that users can gain access to with the PassTicket, you must create at least one profile in the PTKTDATA class. The profile associates a secret secured signon application key with a particular application on a particular system. The profiles can be created so they apply to:
  • All users who need access to the application
  • A specific RACF® group of users who need access to the application
  • A specific RACF user, when connected to a specific RACF group
  • A specific RACF user
To define the profile, use the RDEFINE command:
RDEFINE PTKTDATA profile-name SSIGNON(key-description) UACC(access-authority)
where:
PTKTDATA
specifies the PassTicket key class.
profile-name
is the name of the profile (see Determining PTKTDATA profile names).

For the PTKTDATA class, the profile must be a discrete profile. Because each application must be uniquely defined, you cannot specify a generic profile in the PTKTDATA class. If you specify a generic profile, it is ignored during PassTicket processing for the application, and PassTickets cannot be used to authenticate users for that application.

key-description
defines the secured signon application key and specifies the method RACF is to use to protect it in the RACF database on the host. You can specify either masking or encryption for the method (see Protecting the secured signon application keys).

Secured signon keys are 64-bit Data Encryption Standard (DES) keys. With DES, eight of the 64 bits are reserved for use as parity bits, so those eight bits are not part of the 56-bit key. In hexadecimal notation, the DES parity bits are: X'0101 0101 0101 0101'. Any two 64-bit keys are equivalent DES keys if their only difference is in one or more of these parity bits.

access-authority
is the universal access authority to be associated with the resource protected by this profile. By default, the UACC is NONE for the PTKTDATA class.
After a profile in the PTKTDATA class has been created, you can change it with the RALTER command, which is similar in syntax to the RDEFINE command:
RALTER PTKTDATA profile-name SSIGNON(key-description) UACC(access-authority)
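
The parity-bit equivalence described under key-description means two key values that look different can be the same DES key. The following Python sketch is an added example, not part of the IBM guide: it clears the X'0101 0101 0101 0101' bits to compare keys, sets odd parity on a key, and reports profiles that share one key. All function names, profile names and key values in it are constructed for illustration.

```python
import secrets

PARITY_MASK = 0x0101010101010101  # the DES parity bits named in the text


def parse_key(hex_key: str) -> int:
    """Parse a 16-hex-digit secured signon key; blanks are ignored."""
    digits = hex_key.replace(" ", "")
    if len(digits) != 16:
        raise ValueError("key must be exactly 16 hexadecimal digits")
    return int(digits, 16)


def effective_key(hex_key: str) -> int:
    """Return the key with the eight parity bits cleared (the 56 bits DES uses)."""
    return parse_key(hex_key) & ~PARITY_MASK & 0xFFFFFFFFFFFFFFFF


def equivalent(key_a: str, key_b: str) -> bool:
    """True when the two values differ only in parity bits."""
    return effective_key(key_a) == effective_key(key_b)


def set_odd_parity(hex_key: str) -> str:
    """Rewrite each byte's low bit so the byte has an odd number of 1 bits."""
    out = bytearray()
    for byte in parse_key(hex_key).to_bytes(8, "big"):
        high7 = byte & 0xFE
        out.append(high7 | (bin(high7).count("1") + 1) % 2)
    return out.hex().upper()


def new_key() -> str:
    """Generate a random 64-bit key value from the OS CSPRNG, odd parity set."""
    return set_odd_parity(secrets.token_hex(8))


def find_shared_keys(profiles: dict) -> list:
    """Group profile names (hypothetical inventory) whose keys are one DES key."""
    groups = {}
    for name, key in profiles.items():
        groups.setdefault(effective_key(key), []).append(name)
    return [sorted(names) for names in groups.values() if len(names) > 1]


# Constructed sample inventory: APPA and APPB differ only in parity bits.
SAMPLE = {"APPA": "0123456789ABCDEF", "APPB": "0022446688AACCEE",
          "APPC": "FEDCBA9876543210"}
```

Running find_shared_keys over an inventory of application keys flags applications that would accept each other's PassTicket key even though the stored hexadecimal values differ.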





Copyright IBM Corporation 1990, 2014