For each application that users can gain access to with the PassTicket,
you must create at least one profile in the PTKTDATA class. The profile
associates a secret secured signon application key with a particular
application on a particular system. The profiles can be created so
they apply to:
- All users who need access to the application
- A specific RACF® group of users who need access to the application
- A specific RACF user, when connected to a specific RACF group
- A specific RACF user
To define the profile, use the RDEFINE command:
RDEFINE PTKTDATA profile-name SSIGNON(key-description) UACC(access-authority)
where:
- PTKTDATA
- specifies the PassTicket key class.
- profile-name
- is the name of the profile (see Determining PTKTDATA profile names).
For the PTKTDATA class, the profile must be a discrete profile. Because
each application must be uniquely defined, you cannot specify a generic
profile in the PTKTDATA class. If you specify a generic profile, it
is ignored during PassTicket processing for the application, and PassTickets
cannot be used to authenticate users for that application.
- key-description
- defines the secured signon application key and specifies the method
RACF is to use to protect it in the RACF database on the host.
You can specify either masking or encryption for the method (see
Protecting the secured signon application keys).
Secured signon keys are 64-bit Data Encryption Standard (DES) keys.
With DES, eight of the 64 bits are reserved for use as parity bits,
so those eight bits are not part of the 56-bit key. In hexadecimal
notation, the DES parity bits are: X'0101 0101 0101 0101'. Any two
64-bit keys are equivalent DES keys if their only difference is in
one or more of these parity bits.
- access-authority
- is the universal access authority to be associated with the resource
protected by this profile. By default, the UACC is NONE for the PTKTDATA
class.
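The parity-bit equivalence described under key-description can be checked mechanically when reviewing key assignments. The following is an added example, not IBM code: it groups application profiles whose 64-bit key values are the same effective DES key. The profile names, key values and function names are constructed for illustration.

```python
"""Added example: find key values that are the same effective DES key."""
import re
from collections import defaultdict

# The eight DES parity bits, X'0101 0101 0101 0101' (low-order bit of each byte).
PARITY_MASK = 0x0101010101010101


def parse_key(hex_key):
    """Parse a 64-bit key given as 16 hex digits; blanks between groups are allowed."""
    digits = hex_key.replace(" ", "")
    if not re.fullmatch(r"[0-9A-Fa-f]{16}", digits):
        raise ValueError("key must be exactly 16 hexadecimal digits")
    return int(digits, 16)


def effective_key(hex_key):
    """Clear the parity bits so only the 56 bits that form the DES key remain."""
    return parse_key(hex_key) & ~PARITY_MASK


def equivalent(key_a, key_b):
    """True when two 64-bit values differ only in one or more parity bits."""
    return effective_key(key_a) == effective_key(key_b)


def shared_key_groups(profiles):
    """Return sorted groups of profile names that hold equivalent DES keys."""
    groups = defaultdict(list)
    for name, hex_key in profiles.items():
        groups[effective_key(hex_key)].append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample data: hypothetical profile names and made-up key values.
SAMPLE = {
    "APPLA": "0123456789ABCDEF",
    "APPLB": "0022446688AACCEE",  # differs from APPLA only in parity bits
    "APPLC": "FEDCBA9876543210",
}

if __name__ == "__main__":
    for group in shared_key_groups(SAMPLE):
        print("same effective key:", ", ".join(group))
```

Two applications that appear to have distinct keys but land in the same group share one secret, so disclosure of either key value exposes both.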
After a profile in the PTKTDATA class has been created, you can
change it with the RALTER command, which is similar in syntax to the
RDEFINE command:
RALTER PTKTDATA profile-name SSIGNON(key-description) UACC(access-authority)