Question & Answer
PassTicket access works with both RACF and ACF2, and there are various ways of implementing it.
1) Use it for OMEGAMON® classic only. No special changes are needed to KOMRACFX. See the KOMACF2X changes at the bottom of this technote.
In this case, you can turn off logon security for OMEGAMON II® for MVS, because the logon to OMEGAMON II® for MVS cannot complete until an underlying logon to OMEGAMON® classic completes successfully. To do so, modify the RKANPARU(KM2INNAM) member: comment out SAF, and specify NORACF NODB.
You still need to enter a valid userid and password at the CUA logon, but they are validated by OMEGAMON® classic only.
2) Use it for CUA only. You can set up OMEGAMON® classic to use internal security (no KOMRACFX or KOMACF2X), and no special changes are needed. Set up internal passwords in the RKANPARU(KOMSUPDI) member so that, if you want to issue a level-3 secured command, you can use the /PWD command to obtain the proper internal security level.
3) Use it for both CUA and Classic.
For OMEGAMON® classic, make sure that the PTKTDATA profile is set up for the 'CANDLE' application, because the RACF exit, KOMRACFX, uses 'CANDLE' as the application name on its RACF calls.
A logon to OMEGAMON II® (CUA) works with a PassTicket when you have a valid PTKTDATA profile set up for the CUA applid.
If you choose option 3, problems arise when the CUA attempts an internal logon to the classic applid. That logon fails because it attempts to reuse the same PassTicket, and by default a PassTicket cannot be reused with a different application. To get around this, you need to do two things:
- a. Modify the KOMRACFX exit so that the classic logon uses the same CUA application name on its RACF calls. In the exit, look for this line: M$APPL DC CL8'CANDLE'
That line defines 'CANDLE' as the application name. Change 'CANDLE' to your CUA applid. The internal classic logon then uses the same application name and can reuse the PassTicket.
- b. To allow the PassTicket to be reused at all, specify APPLDATA('NO REPLAY PROTECTION') on the PTKTDATA resource. That allows the same PassTicket to be reused for up to 10 minutes.
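To make the reasoning behind steps a and b concrete, here is an added Python model of how a PassTicket check behaves. It is example code written for this technote, not IBM's, RACF's or OMEGAMON's own code: it uses an HMAC over (userid, applid, time) in place of RACF's secured signon algorithm, and the applids CUAAPPL and CANDLE, the userid USER01 and the keys are constructed sample values; only the 10-minute reuse window comes from the text. It walks the three outcomes the text describes: the CUA ticket rejected on the CANDLE applid, the same ticket rejected on a second use of the CUA applid while replay protection is on, and accepted within the 10-minute window once APPLDATA('NO REPLAY PROTECTION') is set for that applid.

```python
import hashlib
import hmac

# Technote: a reused PassTicket is accepted for up to 10 minutes.
VALIDITY_SECONDS = 600


class PassTicketValidator:
    """Server-side model of PassTicket checking (toy; not RACF's secured
    signon algorithm).  A ticket is a MAC over (userid, applid, time) under
    the application's own key, so it is only valid for the applid it was
    minted for; replay protection then blocks a second use of the same
    ticket unless the applid's profile switches it off."""

    def __init__(self, keys):
        # applid -> per-application secret (plays the role of the SSIGNON key
        # on that applid's PTKTDATA profile); constructed sample keys
        self.keys = keys
        # applids whose PTKTDATA profile carries APPLDATA('NO REPLAY PROTECTION')
        self.no_replay_protection = set()
        # (userid, applid, ticket) tuples already consumed, for the replay check
        self.used = set()

    def _mac(self, key, userid, applid, issued):
        msg = f"{userid}|{applid}|{issued}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

    def generate(self, userid, applid, now):
        """Client side: mint a ticket for one userid on one applid at time `now`."""
        return f"{now}:{self._mac(self.keys[applid], userid, applid, now)}"

    def validate(self, userid, applid, ticket, now):
        """Return (accepted, reason) for a ticket presented to `applid` at time `now`."""
        key = self.keys.get(applid)
        if key is None:
            return False, "no PTKTDATA profile for applid"
        issued_text, mac = ticket.split(":", 1)
        issued = int(issued_text)
        # A ticket minted under another applid's key fails here, whatever the
        # replay setting: this is the failure the unmodified KOMRACFX runs into.
        if not hmac.compare_digest(mac, self._mac(key, userid, applid, issued)):
            return False, "ticket not valid for this applid"
        if not 0 <= now - issued <= VALIDITY_SECONDS:
            return False, "ticket outside validity window"
        entry = (userid, applid, ticket)
        if entry in self.used and applid not in self.no_replay_protection:
            return False, "replay: ticket already used on this applid"
        self.used.add(entry)
        return True, "accepted"


def omegamon_logon_sequence(no_replay_protection):
    """Walk the CUA logon and the internal classic logon that follows it.
    Applids, userid and keys are constructed sample values.  Returns a list
    of (step, accepted, reason)."""
    v = PassTicketValidator({"CUAAPPL": b"cua-sample-key", "CANDLE": b"candle-sample-key"})
    if no_replay_protection:
        # APPLDATA('NO REPLAY PROTECTION') on the CUAAPPL profile only
        v.no_replay_protection.add("CUAAPPL")
    t0 = 1_000_000
    ticket = v.generate("USER01", "CUAAPPL", t0)
    steps = [
        # CUA logon: first use of the ticket on the applid it was minted for
        ("CUA logon", "CUAAPPL", t0 + 1),
        # unmodified KOMRACFX: classic logon presents the same ticket as 'CANDLE'
        ("classic logon as CANDLE", "CANDLE", t0 + 2),
        # KOMRACFX M$APPL changed to the CUA applid: second use of the ticket
        ("classic logon as CUAAPPL", "CUAAPPL", t0 + 3),
        # same ticket again once the 10-minute window has passed
        ("reuse after 10 minutes", "CUAAPPL", t0 + VALIDITY_SECONDS + 60),
    ]
    return [(name, *v.validate("USER01", applid, ticket, at)) for name, applid, at in steps]


if __name__ == "__main__":
    for setting in (False, True):
        print(f"NO REPLAY PROTECTION = {setting}")
        for step, ok, reason in omegamon_logon_sequence(setting):
            print(f"  {step:28} {'accepted' if ok else 'rejected'}: {reason}")
```

The replay setting is per applid in the model, mirroring that APPLDATA goes on one PTKTDATA profile: switching it off for the CUA applid does not loosen the check for any other application, and the validity window still bounds how long a reused ticket is honoured.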
Special instructions for ACF2 (KOMACF2X) suggested by CA-ACF2.
1) Add the lines marked with @xx (the marker at the end of each line)
2) Change =CL8'applname' to specify your application name
*        MOVE CURRENT PASSWORD INTO ACF2 ACVALD                     @08
         LA    R0,ACVPSWD              DESTINATION                  @08
         LA    R1,L'ACVPSWD            DEST LENGTH                  @08
         LA    R14,U#CHRPW+1           RELOGON PASSWORD             @08
         SLR   R15,R15                                              @08
         IC    R15,U#CHRPW             RELOGON PASSWORD LENGTH      @08
         ICM   R15,B'1000',=C' '       PAD WITH BLANKS              @08
         MVCL  R0,R14                  MOVE LONG                    @08
         MVC   ACVSRCE,U#LUNAME        LU NAME FOR ERR MSG          @10
*        MOVE IN THE REST OF THE VALUES NEEDED                      @xx
         MVC   ACVXAPPL,=CL8'applname' <= Specify application name  @xx
         LA    R1,ACVLEN                                            @xx
         STH   R1,ACVXLENU                                          @xx
         OI    ACVACNTL,ACVAEXT                                     @xx
*        CALL ACF2 FOR THE LOGON VALIDATION                         @08
         ACFSVC (R2),TYPE=A,CVT=HAVE,NONE=A$EXIT0                   @08
3) Increase the size of the ACF2 work area:
M#ACF2WK DS    CL140                   ACF2 WORKAREA
needs to be:
M#ACF2WK DS    CL158                   ACF2 WORKAREA                @xx
4) Change references to M#ACF2WK to use the new length
needs to be
19 May 2020