IBM Support

OMEGAMON® PassTicket Support

Question & Answer


How can I get OMEGAMON® Classic and OMEGAMON II® FOR MVS to work with PassTicket?


PassTicket access works with both RACF and ACF2, and there are various ways of implementing it.

  1. Use it for OMEGAMON® classic only.  No special changes are needed to KOMRACFX. See KOMACF2X changes at the bottom of this technote. 
    In this case, you can turn off logon security for OMEGAMON II® for MVS, because the logon to OMEGAMON II® for MVS cannot complete until an underlying logon to OMEGAMON® classic completes successfully.  You need to modify the RKANPARU(KM2INNAM) member and comment out SAF, and specify NORACF NODB
    You still need to enter the valid userid and password at the CUA logon, but it would be validated by OMEGAMON® classic only.
  2. Use it for CUA only.  You can set up OMEGAMON® classic to use internal security (no KOMRACFX or KOMACF2X) and no special changes are needed.  You need to set up internal passwords in the RKANPARU(KOMSUPDI) member so that if you want to issue a level3 secured command, you can use the /PWD command to get the proper internal security level.
  3. Use it for both CUA and Classic. 

For OMEGAMON® classic, you need to make sure that the PTKTDATA Profile is set up for the 'CANDLE' application.
That is because the RACF exit, KOMRACFX, uses 'CANDLE' as the application name on the RACF calls.

A logon to the OMEGAMON II® (CUA) works using PassTicket, when you have a valid PTKTDATA profile set up for the CUA applid.

If you choose option 3, problems arise when the CUA attempts an internal logon to the classic applid. That fails because it attempts to re-use the same PassTicket on that internal logon.  By default, the same PassTicket cannot be reused with a different application.  In order to get around this, there are two things that you need to do:

  • a. Modify the KOMRACFX exit so that the classic logon will use the same CUA application on the RACF calls. In the exit, look for this line:  M$APPL DC CL8'CANDLE'
    That defines 'CANDLE' as the application being used. Change 'CANDLE' to be your CUA applid. Then the internal classic logon will use the same application, and will be able to reuse the PassTicket.
  • b. In order to be able to reuse the PassTicket, you need to specify APPLDATA('NO REPLAY PROTECTION') on the PTKTDATA resource.  That allows the same PassTicket to be reused for up to 10 minutes.

Special instructions for ACF2 (KOMACF2X) suggested by CA-ACF2.

1) Add the lines with the @xx marker at the end
2) Change =CL8'applname' to specify your application name

*        MOVE CURRENT PASSWORD INTO ACF2 ACVALD                     @08
*                                                                   @08
         LA    R0,ACVPSWD                       DESTINATION         @08
         LA    R1,L'ACVPSWD                     DEST LENGTH         @08
         LA    R14,U#CHRPW+1                    RELOGON PASSWORD    @08
         SLR   R15,R15                                              @08
         IC    R15,U#CHRPW                  RELOGON PASSWORD LENGTH @08
         ICM   R15,B'1000',=C' '                PAD WITH BLANKS     @08
         MVCL  R0,R14                           MOVE LONG           @08
         MVC   ACVSRCE,U#LUNAME             LU NAME FOR ERR MSG     @10
*                                                                   @xx
*        MOVE IN THE REST OF THE VALUES NEEDED                      @xx
*                                                                   @xx
         MVC   ACVXAPPL,=CL8'applname'  <= Specify application name @xx
         LA    R1,ACVLEN                                            @xx
         STH   R1,ACVXLENU                                          @xx
         OI    ACVACNTL,ACVAEXT                                     @xx
*                                                                   @08
*        CALL ACF2 FOR THE LOGON VALIDATION                         @08
*                                                                   @08
         ACFSVC  (R2),TYPE=A,CVT=HAVE,NONE=A$EXIT0                  @08
*                                                                   @08                                                                                  

3) Increase the size of the ACF2 work area:                

M#ACF2WK DS    CL140                 ACF2 WORKAREA                   
needs to be:                                                          
M#ACF2WK DS    CL158                 ACF2 WORKAREA                  @xx

4) Change references to M#ACF2WK to use the new length
XC    M#ACF2WK(140),M#ACF2WK
needs to be
XC    M#ACF2WK(158),M#ACF2WK

[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSNU68","label":"Tivoli OMEGAMON II for MVS"},"ARM Category":[{"code":"","label":""}],"Platform":[{"code":"PF035","label":"z\/OS"}],"Version":"All Versions","Line of Business":{"code":"LOB35","label":"Mainframe SW"}}]

Document Information

Modified date:
19 May 2020