Can I Use Passtickets With The FTP Application?

Document ID : KB000054377
Last Modified Date : 14/02/2018
Show Technical Document Details


To secure FTP and connection, the standard is to use SSL and Digital Certificates.

But under specific circumstances, you may want to secure your FTP connection other alternatives besides user/password and SSL.


Before securing FTP with passtickets, we must understand how passtickets work.

What is a Passticket?

It's an alternative to the mainframe password that permits workstations and client machines to communicate with the host. It allows a user to gain access to the host system without sending the mainframe password across the network.

PassTickets are cryptographically-generated, single-use, short-lifespan password substitutes. They are inherently more secure than passwords.

The Passticket is valid for a period of plus or minus 10 minutes (as measured on the GMT clock of the "central" system). It cannot be replayed. It is always a 8-character string (for example 6MP534fG could be the value of a Passticket).

Passtickets in CA Top Secret can be used with FTP and here are the steps required:

  1. Access to the FTP site must be done through an application that will request a passticket and pass it at connection time. A sample application is attached to this document.

  2. The application name and session key must be defined to the CA Top Secret NDT.

    Example:APPLICATION = OMVSAPPL          SESSION KEY = 123456789ABCDEF0

    tss add(ndt) pstkappl(omvsappl) sesskey(123456789ABCDEF0)

    To remove it:

    tss rem(ndt) pstkappl(omvsappl)

  3. By default, the default application name is passed on parameter 'APPL=' of the:


    by FTP to CA Top Secret at connection.

    It has the following format:

    FTPDx where 'x' can be '1' '2' etc...

    Modify the FTP STC in order to have the application name, you have chosen to be passed by FTP with the 'APPL=' parameter. See sample as follows:
  4. An alternative to step 3 is to use the CA Top Secret Installation Exit TSSINSTX PRE-INIT entry to change the application name in the RACROUTE parameter list. Please see the following example:
         PREINIT  DS    0H                                                             ICM   R3,15,TXA#@RFP           @@PLIST                               BZ    EXIT0                                                          ICM   R3,15,0(R3)              @PLIST                                BZ    EXIT0                                                          ICM   R3,15,48(R3)             @APPL Get application address         BZ    EXIT0                                                          CLC   0(4,R3),=C'FTPD'         Application starts with FTPD          BNE   EXIT0                                                          MVC   0(8,R3),=C'OMVSAPPL'                                           B     EXIT0

Note 1:
All samples given have been ONLY tested in test environments.

Note 2:
All sample given are for information purposes and CANNOT be considered as a CA extended product feature. Creation, maintenance and troubleshooting are the sole responsibility of the user.

Please see the CA Top Secret User Guide for more details about CA Top Secret Installation Exit 'TSSINSTX'.

File Attachments: