How do I set up CA-ACF2 to use passtickets?

Document ID : KB000046051
Last Modified Date : 14/02/2018

Question:

How do I set up passtickets using CA ACF2?

 

Answer:

The role of CA-ACF2 in passticket processing is to provide the security key to be used in encrypting a passticket.

CA-ACF2 stores the keys in PTKTDATA profile records, as documented in the CA-ACF2 Security for z/OS Administrator Guide.

It is up to the application to present the appropriate user information to CA-ACF2 for the passticket processing.

As the administrator, you create a profile record with a key specification, i.e. the SSKEY, as in this example:

INSERT TSOSYS1 SSKEY(C237D18425CFE12D)

The SSKEY is a value you make up. It is the input to the passticket generator,
which uses it to create the passticket that will eventually be used instead of a password.

This SSKEY is used to create a passticket when an application issues the following request asking for one:

         L     15,RCVTPTGN                 Address of passticket generator
         CALL  (15),(userid,applname)      Returns a passticket

RCVTPTGN points to the passticket generator program, SAFPTGEN (supplied with CA ACF2). The call returns a passticket.
When the application wants to use that passticket, it passes it as the password, together with the userid, on a normal "signon" request.
This could be a RACROUTE REQUEST=VERIFY call or a direct ACFSVC call.
If you are dealing with an application that already handles passticket processing, the only setup required may be the profile records;
everything else is already in place.
The application code needs to be APF/key zero.

Lastly, the passticket is designed to be one-time-use only.
It is good for 10 minutes.
There is a mult-use option in the CA-ACF2 profile record which allows the passticket to be used more than once,
but still only for 10 minutes after it is generated.
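
Added example (not part of the original article and not CA code): because the SSKEY is a value the administrator makes up, this Python check reads INSERT ... SSKEY(...) commands, flags weak or reused keys, and generates a random replacement. The 16-hex-digit key length is assumed from the article's example; the function names are hypothetical and the sample commands are constructed.

```python
import re
import secrets
from collections import defaultdict

# The key printed in this article; a key copied from public documentation is not secret.
PUBLISHED_SAMPLE_KEYS = {"C237D18425CFE12D"}
# Assumption: an SSKEY is 16 hexadecimal digits, as in the article's example.
INSERT_RE = re.compile(r"^\s*INSERT\s+(\S+)\s+SSKEY\(([^)]*)\)", re.IGNORECASE)

def new_sskey():
    """Return a random 16-hex-digit key drawn from the OS CSPRNG."""
    return secrets.token_hex(8).upper()

def audit_sskeys(lines):
    """Return {profile name: [findings]} for INSERT ... SSKEY(...) lines."""
    findings = defaultdict(list)
    seen = defaultdict(list)  # key -> profile names that use it
    for line in lines:
        m = INSERT_RE.match(line)
        if not m:
            continue
        profile, key = m.group(1).upper(), m.group(2).strip().upper()
        if not re.fullmatch(r"[0-9A-F]{16}", key):
            findings[profile].append("not 16 hex digits")
            continue
        if key in PUBLISHED_SAMPLE_KEYS:
            findings[profile].append("published sample key")
        if len(set(key)) <= 4 or key[:8] == key[8:]:
            findings[profile].append("low-variety or repeated pattern")
        seen[key].append(profile)
    for key, profiles in seen.items():
        if len(profiles) > 1:  # one leaked key would expose every profile sharing it
            for p in profiles:
                others = ", ".join(o for o in profiles if o != p)
                findings[p].append("key shared with " + others)
    return dict(findings)

# Constructed sample input (not real profile records).
SAMPLE = [
    "INSERT TSOSYS1 SSKEY(C237D18425CFE12D)",
    "INSERT CICSPRD SSKEY(0123012301230123)",
    "INSERT IMSTEST SSKEY(9F3A61C07BD2E845)",
    "INSERT IMSPROD SSKEY(9F3A61C07BD2E845)",
    "INSERT BATCH01 SSKEY(ABC)",
]

if __name__ == "__main__":
    for profile, issues in audit_sskeys(SAMPLE).items():
        print(profile, "->", "; ".join(issues))
    print("replacement key:", new_sskey())
```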