How to set up RACF definitions when implementing PassTickets with IDMS

Document ID : KB000048241
Last Modified Date : 14/02/2018

Description:

Using PassTickets to access an IDMS CV system requires these definitional components:

  • RACF security definitions
  • Information defined in the IDMS security type table (SRTT).

The major components used in this process are the user id, the application id, the system id of the CV, the session key, and the resource class.

Solution :

Note : All of the following definitions are examples and can vary by installation, for instance if the session key is encrypted (KEYENCRYPTED) instead of masked (KEYMASKED). Other parameters can be selected for auditing, performance and other installation-specific needs.

Follow these steps:

  1. Create entries in the SRTT and issue supporting RACF commands to secure system signon externally.
    Note : For more information, see the Knowledge Base article with the document ID: TEC476864.

  2. Create a profile in the PTKTDATA class for each application to which you want to grant users access (the PTKTDATA class must be activated).
    The application id (applid) for an IDMS CV system is the id of the first VTAM line (or the system nodename if no VTAM lines are defined).
    A session key is a secured SIGNON application key in hex representation (maximum 16 characters). Both the PassTicket generator and the target application must use the same session key.

    Example : For a CV where the applid (in this case the first VTAM line) is APLID851:

    RDEFINE PTKTDATA APLID851 OWNER(ADMIN) UACC(NONE) AUDIT(ALL(READ)) -
    SSIGNON(KEYMASKED(1234567890ABCDEF))

  3. Add permission for a user to generate and use a PassTicket for an application.
    Example : For the applid APLID851 and the user FIMX06, issue the following commands:

    RDEFINE PTKTDATA IRRPTAUTH.APLID851.** OWNER(ADMIN) AUDIT(ALL(READ))
    PERMIT IRRPTAUTH.APLID851.** CLASS(PTKTDATA) ID(FIMX06) ACCESS(UPDATE)
    SETROPTS RACLIST(PTKTDATA) REFRESH

  4. (Optional) If PassTicket logins are processed via a CL Supersession, define a PTKTVAL profile. The PTKTVAL profile name has the format <target application>.<requesting application>.<userid>.

    Example : For the target application id APLID851 and the requesting application id CLSSAPPL, issue the following commands:

    RDEFINE PTKTVAL APLID851.CLSSAPPL.** OWNER(ADMIN) AUDIT(ALL(READ))
    PERMIT APLID851.CLSSAPPL.** CLASS(PTKTVAL) ID( )
    SETROPTS RACLIST(PTKTVAL) REFRESH
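The RDEFINE, PERMIT and SETROPTS commands in steps 2 to 4 only work together when the profile names, classes and session key agree with each other, and the typical mistakes (a PERMIT against a profile that was never defined, an empty ID(), a missing RACLIST REFRESH, a session key that is not hex) are silent at the point the PassTicket is rejected. The following checker is an added example, not part of this article and not a CA/Broadcom or IBM tool; it reads a RACF command script in the form shown above (including "-" continuation lines) and reports the inconsistencies it can see before the commands are submitted. Its rules are those stated in the article (PTKTDATA applid profile with SSIGNON(KEYMASKED|KEYENCRYPTED(hex key, max 16 chars)), an IRRPTAUTH.<applid>.** profile for each applid, PTKTVAL profiles of the form target.requester.userid, and a SETROPTS RACLIST(class) REFRESH per class); treating UACC other than NONE as a finding is an assumption of this example. The two sample scripts are constructed; the first deliberately contains four of the mistakes listed above.

```python
"""Consistency checks for a RACF PassTicket definition script (added example)."""
import re

HEX_KEY_RE = re.compile(r"^[0-9A-F]{1,16}$")   # session key: hex, max 16 chars
SSIGNON_RE = re.compile(r"SSIGNON\((KEYMASKED|KEYENCRYPTED)\(([^)]*)\)\)", re.I)


def parse_commands(text):
    """Join TSO '-' continuation lines and return one RACF command per entry."""
    cmds, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("-"):
            buf += line[:-1].rstrip() + " "
        else:
            cmds.append((buf + line).strip())
            buf = ""
    return cmds


def check_passticket_defs(text):
    """Return a list of findings; an empty list means the script looks consistent."""
    findings = []
    defined = set()        # (class, profile) pairs created by RDEFINE
    used_classes = set()   # classes touched, each needs a RACLIST REFRESH
    refreshed = set()      # classes with SETROPTS RACLIST(class) REFRESH
    for cmd in parse_commands(text):
        parts = cmd.split()
        verb = parts[0].upper()
        if verb == "RDEFINE" and len(parts) >= 3:
            cls, prof = parts[1].upper(), parts[2].upper()
            defined.add((cls, prof))
            used_classes.add(cls)
            uacc = re.findall(r"\bUACC\(([A-Z]+)\)", cmd, re.I)
            if len(uacc) > 1:
                findings.append(f"{prof}: UACC specified {len(uacc)} times")
            if uacc and uacc[0].upper() != "NONE":   # assumption: keys are never public
                findings.append(f"{prof}: UACC should be NONE, found {uacc[0]}")
            if cls == "PTKTDATA" and prof.startswith("IRRPTAUTH."):
                applid = prof.split(".")[1]
                if ("PTKTDATA", applid) not in defined:
                    findings.append(f"{prof}: no PTKTDATA profile for applid {applid}")
            elif cls == "PTKTDATA":
                # Application profile: applid is at most 8 chars, key must be hex.
                if len(prof) > 8:
                    findings.append(f"{prof}: applid longer than 8 characters")
                m = SSIGNON_RE.search(cmd)
                if not m:
                    findings.append(f"{prof}: missing SSIGNON(KEYMASKED|KEYENCRYPTED(key))")
                elif not HEX_KEY_RE.match(m.group(2).upper()):
                    findings.append(f"{prof}: session key is not 1-16 hex characters")
            if cls == "PTKTVAL" and len(prof.split(".")) != 3:
                findings.append(f"{prof}: PTKTVAL profile must be target.requester.userid")
        elif verb == "PERMIT" and len(parts) >= 2:
            prof = parts[1].upper()
            m_cls = re.search(r"\bCLASS\((\w+)\)", cmd, re.I)
            m_id = re.search(r"\bID\(([^)]*)\)", cmd, re.I)
            cls = m_cls.group(1).upper() if m_cls else "DATASET"
            used_classes.add(cls)
            if not m_id or not m_id.group(1).strip():
                findings.append(f"{prof}: PERMIT has empty ID()")
            if (cls, prof) not in defined:
                findings.append(f"{prof}: PERMIT in class {cls} without a matching RDEFINE")
        elif verb == "SETROPTS":
            m = re.search(r"RACLIST\s*\((\w+)\)\s*REFRESH", cmd, re.I)
            if m:
                refreshed.add(m.group(1).upper())
    for cls in sorted(used_classes - refreshed):
        findings.append(f"{cls}: no SETROPTS RACLIST({cls}) REFRESH after changes")
    return findings


# Constructed sample with four deliberate mistakes: duplicate UACC, PERMIT against an
# undefined profile, empty ID(), and no RACLIST REFRESH for PTKTVAL.
SAMPLE_BAD = """\
RDEFINE PTKTDATA APLID851 OWNER(ADMIN) UACC(NONE) AUDIT(ALL(READ)) -
SSIGNON(KEYMASKED(1234567890ABCDEF)) UACC(NONE)
RDEFINE PTKTDATA IRRPTAUTH.APLID851.** OWNER(ADMIN) AUDIT(ALL(READ))
PERMIT IRRPTAUTH.IDMSAPPL.** CLASS(PTKTDATA) ID(FIMX06) ACCESS(UPDATE)
SETROPTS RACLIST(PTKTDATA) REFRESH
RDEFINE PTKTVAL APLID851.CLSSAPPL.** OWNER(ADMIN) AUDIT(ALL(READ))
PERMIT APLID851.CLSSAPPL.** CLASS(PTKTVAL) ID( )
"""

# Constructed corrected version of the same definitions (FIMX06 is the sample user).
SAMPLE_GOOD = """\
RDEFINE PTKTDATA APLID851 OWNER(ADMIN) UACC(NONE) AUDIT(ALL(READ)) -
SSIGNON(KEYMASKED(1234567890ABCDEF))
RDEFINE PTKTDATA IRRPTAUTH.APLID851.** OWNER(ADMIN) AUDIT(ALL(READ))
PERMIT IRRPTAUTH.APLID851.** CLASS(PTKTDATA) ID(FIMX06) ACCESS(UPDATE)
SETROPTS RACLIST(PTKTDATA) REFRESH
RDEFINE PTKTVAL APLID851.CLSSAPPL.** OWNER(ADMIN) AUDIT(ALL(READ))
PERMIT APLID851.CLSSAPPL.** CLASS(PTKTVAL) ID(FIMX06)
SETROPTS RACLIST(PTKTVAL) REFRESH
"""

if __name__ == "__main__":
    for name, script in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(f"== {name} ==")
        for f in check_passticket_defs(script) or ["no findings"]:
            print(" ", f)
```

Run it against the command deck before submitting it; a clean result does not prove the SRTT side (step 1) is right, it only shows that the RACF profiles reference each other consistently and that every class touched will be refreshed.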