Is there a way to use pass tickets for the CA TPX sessions that we have set up to use a secondary userid?

Document ID : KB000004776
Last Modified Date : 14/02/2018
Show Technical Document Details
Issue:

We have some sessions set up with session option ACL Userid so that the user signs on to that application with a different userid than they used to sign on to TPX.  When we change this application to use pass tickets, signon fails:

TPXL0926 mm/dd/yy.xxx hh:mm:ss.xx ACLUSER FIELD INVALID FOR PASSTICKET : GEN FAILED 
FOR USERID: USER01A SESSION: TSOB ACLUSER: USER01B

Cause:

TPX will only request pass ticket generation for the userid that originally signed on to TPX.  

It would be a significant security breach to request pass ticket generation for any other userid since there is no way to validate this.

By design, TPX will fail the session setup and generate message TPXL0926.

Resolution:

The only options are:

  • Do not use pass tickets for this application
  • Enable the signon to the application for the userid that originally signed on to TPX
  • Where appropriate, enable multiple signons for a single userid within the application and external security
  • Sign on to TPX with the secondary userid
Additional Information:

ACL Userid field is available in User or Profile Maintenance - Session Options (not in ACT):

                  TPX Profile Table Detail Panel                               

                                                            Panelid  - TEN0114 

 Command ===>                                               Userid   - 

                                                            Termid   - 

Profile:  BASEPROF                                          Date     - 

Session:  ABCTSO                                            Time     - 

                                    Application    System                      

                                    Defaults       Defaults                    

Applid/Tier LVL:  ABCITSO                                                      

ACCESS=PASS:      _                                MULTIPLE                    

Timeout min.:     ______            ______         00000060                    

Modent name:      ________          ________                                   

Sesskey:          PF __             ______                                     

Start at signon:  _                                                            

Startup ACL:      ________          DISPACL1                                   

ACL Userid:       ________                                                     

ACL Password:     ________                                                     

Term ACL:         ________          ________                                   

ACB Mask:         ________                                                     

KeepACB:          _                 N                                          

Invisible:        _                                                            

OV/MVS ACI:       _                                                            

                                                                               

PF1=Help    PF3=End    PF4=Return   PF8=Next Page       "CANCEL" cancel      

 

From field level help:

ACL Userid specifies the one- to eight-character user ID that the ACLPGM uses as the &USERID parameter for this session. 

ACL Password specifies the one- to eight-character password that the ACLPGM uses as the &PSWD parameter for this session.