r_ticketserv failure for DB2 V11 Admin Server

Document ID : KB000015862
Last Modified Date : 14/02/2018
Introduction:

Resolving r_ticketserv failure for DB2 V11 Admin Server.

Question:

We are attempting to implement the DB2 V11 Admin Server. I am getting an error regarding passtickets when a DBA attempts to schedule a task using the Admin server. In the Violation report I see:

07/05/17 13:30:02 D01 DB2ACID DB1DADMT STC FAIL
RESOURCE TYPE & NAME : USSLOG R_TICKETSERV

Following this DB2 documentation link, I can see that in DB2 V10 an internal passticket requirement was created.

https://www.ibm.com/support/knowledgecenter/en/SSEPEK_10.0.0/admin/src/tpc/db2z_secureexecutionintaskscheduler.html

I don't understand how to accomplish this in Top Secret. Also, I don't necessarily want to even set a passticket up if the admin server can be made to work more simply.

Please advise me on what I need to do in Top Secret for support of the DB2 Admin server.

Answer:

The cause of the r_ticketserv RC 8 8 24 is in the definition of the PSTKAPPL or SESSKEY.

There are no failures on the z/OS side of things. The IRRPTAUTH security check, which determines whether the user is authorized to use passtickets, received RC 0, so the user is authorized to use passtickets.

Example:
TSS ADDTO(NDT) PSTKAPPL(application)
SESSKEY(abcdef12)

https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/using/issuing-commands-to-communicate-administrative-requirements/keywords/pstkappl-keyworddefine-an-application-id


PSTKAPPL
----------------
Use the PSTKAPPL keyword to define the application ID. Depending on the application, the secured signon function uses a specific method to determine the application ID:
• For CICS, IMS, or APPC applications, the application ID is defined using the standard naming conventions you use to define these applications in a VTAM APPL statement.
• For TSO, the application ID is defined by prefacing the SMF identifier of the system with the characters TSO. For example, TSOXE05 is the application ID for TSO on machine XE05. The SMF system ID can be found in the SMFPRMxx member of SYS1.PARMLIB.
• For z/OS batch jobs that include TSS passwords in the JCL, you can replace the password with a PassTicket. The application ID for batch jobs is defined by prefacing the SMF identifier of the system with the characters z/OS. For example, OS/390 XE05 is the application ID for all batch jobs on machine XE05.


https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/using/issuing-commands-to-communicate-administrative-requirements/keywords/sesskey-keyworddefine-or-display-session-keys

SESSKEY
--------------
A hexadecimal “password” that is unique to each application assigned as a PassTicket. A SESSKEY is required for each PassTicket. This is user defined.

Range: 1 to 16 bytes

So the application generating the passticket must be using the same SESSKEY that you specified in the NDT.

If either of these is incorrect, r_ticketserv will fail.

It is the responsibility of the application to document the application name that will be used for the PSTKAPPL. 

So, to recap, verify that the SESSKEY and PSTKAPPL are using the correct values. The SESSKEY is user defined. You must use the same key specified in the NDT with the application. The PSTKAPPL must be the program name using the passticket and should be documented in the DB2 applications manuals.


IBM gave the following RACF commands to define passtickets to RACF:
RDEFINE PTKTDATA IRRPTAUTH.!DSNADMT!.* UACC(NONE)
RDEFINE PTKTDATA !DSNADMT! +
SSIGNON(KEYMASKED(CACD4AD6D79ECA71)) +
UACC(NONE) APPLDATA('NO REPLAY PROTECTION')
PERMIT IRRPTAUTH.!DSNADMT!.* CL(PTKTDATA) +
ID(!STARTUID!) ACCESS(UPDATE)
PERMIT !DSNADMT! CL(PTKTDATA) +
ID(!STARTUID!) ACCESS(UPDATE)
SETROPTS RACLIST (PTKTDATA) REFRESH
SETROPTS RACLIST (FACILITY) REFRESH
SETROPTS REFRESH GENERIC(*) RACLIST(PTKTDATA)
//*

Based on the above example 'DSNADMT' is the program name we need.

TSS ADDTO(NDT) PSTKAPPL(DSNADMT)
SESSKEY(abcdef12) SIGNMULTI


The following line defines the encryption key:

SSIGNON(KEYMASKED(CACD4AD6D79ECA71))

which is user defined.

Please make sure you add your user defined encryption key to the following command:

TSS ADDTO(NDT) PSTKAPPL(DSNADMT)
SESSKEY(your_encryption_key) SIGNMULTI

Please make sure the application is using the same encryption key when generating the passticket. Otherwise the passticket validation will fail.

The following PERMITs are also needed:

TSS PER(DB2ACID) PTKTDATA(IRRPTAUTH) ACCESS(UPDATE)
TSS PER(DB2ACID) IBMFAC(IRR.RTICKETSERV) ACCESS(UPDATE)
TSS PER(DB2ACID) IBMFAC(BPX.SERVER) ACCESS(UPDATE)
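
The answer above comes down to one check: the PSTKAPPL name and SESSKEY in the NDT must agree with the application name and key on the application side. The following Python is an added example, not part of the original article or of any CA or IBM tooling; it compares saved command text from both sides and reports mismatches without printing key values. The function names and the approach of comparing saved command text are assumptions made for illustration.

```python
import re

# Constructed input: the RACF definition quoted in this article.
RACF_SAMPLE = """\
RDEFINE PTKTDATA IRRPTAUTH.!DSNADMT!.* UACC(NONE)
RDEFINE PTKTDATA !DSNADMT! +
SSIGNON(KEYMASKED(CACD4AD6D79ECA71)) +
UACC(NONE) APPLDATA('NO REPLAY PROTECTION')
"""
# The TSS command as shown in this article, still carrying the placeholder key.
TSS_SAMPLE = "TSS ADDTO(NDT) PSTKAPPL(DSNADMT)\nSESSKEY(abcdef12) SIGNMULTI\n"

def racf_ptktdata(text):
    """Map application name -> key from RDEFINE PTKTDATA ... SSIGNON(KEYMASKED(..))."""
    joined = re.sub(r"\s*\+\s*\n\s*", " ", text)  # fold '+' continuation lines
    profiles = {}
    for line in joined.splitlines():
        name = re.match(r"\s*RDEFINE\s+PTKTDATA\s+(\S+)", line, re.I)
        key = re.search(r"SSIGNON\(\s*KEYMASKED\(\s*([0-9A-F]+)\s*\)", line, re.I)
        if name and key:
            # Assumption: '!' delimits a placeholder, as the article reads it.
            profiles[name.group(1).strip("!").upper()] = key.group(1).upper()
    return profiles

def tss_ndt(text):
    """Map PSTKAPPL name -> SESSKEY value from TSS ADDTO(NDT) command text."""
    pairs = re.findall(r"PSTKAPPL\(\s*([^)\s]+)\s*\).*?SESSKEY\(\s*([^)\s]*)\s*\)",
                       text, re.I | re.S)
    return {appl.upper(): key.upper() for appl, key in pairs}

def check(racf_text, tss_text):
    """Return (application, problem) tuples; key values are never included."""
    ndt = tss_ndt(tss_text)
    findings = []
    for appl, key in sorted(racf_ptktdata(racf_text).items()):
        if appl not in ndt:
            findings.append((appl, "no PSTKAPPL entry in NDT"))
        elif not re.fullmatch(r"[0-9A-F]+", ndt[appl]):
            findings.append((appl, "SESSKEY is not hexadecimal"))
        elif ndt[appl] != key:
            findings.append((appl, "SESSKEY differs from KEYMASKED value"))
    return findings

if __name__ == "__main__":
    for appl, problem in check(RACF_SAMPLE, TSS_SAMPLE):
        print(f"{appl}: {problem}")
```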