When configuring TPX for pass tickets, when do I need to define ACT parameter Pass Ticket prof name?

Document ID : KB000031020
Last Modified Date : 20/02/2018
Introduction:

A pass ticket is a one-time only password substitute that is automatically generated by an authentication server, such as IBM's Network Security Program or CA's Single Signon Option, on behalf of a client workstation requesting access to a mainframe application like CA TPX. After a user is signed on, pass tickets can also be generated for applications subsequently accessed through this product. The use of pass tickets requires you to complete administrative maintenance.

The pass ticket eliminates the need for users to manually type their password on the TPX logon screen and eliminates the transmittal of the same password in clear text across networks. The feature also provides application security, because a pass ticket is a one-time only password.

Pass tickets are supported by CA ACF2, CA Top Secret, and RACF.

Question:

When configuring TPX for pass tickets and/or qualified pass tickets, when do I need to define ACT parm 'Pass Ticket prof name'?

    Answer:

    Set 'Pass Ticket Prof name' when this profile name needs to be supplied to the external security system instead of the applid during Pass Ticket generation.

    • When ACT field Pass Ticket Prof Name is empty, TPX issues the pass ticket request with the USERID & APPLID.
    • When ACT field Pass Ticket Prof Name contains a profile name, TPX issues the pass ticket request with the USERID & Pass Ticket Prof Name.

    NOTE:  There is no session level parameter at either user or profile level for specifying this profile name.  It can only be specified within the Application Characteristics Table (ACT). 

     

    We know that this is usually required for TSO and VM systems, where this parameter will have the value "TSOsmfid" or "VMcpuid".

    • TSO - TSOsmfid
    • VM - VMcpuid

    Other applications requiring Pass Ticket prof name, as provided to us by TPX customers:  (Please verify for your environment.)

    • MVSxxxx system default
      • CA7
      • CADISP 
      • NETVIEW 
      • EXIGENCE 
      • IMPLEX 
    • APPLID of application 
      • TMONDB2
    • SESSIONID (note that this was not the APPLID but rather the SESSIONID defined in TPX)
      • ABENDAID

    There may be additional applications where this parameter is also required.  That should be determined in conjunction with the application vendor and your security administrator.

    A security trace on the application may help identify which parameters the application is sending to security for validation.  TPX can then be defined to request pass ticket creation for the same parameters.
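The comparison described above can be scripted once the names from the security trace have been written down. The following is an added example, not CA code: the `ActEntry` model, the function names, the APPLIDs, the SMF id `SYSA` and the traced values are all constructed for illustration, and the trace results are assumed to have been transcribed by hand into a dictionary.

```python
from dataclasses import dataclass


@dataclass
class ActEntry:
    """One ACT entry, reduced to the two fields this check needs (hypothetical model)."""
    applid: str
    pass_ticket_prof_name: str = ""  # empty = field left blank in the ACT


def name_sent(entry: ActEntry) -> str:
    """Name TPX supplies with the USERID: the profile name if set, else the APPLID."""
    return (entry.pass_ticket_prof_name.strip() or entry.applid.strip()).upper()


def audit(entries, traced):
    """Compare each entry with the name the application was seen validating against.

    traced maps APPLID -> name taken by hand from a security trace.
    Returns (applid, action, value) tuples; action is ok, set, clear or untraced.
    """
    findings = []
    for e in entries:
        applid = e.applid.strip().upper()
        seen = traced.get(applid, "").strip().upper()
        if not seen:
            findings.append((applid, "untraced", None))   # nothing to compare yet
        elif name_sent(e) == seen:
            findings.append((applid, "ok", seen))
        elif seen == applid:
            findings.append((applid, "clear", None))      # blank field sends the APPLID
        else:
            findings.append((applid, "set", seen))        # field must carry this name
    return findings


# Constructed sample data: APPLIDs, SMF id SYSA and trace results are made up.
ACT = [
    ActEntry("TSOA01"),                 # TSO validates with TSOsmfid
    ActEntry("CICSPRD1"),               # validates with its own APPLID
    ActEntry("AAPROD", "AAPROD"),       # validates with the TPX session id
    ActEntry("IMSPROD", "MVSSYSA"),     # profile name set but not wanted
    ActEntry("NEWAPP"),                 # no trace taken yet
]
TRACED = {"TSOA01": "TSOSYSA", "CICSPRD1": "CICSPRD1",
          "AAPROD": "ABENDAID", "IMSPROD": "IMSPROD"}

if __name__ == "__main__":
    for applid, action, value in audit(ACT, TRACED):
        print(f"{applid:<9} {action:<9} {value or ''}")
```

An entry reported as `set` needs that value in its ACT Pass Ticket Prof Name field, and `clear` means the field should be left empty so the APPLID is sent.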

    Additional Information: