Activate PassTicket processing and define a profile

The procedure for activating PassTicket processing depends on which ESM your environment uses. The procedure presented here is for RACF®. Other ESMs (such as eTrust CA-ACF2 and eTrust CA-Top Secret) have similar facilities for PassTickets. For details, see the documentation for those products.

To activate PassTicket processing using RACF, perform the following steps. You must perform these steps on each logical partition (LPAR) on which you will be running a CICS® Configuration Manager server or client.

  1. Activate the RACF general resource class PTKTDATA:
    SETROPTS CLASSACT(PTKTDATA)
    SETROPTS RACLIST(PTKTDATA)

    The resource class PTKTDATA holds the encryption key used to create and validate PassTickets.

  2. Define a profile for CICS Configuration Manager:
    TSO RDEFINE PTKTDATA applid SSIGNON(KEYMASKED(password-key))
                         APPLDATA('NO REPLAY PROTECTION')
    where:
    applid
    Application ID of the CICS region that will run the CICS Configuration Manager server. For example, CCVROCKS.
    Note: Using the VTAM GRNAME in place of the APPLID is not supported.
    password-key
    16-character secured signon application key. For example, 0123456789abcdef.
  3. Refresh the class:
    SETROPTS RACLIST(PTKTDATA) REFRESH

    (You must refresh the class after you define or change the profile.)

No replay protection?

Specifying "no replay protection" can improve CICS Configuration Manager performance, because it allows the CICS Configuration Manager client to reuse the same PassTicket for successive API calls.

If replay protection is on (the default), RACF does not allow PassTickets to be reused, so the client must create a new PassTicket for each API call. The algorithm for generating PassTickets uses the current time to the nearest second. To ensure a unique PassTicket, the client may need to wait for one second between API calls. Specifying "no replay protection" solves this performance issue.

With or without replay protection, PassTickets expire after approximately 10 minutes.


Information Information

Feedback


Timestamp icon Last updated: Friday, 1 November 2013


http://pic.dhe.ibm.com/infocenter/cicsts/v5r1/topic//ccv-install-passticket-activate.htm