Generating and using RACF PassTickets

A PassTicket is a program-generated character string that can be used in place of a password, with the following constraints:

Front end programming interface (FEPI) security can generate a PassTicket for use on a target system. The PassTicket can be used anywhere a password can be used.

Note: The PassTicket generation and validation algorithm means that the system that creates the PassTicket and the system that validates it must both use the same level of this function. That is, if the creating system has the function applied, and the validating system does not, the PassTicket is invalid.

For more information about system time differences, and the use of the PassTicket within the 10-minute interval, see the z/OS Security Server RACF Security Administrator's Guide.

Use the PTKTDATA resource class to define profiles that contain the encryption key used for generating and validating PassTickets.

A profile is added for each APPLID that receives sign-ons with PassTickets. The format of the command to add profiles is shown here; specify either KEYMASKED or KEYENCRYPTED, not both:
RDEFINE PTKTDATA applid
        SSIGNON(KEYMASKED(password-key) |
                KEYENCRYPTED(password-key))
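
The following is an added example, not part of the original page and not IBM code: a Python helper that builds one RDEFINE PTKTDATA command per APPLID, each with its own randomly generated key. The 16-hex-digit key format, the VTAM-style APPLID check, the function names and the sample APPLIDs are assumptions that the page does not state.

```python
import re
import secrets

# Assumption: APPLIDs follow VTAM naming (1-8 chars, first is A-Z or @ # $).
APPLID_RE = re.compile(r"[A-Z@#$][A-Z0-9@#$]{0,7}")
# Assumption: password-key is a 64-bit value written as 16 hex digits.
KEY_RE = re.compile(r"[0-9A-F]{16}")


def new_key() -> str:
    """Return a fresh 64-bit key from the OS CSPRNG as 16 hex digits."""
    return secrets.token_hex(8).upper()


def rdefine(applid: str, key: str, encrypted: bool = False) -> str:
    """Build one RDEFINE PTKTDATA command for a single APPLID."""
    applid = applid.strip().upper()
    if not APPLID_RE.fullmatch(applid):
        raise ValueError(f"invalid APPLID: {applid!r}")
    if not KEY_RE.fullmatch(key):
        raise ValueError("password-key must be 16 hex digits")
    # Reject obvious placeholders such as 0000000000000000 or ABABABAB...
    if len(set(key)) < 4:
        raise ValueError("password-key looks like a placeholder, not random")
    operand = "KEYENCRYPTED" if encrypted else "KEYMASKED"
    return f"RDEFINE PTKTDATA {applid} SSIGNON({operand}({key}))"


def build_profiles(applids, encrypted=False):
    """Return {applid: command}: one profile and one distinct key per APPLID."""
    commands = {}
    for raw in applids:
        applid = raw.strip().upper()
        if applid in commands:
            raise ValueError(f"duplicate APPLID: {applid}")
        commands[applid] = rdefine(applid, new_key(), encrypted)
    return commands


if __name__ == "__main__":
    # Constructed sample APPLIDs, not taken from the page.
    for cmd in build_profiles(["CICSPRD1", "cicstst1"]).values():
        print(cmd)
```

The generated commands contain the key in clear text, and the same key value is needed by the system that generates the PassTicket and the system that validates it, so handle the output as secret key material.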