Setting up for PassTicket key usage on z/OS

About this task

To establish a connection using a PassTicket key on z/OS®, you interact with Copy Services Manager (CSM) through either its Command Line Interface (CLI) or its Graphical User Interface (GUI). In this procedure, you create a PassTicket key on the z/OS system. CSM uses that key to generate the password required for the z/OS host connection, so that a PassTicket can be used to authenticate to the z/OS system.
Note:

To use PassTicket functionality, the z/OS PTFs for IOS APAR OA62931 must be installed and the system must be at z/OS V2.4 or later. The PassTicket function is enabled by installing these PTFs, which are service packages installed with SMP/E.

The following commands can be entered as TSO commands or from the interactive ISPF RACF utility panels. In the examples below, the commands are entered from ISPF option 6 (the TSO command shell).

Procedure

  1. Run sample job IWNRACF5 to create the user that the PassTicket profile in step 5 uses as its default user. The user is set to HOSTUSR as the default in IWNRACF.
  2. If the PTKTDATA class is not already active, activate it with the following command:
    SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)
  3. Refresh the RACLISTed profiles for the class so that the PassTicket settings take effect:
    SETROPTS RACLIST(PTKTDATA) REFRESH
  4. Generate an enhanced PassTicket key with a key size no greater than 2048. Protect this key: the client uses it to generate the PassTicket token that provides single sign-on for the application to access HSIB sockets. For more information, see Using PassTickets. If you have trouble generating the PassTicket key, contact IBM support.
  5. Define a PassTicket profile for IOSHMCSM and the user created by the Copy Services Manager sample job IWNRACF5. In the following example, the profile IOSHMCSM.HOSTUSR is created for PassTicket single sign-on and associated with the key USRLCL.CKDS.CSM generated in the CKDS. The only value supported for TYPE is UPPER. A TIMEOUT value of 600 is recommended.
    RDEFINE PTKTDATA IOSHMCSM.HOSTUSR
    SSIGNON(EPTKEYLABEL(USRLCL.CKDS.CSM)
    TYPE(UPPER) TIMEOUT(600)) APPLDATA('CSM TO HYPERSWAP CONNECTION')
    Note: If you have already completed a first pass of this step and run RDEFINE, use RALT (RALTER) thereafter, because RDEFINE fails when the profile already exists:
    RALT PTKTDATA IOSHMCSM.HOSTUSR
    SSIGNON(EPTKEYLABEL(USRLCL.CKDS.CSM)
    TYPE(UPPER) TIMEOUT(600)) APPLDATA('CSM TO HYPERSWAP CONNECTION')
  6. The last step is to refresh the RACLISTed PTKTDATA profiles so that the new or changed profile takes effect:
    SETROPTS RACLIST(PTKTDATA) REFRESH

    When you create a PassTicket key on a z/OS server, the system time must match the client's time within the defined timeout period of up to 10 minutes. If the server and client clocks are not synchronized, the PassTicket may be rejected as expired, because the code generation algorithm includes a time factor.

    When a Copy Services Manager server connects to several different z/OS hosts, each host connection can use a different authentication method. For example, the server can connect to hostA with a password and to hostB with a PassTicket key. However, the same z/OS host cannot be connected from one Copy Services Manager server using two different authentication methods.

    An existing z/OS host connection that was initially set up with a password can be modified to use a PassTicket key. After the change, the PassTicket key is used to generate the password that authenticates the z/OS host connection from then on.
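As an added example that is not part of the IBM procedure, the RACF commands from steps 2 through 6 assembled into one batch TSO job (IKJEFT01), followed by two verification commands: SETROPTS LIST to confirm that PTKTDATA is active and RACLISTed, and RLIST with the SSIGNON operand to confirm the profile's key label, TYPE and TIMEOUT. The job card is a placeholder to adapt to your site; the profile name, key label and APPLDATA are the ones used in the steps above.

```jcl
//RACFPTK  JOB (ACCT),'CSM PASSTICKET SETUP',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//* Added example, not part of the IBM procedure. The job card is a
//* placeholder; use your site's account, classes and NOTIFY values.
//* Steps 1 (IWNRACF5) and 4 (key generation) must already be done.
//* On a rerun, change RDEFINE to RALTER: RDEFINE fails when the
//* profile IOSHMCSM.HOSTUSR already exists.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)
  SETROPTS RACLIST(PTKTDATA) REFRESH
  RDEFINE PTKTDATA IOSHMCSM.HOSTUSR +
    SSIGNON(EPTKEYLABEL(USRLCL.CKDS.CSM) TYPE(UPPER) TIMEOUT(600)) +
    APPLDATA('CSM TO HYPERSWAP CONNECTION')
  SETROPTS RACLIST(PTKTDATA) REFRESH
  SETROPTS LIST
  RLIST PTKTDATA IOSHMCSM.HOSTUSR SSIGNON
/*
//
```

Check SYSTSPRT for a non-zero return code on any command; the RLIST output shows the key label, TYPE and TIMEOUT of the SSIGNON segment but never the key value itself.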