Configuring PassTicket support for the Distributed Data Server
If the RMF™ Distributed Data Server (DDS) is configured to require authentication (see Setting up the Distributed Data Server for z/OS), a user ID and a PassTicket can be supplied instead of a user ID and a password.
For more information about PassTickets, see the z/OS Security Server RACF Security Administrator's Guide (SA22-7683).
A PassTicket is validated against an application name. The RACF® application name of the DDS is GPMSERVE. Before creating the necessary application profile, the RACF class PTKTDATA must be activated:
SETROPTS CLASSACT(PTKTDATA)
SETROPTS RACLIST(PTKTDATA)
RDEFINE PTKTDATA GPMSERVE SSIGNON(KEYMASKED(<key>))
where <key> is a user-supplied 16-digit value used to generate the PassTicket. You can specify a value of your choice. Valid characters are 0 - 9 and A - F.

The user calling the DDS must have RACF permissions in order to generate PassTickets. Define a profile in the PTKTDATA class controlling access to the PassTicket services and explicitly set the universal access authority to NONE:
RDEFINE PTKTDATA IRRPTAUTH.GPMSERVE.* UACC(NONE)
PERMIT IRRPTAUTH.GPMSERVE.* CLASS(PTKTDATA) ID(<user>) ACCESS(UPDATE)
where <user> is the user ID connecting to the DDS. In a CIM environment, this is the user ID associated with the CIM server started task.

SETROPTS RACLIST(PTKTDATA) REFRESH
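
To confirm the result of the steps above, the following batch TSO job lists the relevant RACF settings. It is an added example, not part of the original documentation; the job name and job card values are site-specific placeholders, and the submitting user needs authority to list the RACF options and these profiles.

```jcl
//PTKTCHK  JOB (ACCT),'VERIFY DDS PTKT',CLASS=A,MSGCLASS=X
//*
//* Added example: job card values are site-specific placeholders.
//* Runs RACF list commands in batch TSO to confirm the setup:
//*  1. SETROPTS LIST shows whether PTKTDATA is among the active
//*     and RACLISTed classes.
//*  2. RLIST ... SSIGNON lists the secured signon segment of the
//*     GPMSERVE application profile.
//*  3. RLIST ... AUTHUSER lists the access list of the profile
//*     that controls PassTicket generation; expect UACC NONE and
//*     only the intended user ID with UPDATE.
//*
//VERIFY   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS LIST
  RLIST PTKTDATA GPMSERVE SSIGNON
  RLIST PTKTDATA IRRPTAUTH.GPMSERVE.* AUTHUSER
/*
```

The job only lists settings, so the <key> value never has to be placed in a JCL member or job output.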