The RACF PassTicket

The RACF® PassTicket is a one-time-only password that is generated by a requesting product or function. It is an alternative to the RACF password that removes the need to send RACF passwords across the network in clear text. It makes it possible to move the authentication of a mainframe application user ID from RACF to another authorized function executing on the host system or to the work station local area network (LAN) environment.

RACF provides support for the following PassTicket functions:
  • Generating a PassTicket.
  • Evaluating a PassTicket.
RACF PassTickets can be configured with two different algorithms:
  • The legacy PassTicket algorithm
  • The enhanced PassTicket algorithm

The legacy PassTicket algorithm is the original PassTicket implementation and uses a DES secret key. The enhanced PassTicket algorithm is an updated version of the PassTicket algorithm and uses an HMAC secret key. RACF supports generation and evaluation of PassTickets with either the legacy PassTicket algorithm or the enhanced PassTicket algorithm based on system configuration. IBM highly recommends using the enhanced PassTicket algorithm as it provides the same capabilities as the legacy PassTicket algorithm but also provides increased security.

For more information on configuring PassTickets, see “The RACF PassTicket” in the z/OS Security Server RACF Security Administrator's Guide.