A PassTicket is a program-generated character string that can be used in
place of a password, with the following constraints:
- A specific PassTicket may be used for authentication once.
- The PassTicket must be used within 10 minutes of being generated.
- To ease the problem of system time differences, a specific PassTicket
can be used up to 10 minutes earlier or later in a target system, compared
to the generating system.
Front end programming interface (FEPI) security can generate a PassTicket
for use on a target system. The PassTicket can be used anywhere a password
can be used.
Note: The PassTicket generation and validation algorithm means that
the system that creates the PassTicket and the system that validates it must
both use the same level of this function. That is, if the creating system
has the function applied, and the validating system does not, the PassTicket
is invalid.
For more information about the system time differences, and the use of
the PassTicket within the 10-minute interval, see the z/OS Security Server RACF Security Administrator's Guide.
Use the PTKTDATA resource class to define profiles that contain the encryption
key used for generating and validating PassTickets.
A profile is added for each APPLID that receives sign-ons with PassTickets.
The format of the command to add profiles is:
RDEFINE PTKTDATA applid
        SSIGNON(KEYMASKED(password-key) | KEYENCRYPTED(password-key))
KEYMASKED and KEYENCRYPTED are alternatives; specify one of them.
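The following command sequence is an added example, not taken from the original page, showing the profile definition in the context of activating and refreshing the class. The APPLID CICSAPP1 and the key value are constructed placeholders; the SETROPTS and RLIST commands and the UACC(NONE) operand are standard RACF commands that the page itself does not show.

```tso
/* Activate the PTKTDATA class and keep its profiles in storage.    */
SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)

/* Define the profile for the target APPLID (constructed name).     */
/* The key is 16 hexadecimal characters (a 64-bit value). The value */
/* below is a constructed placeholder: generate your own key and    */
/* define the same key on the generating and validating systems.    */
/* KEYENCRYPTED requires a cryptographic product on the system;     */
/* KEYMASKED only masks the stored key.                             */
RDEFINE PTKTDATA CICSAPP1 SSIGNON(KEYMASKED(0123456789ABCDEF)) UACC(NONE)

/* Make the new profile effective in the RACLISTed class.           */
SETROPTS RACLIST(PTKTDATA) REFRESH

/* List the SSIGNON segment to confirm the key protection method.   */
RLIST PTKTDATA CICSAPP1 SSIGNON
```

Because the key appears in clear text on the RDEFINE command, enter it where the command text is not retained in job output or shared command logs.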