Signon security

When signing on to a back-end system, FEPI applications can ask the external security manager (ESM) to supply a password substitute, or PassTicket. (For an explanation of why PassTickets are necessary, see topic Signon security.)

How to use PassTickets

This section is an overview of how PassTickets work, and describes what you need to do to use them. For detailed information about PassTickets, see the OS/390 Security Server (RACF) Security Administrator’s Guide.

  1. To process PassTickets, the ESM uses keys, known as Secure Signon keys, that are shared by the front- and back-end systems. You must define a Secure Signon key for each target system with which FEPI communicates. For information about how to do this, RACF® users should refer to the OS/390 Security Server (RACF) System Programmer’s Guide. Users of other ESMs should refer to the documentation for their product.
  2. The end-user is verified by signing on to the front-end CICS® in the usual way.
  3. When he or she runs a transaction that uses FEPI, your application issues a FEPI REQUEST PASSTICKET command to obtain a PassTicket (1). A PassTicket is a secure representation of a password that can be used to sign on to the back-end system. It is valid for one use only, and is time-stamped. The userid for which the PassTicket is generated is that of the currently signed-on user. Your FEPI application can use an EXEC CICS ASSIGN command to check the userid of the currently signed-on user.
  4. Your FEPI application uses the PassTicket and userid to perform a sign-on in the back-end system, just as if it were sending a password and userid. For example:
    EXEC CICS FEPI SEND FORMATTED
                        CONVID(convid) FROM(CESN userid PassTicket)
                        FROMLENGTH(length_of_data)
    It is the application’s responsibility to provide the signon processing, because CICS cannot know either the type of back-end (CICS or IMS™) or the back-end program being used for signon processing.
  5. The back-end system uses an unchanged interface to perform the sign-on. Thus, a CICS system receiving a userid and a PassTicket can use its existing procedures to sign on the userid. RACF takes care of the fact that a PassTicket, rather than a password, is passed to it.
Note:
If the PassTicket times out (because, for example, of a session failure), your application should generate another and try to sign on again. If signon continues to fail and the front- and back-ends are in different MVS™ systems, check that the TOD clocks are suitably synchronized. Too many failed signon attempts could result in the userid being revoked.
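The properties the steps above rely on (a key shared per target system, a ticket bound to the signed-on userid, time-stamped and valid once, a bounded retry when it times out, revocation after repeated failures) can be seen in this added model. It is not CICS, FEPI or RACF code: HMAC-SHA256, the 60-second window and the failure threshold are assumptions standing in for the real PassTicket algorithm and installation settings, and all names and values are constructed.

```python
import hmac
import hashlib

# Model of the two roles that share a Secure Signon key. HMAC-SHA256 stands in
# for the real RACF PassTicket algorithm (an assumption, not the real scheme).
class Esm:
    def __init__(self, keys, window=60, max_failures=3):
        self.keys = keys              # target application -> shared Secure Signon key
        self.window = window          # seconds a PassTicket stays valid (assumed)
        self.max_failures = max_failures
        self.used = set()             # tickets already accepted: one use only
        self.failures = {}            # userid -> consecutive failed signons

    def _tag(self, appl, userid, stamp):
        msg = f"{appl}:{userid}:{stamp}".encode()
        return hmac.new(self.keys[appl], msg, hashlib.sha256).hexdigest()[:16]

    def request_passticket(self, appl, userid, now):
        """Front-end side (step 3): ticket bound to user, target system and time."""
        stamp = int(now)
        return f"{stamp}-{self._tag(appl, userid, stamp)}"

    def is_revoked(self, userid):
        return self.failures.get(userid, 0) >= self.max_failures

    def verify_passticket(self, appl, userid, ticket, now):
        """Back-end side (step 5): unchanged signon path, the ESM checks the ticket."""
        ok = False
        if not self.is_revoked(userid):
            try:
                stamp_s, tag = ticket.split("-", 1)
                stamp = int(stamp_s)
                fresh = abs(int(now) - stamp) <= self.window      # time-stamped
                genuine = hmac.compare_digest(tag, self._tag(appl, userid, stamp))
                unused = (appl, userid, ticket) not in self.used  # one use only
                ok = fresh and genuine and unused
            except (ValueError, KeyError, TypeError):
                ok = False
        if ok:
            self.used.add((appl, userid, ticket))
            self.failures[userid] = 0
        else:
            self.failures[userid] = self.failures.get(userid, 0) + 1
        return ok

def front_end_signon(esm, appl, userid, front_clock, back_clock, attempts=2):
    """Steps 3-4 and the Note: get a ticket, sign on, retry with a fresh ticket a
    bounded number of times so a skewed TOD clock cannot get the userid revoked."""
    for _ in range(attempts):
        ticket = esm.request_passticket(appl, userid, front_clock())
        if esm.verify_passticket(appl, userid, ticket, back_clock()):
            return True
    return False
```

A front-end clock 600 seconds ahead of the back-end makes every ticket look stale, which is the symptom the Note attributes to unsynchronized TOD clocks.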

For information about using RACF with CICS, see the CICS RACF Security Guide.

Benefits

The advantages of using PassTickets are that:

Requirements

(1) If EDF is being used, the PassTicket is not displayed.
