The procedure for activating PassTicket processing depends on which ESM your environment uses. The procedure presented here is for RACF®. Other ESMs (such as eTrust CA-ACF2 and eTrust CA-Top Secret) have similar facilities for PassTickets. For details, see the documentation for those products.
To activate PassTicket processing using RACF, perform the following steps. You must perform these steps on each logical partition (LPAR) on which you will be running a CICS® Configuration Manager server or client.
SETROPTS CLASSACT(PTKTDATA)
SETROPTS RACLIST(PTKTDATA)
The resource class PTKTDATA holds the encryption key used to create and validate PassTickets.
TSO RDEFINE PTKTDATA applid SSIGNON(KEYMASKED(password-key)) APPLDATA('NO REPLAY PROTECTION')
where:
SETROPTS RACLIST(PTKTDATA) REFRESH
(You must refresh the class after you define or change the profile.)
No replay protection?
Specifying "no replay protection" can improve CICS Configuration Manager performance, because it allows the CICS Configuration Manager client to reuse the same PassTicket for successive API calls.
If replay protection is on (the default), RACF does not allow PassTickets to be reused, so the client must create a new PassTicket for each API call. The algorithm for generating PassTickets uses the current time to the nearest second. To ensure a unique PassTicket, the client may need to wait for one second between API calls. Specifying "no replay protection" solves this performance issue.
With or without replay protection, PassTickets expire after approximately 10 minutes.
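The replay-protection trade-off described above, modelled as an added example (not IBM's code and not the RACF PassTicket algorithm): HMAC-SHA256 stands in for the real generator, and the key, user ID and applid values are constructed. It shows why a client must wait for the next second when replay protection is on, and that with it off the same ticket stays accepted until the roughly 10-minute window closes.

```python
import hashlib
import hmac

VALIDITY_SECONDS = 600  # "approximately 10 minutes", per the text above


def make_ticket(key: bytes, userid: str, applid: str, now: int) -> str:
    """Toy ticket: HMAC-SHA256 over user ID, applid and the time in whole
    seconds. A stand-in, NOT the RACF PassTicket algorithm."""
    msg = f"{userid}|{applid}|{now}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Validator:
    """Models the validating side for one application profile."""

    def __init__(self, key: bytes, applid: str, replay_protection: bool = True):
        self.key = key
        self.applid = applid
        self.replay_protection = replay_protection
        self.seen = {}  # (userid, ticket) -> second the ticket was made for

    def validate(self, userid: str, ticket: str, now: int) -> bool:
        # Drop cache entries whose tickets have expired anyway.
        self.seen = {k: t for k, t in self.seen.items()
                     if now - t <= VALIDITY_SECONDS}
        # Try every second inside the validity window.
        for t in range(now, now - VALIDITY_SECONDS - 1, -1):
            expected = make_ticket(self.key, userid, self.applid, t)
            if hmac.compare_digest(expected, ticket):
                if self.replay_protection:
                    if (userid, ticket) in self.seen:
                        return False  # second use of the same ticket
                    self.seen[(userid, ticket)] = t
                return True
        return False  # wrong key, user ID or applid, or ticket expired


def demo() -> dict:
    # All values below are constructed sample data.
    key, user, appl, t0 = b"constructed-demo-key", "USER1", "CCVAPPL", 1_700_000_000
    strict = Validator(key, appl, replay_protection=True)
    relaxed = Validator(key, appl, replay_protection=False)
    ticket = make_ticket(key, user, appl, t0)  # two calls in one second share it
    return {
        "strict_first_call": strict.validate(user, ticket, t0),
        "strict_same_second": strict.validate(user, ticket, t0),
        "strict_after_1s": strict.validate(user, make_ticket(key, user, appl, t0 + 1), t0 + 1),
        "relaxed_reuse_5min": relaxed.validate(user, ticket, t0 + 300),
        "relaxed_after_window": relaxed.validate(user, ticket, t0 + 601),
    }
```

In this model, turning replay protection off means anyone who obtains a ticket can present it again for the rest of the validity window, which is the cost of the performance gain.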