Enable CICS to validate incoming PassTickets

The procedure for enabling CICS® to validate incoming PassTickets depends on which ESM your environment uses. The procedure presented here is for RACF®. Other ESMs (such as eTrust CA-ACF2 and eTrust CA-Top Secret) have similar facilities for PassTickets. For details, see the documentation for those products.

To enable CICS to validate incoming PassTickets using RACF:

  1. Activate the RACF general resource class PTKTDATA:
    SETROPTS CLASSACT(PTKTDATA)
    SETROPTS RACLIST(PTKTDATA)

    The resource class PTKTDATA holds the encryption key used to create and validate PassTickets.

  2. Define a profile for CICS Configuration Manager:
    TSO RDEFINE PTKTDATA applid SSIGNON(KEYMASKED(password-key))
                         APPLDATA('NO REPLAY PROTECTION')
    where:
    applid
        Application ID of the CICS region that will run the CICS Configuration Manager server. For example, CCVROCKS.
    password-key
        16-character secured signon application key. For example, 0123456789abcdef.
    Note: After you define or change the profile, you need to refresh the class:
    SETROPTS RACLIST(PTKTDATA) REFRESH

    No replay protection?

    Specifying "no replay protection" can improve CICS Configuration Manager performance, because it allows the CICS Configuration Manager client to reuse the same PassTicket for successive API calls.

    If replay protection is on (the default), RACF does not allow PassTickets to be reused, so the client must create a new PassTicket for each API call. The algorithm for generating PassTickets uses the current time to the nearest second. To ensure a unique PassTicket, the client may need to wait for one second between API calls. Specifying "no replay protection" solves this performance issue.

    With or without replay protection, PassTickets expire after approximately 10 minutes.
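The following batch job collects the RACF commands from steps 1 and 2 above into a single unit of work and adds a listing command so you can confirm the result. It is an added example, not part of the CICS Configuration Manager documentation: the job card, the IKJEFT01 batch TSO invocation and the closing RLIST are assumptions about how a security administrator would run these commands, while CCVROCKS and 0123456789ABCDEF are the page's own placeholder values (shown in upper case because TSO folds command input to upper case).

```jcl
//PTKTDEF  JOB (ACCT),'CICS CM PASSTICKET',CLASS=A,MSGCLASS=X,
//         NOTIFY=&SYSUID
//*
//* Added example, not from the CICS Configuration Manager documentation:
//* runs the RACF commands from the procedure above as a batch TSO job
//* under IKJEFT01. The job card is an assumption for your installation.
//*
//* CCVROCKS and 0123456789ABCDEF are the placeholder values used on the
//* page; replace them with the APPLID of your CICS region and a key
//* generated for your installation before submitting.
//*
//TSOBATCH EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  SETROPTS CLASSACT(PTKTDATA)
  SETROPTS RACLIST(PTKTDATA)
  RDEFINE  PTKTDATA CCVROCKS                                        +
           SSIGNON(KEYMASKED(0123456789ABCDEF))                     +
           APPLDATA('NO REPLAY PROTECTION')
  SETROPTS RACLIST(PTKTDATA) REFRESH
  RLIST    PTKTDATA CCVROCKS ALL
/*
```

The trailing `+` characters continue the RDEFINE command across lines in SYSTSIN. The final RLIST is a verification step added here: it shows the profile, its APPLDATA value and that a masked secured signon key is present (the key value itself is not displayed), so you can confirm the REFRESH picked up the definition before starting the CICS Configuration Manager server. Because 'NO REPLAY PROTECTION' lets a PassTicket be presented more than once until it expires (approximately 10 minutes, as stated above), weigh the performance gain against that wider reuse window when deciding whether to specify it.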