CA IDMS 18.5 for z/OS now supports the use of PassTickets. PTF RO67787 containing this new functionality has been published.
Note: For detailed information about PassTickets, see the CA IDMS Security Administration Guide (the relevant changes are listed in the Documentation Changes section):
Overview of the PassTicket Functionality
Using PassTickets requires the use of an external security system such as CA Top Secret, CA ACF2 or IBM RACF.
A PassTicket can be described as a temporary substitute for a password, which means that PassTickets are:
- Single-use—You can only log on once using a PassTicket. Any further attempts to log on using the same PassTicket are rejected unless multiple-use is allowed in the external security system.
- Time-limited—The PassTicket must be used within 10 minutes, after this time it becomes invalid and logging on using this PassTicket is no longer possible.
PassTickets are generated by an authorized program (not CA IDMS) explicitly for a particular user and application. A PassTicket consists of the following elements:
- User ID
Application name (Applid)
The Applid is a unique identifier to the IDMS CV system. The Applid is composed of the first VTAM line defined to the system. If no VTAM lines exist, the system node name (SYSTEM ID) of the CA IDMS CV is used instead.
- Session key
- Date and time information
PassTickets are typically used in situations where it is desired to avoid sending a multi-use password without any time limitation across a computer network in clear text.
PassTicket Processing in CA IDMS
In a typical situation, PassTicket processing proceeds as follows:
- A user receives a PassTicket and enters a user name and PassTicket to log on.
- CA IDMS Central Security invokes IBM’s System Authorization Facility (SAF) and provides log on information to the appropriate external security manager (e.g. CA ACF2, CA Top Secret, IBM RACF).
- The external security system processes the sign on attempt and checks the password/PassTicket.