

Sample: Use CA ACF2 to Configure PassTickets for Connecting to CA CSM from CA Chorus

This sample shows how a security administrator configures PassTickets for connecting to CA CSM from CA Chorus after they have run the ETJI095x security job.

Note: The commands in this procedure are samples. For detailed information about using these commands, see the CA ACF2 for z/OS Administration Guide.

This procedure requires that you set up security on the CA Chorus server and the CA CSM server. The following procedure highlights where you are working and when your focus shifts to a new server. Note the following definitions that apply to both servers:

applid

Defines the application ID used for PassTicket validation for the CA Chorus Quick Links module. Replace applid with your CA CSM applid. For CA CSM configuration details, see Update the CA CSM Startup Parameters.

Default: CSMAPPLM

MULT-USE

Lets you reuse the same PassTicket multiple times.

SSKEY

Defines the encryption key for the application as 16 random hexadecimal digits. Use a value that is different from the one shown in the example.

Note: This example demonstrates a complete SSKEY value of 16 hexadecimal digits (creating an 8-byte or 64-bit key). Each application key must be the same on all systems in the configuration, and the values must be kept secret and secured.

CA Chorus Server Side Steps

  1. Allow individual users to access CA CSM:
    SET RESOURCE(SAF)
    RECKEY applid ADD(UID(chorus_userid) SERVICE(READ) ALLOW)
    F ACF2,REBUILD(SAF)
    
    chorus_userid

    Users who need to access CA CSM through the Quick Links module.

    PassTickets are configured on the CA Chorus server side.

(Optional) CA CSM Server Side Steps

Note: If you inserted a GSO CLASMAP record to change the type code for the APPL class to APL, use APL instead of SAF for TYPE in the following commands.

Important! If CA Chorus and CA CSM are not on the same machine, steps 1 and 2 are required. Step 3 is required in all situations.

  1. Define the CA CSM connection application session key:
    SET PROFILE(PTKTDATA) DIV(SSIGNON)
    INSERT applid SSKEY(0123456789ABCDEF) MULT-USE
    F ACF2,REBUILD(PTK),CLASS(P)
    
  2. Permit the CA CSM started task user ID to generate and evaluate PassTickets on behalf of CA CSM users:
    SET RESOURCE(PTK)
    RECKEY IRRPTAUTH ADD(applid.- UID(uid-of-csm_stc_userid) SERVICE(UPDATE,READ) ALLOW)
    F ACF2,REBUILD(PTK)
    
    uid-of-csm_stc_userid

    Specifies the CA CSM application server started task user ID. This ID must be able to generate PassTickets for any user.

    Default: MSMSERV

  3. Allow individual users to access CA CSM:
    SET RESOURCE(SAF)
    RECKEY applid ADD(UID(uid-csm_userid) SERVICE(READ) ALLOW)
    F ACF2,REBUILD(SAF)
    

    PassTickets are configured on the CA CSM server side.

    To complete PassTicket setup, go to Update the CA CSM Startup Parameters.
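
The SSKEY guidance in this procedure (16 random hexadecimal digits, different from the sample value) can be checked before a command deck is submitted. The following is an added example, not part of the CA documentation; the function names, the distinct-digit threshold, and the deck entries other than CSMAPPLM and the sample key are assumptions made for illustration.

```python
import re
import secrets

SAMPLE_KEY = "0123456789ABCDEF"  # the value printed in the procedure's sample command
INSERT_RE = re.compile(r"^\s*INSERT\s+(\S+)\s+SSKEY\(([^)]*)\)(.*)$", re.IGNORECASE)

# Constructed command deck for the demonstration; APPL2-APPL4 and their keys are made up.
SAMPLE_DECK = """\
SET PROFILE(PTKTDATA) DIV(SSIGNON)
INSERT CSMAPPLM SSKEY(0123456789ABCDEF) MULT-USE
INSERT APPL2 SSKEY(AAAAAAAAAAAAAAAA)
INSERT APPL3 SSKEY(9F3C71D20B8E46A5)
INSERT APPL4 SSKEY(12345)
F ACF2,REBUILD(PTK),CLASS(P)
"""

def new_sskey():
    """Return 16 hexadecimal digits (8 bytes) drawn from the OS CSPRNG."""
    return secrets.token_hex(8).upper()

def check_sskey(key):
    """Return the problems found in one SSKEY value; an empty list means none."""
    if not re.fullmatch(r"[0-9A-Fa-f]{16}", key):
        return ["SSKEY is not exactly 16 hexadecimal digits"]
    problems = []
    if key.upper() == SAMPLE_KEY:
        problems.append("SSKEY is the documentation sample value")
    if len(set(key.upper())) < 4:  # heuristic threshold chosen for this example
        problems.append("SSKEY has too few distinct digits to be random")
    return problems

def audit_deck(text):
    """Return (line number, applid, finding) tuples; key values are never echoed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = INSERT_RE.match(line)
        if not match:
            continue
        applid, key, rest = match.groups()
        findings += [(lineno, applid, p) for p in check_sskey(key.strip())]
        if "MULT-USE" in rest.upper():
            findings.append((lineno, applid, "MULT-USE set: a PassTicket can be reused"))
    return findings

if __name__ == "__main__":
    for lineno, applid, finding in audit_deck(SAMPLE_DECK):
        print(f"line {lineno}: {applid}: {finding}")
    print("replacement key:", new_sskey())
```

The MULT-USE finding is informational, because this procedure sets the option deliberately; the SSKEY findings are the ones to resolve before the INSERT is run.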