Previous Topic: Sample: Use CA ACF2 to Configure PassTickets for Connecting to CA CSM from CA ChorusNext Topic: Sample: Use IBM RACF to Configure PassTickets to Connect to CA CSM from CA Chorus

How to Configure CA CSM PassTickets for CA ChorusSample: Use CA Top Secret to Configure PassTickets to Connect to CA CSM from CA Chorus

Sample: Use CA Top Secret to Configure PassTickets to Connect to CA CSM from CA Chorus

This sample shows how a security administrator configures PassTickets for connecting to CA CSM from CA Chorus after they have run the ETJI095x security job.

Note: This procedure assumes that the PTKTDATA class and IRRPTAUTH resource ownership have been defined.

This procedure requires that you set up security on the CA Chorus server and the CA CSM server. The following procedure highlights where you are working and when your focus shifts to a new server. Note the following definitions that apply to both servers:

applid

Defines the application ID used for PassTicket validation for the CA Chorus Quick Links module. Replace applid with your CA CSM applid. For CA CSM configuration details, see Update the CA CSM Startup Parameters.

Default: CSMAPPLM

department

Identifies a preexisting department. The application is defined to this department. This ownership lets a department administrator (or higher) define permissions for PassTicket generation and validation.

SESSKEY

Defines an encryption key for the application in the format of 16 random hexadecimal digits that are different from the values shown in the example.

Note: This example demonstrates a complete key SESSKEY value of 16 hexadecimal digits (creating an 8-byte or 64-bit key). Each application key must be the same on all systems in the configuration and the values must be kept secret and secured.

SIGNMULTI

Permits reuse of the same PassTicket multiple times.

CA Chorus Server Side Steps

When you ran the ETJI095x job, you configured passtickets for this server.

(Optional) CA CSM Server Side Steps

Important! If CA Chorus and CA CSM are not on the same machine, complete this procedure.

  1. Define the CA CSM connection application session key: 
    TSS ADDTO(NDT) PSTKAPPL(applid) SESSKEY(0123456789ABCDEF) SIGNMULTI
  2. Permit the CA CSM started task user ID to generate and evaluate PassTickets on behalf of CA CSM users: 
    TSS PERMIT(csm_stc_userid) PTKTDATA(IRRPTAUTH.applid.) ACCESS(READ,UPDATE)
    csm_stc_userid

    Specifies the CA CSM application server started task user ID. This ID must be able to generate PassTickets for any user.

  3. Add the applid to the applicable department: 
    TSS ADDTO(department) APPLICATION(applid)
  4. Allow individual users to access CA CSM: 
    TSS PERMIT(csm_stc_userid) APPL(applid)

    PassTickets are configured on the CA CSM server side.

    To complete PassTicket setup, go to Update the CA CSM Startup Parameters.