

Sample: Use IBM RACF to Configure PassTickets to Connect to CA CSM from CA Chorus

This sample shows how a security administrator configures PassTickets for connecting to CA CSM from CA Chorus after they have run the ETJI095x security job.

Note: Before you begin this procedure, verify that the PTKTDATA class and ownership for the PassTicket resource (IRRPTAUTH) have been defined.

This procedure requires that you set up security on the CA Chorus server and the CA CSM server. The following procedure highlights where you are working and when your focus shifts to a new server. Note the following definitions that apply to both servers:

applid

Defines the application ID used for PassTicket validation for the CA Chorus Quick Links module. Replace applid with your CA CSM applid. For CA CSM configuration details, see Update the CA CSM Startup Parameters.

Default: CSMAPPLM

KEYMASKED

Defines the encryption key for the application. Use a value that is different from the value in the sample syntax.

Note: The sample syntax demonstrates a complete key value of 16 hexadecimal digits (creating an 8-byte or 64-bit key). Each application key must be the same on all systems in the configuration and the values must be kept secret and secured.

APPLDATA('NO REPLAY PROTECTION')

Lets you use the same PassTicket multiple times.

CA Chorus Server Side Steps

When you ran the ETJI095x job, you configured PassTickets for this server.

(Optional) CA CSM Server Side Steps

Important! If CA Chorus and CA CSM are not on the same machine, complete this procedure.

  1. Define the CA CSM connection application session key:
    SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)
    RDEFINE PTKTDATA applid SSIGNON(KEYMASKED(FEDCBA9876543210)) APPLDATA('NO REPLAY PROTECTION')
    
  2. Permit the CA CSM started task user ID to generate and evaluate PassTickets on behalf of CA CSM users:
    SETROPTS GENERIC(PTKTDATA)
    RDEFINE PTKTDATA IRRPTAUTH.applid.* UACC(NONE)
    PERMIT IRRPTAUTH.applid.* CLASS(PTKTDATA) ID(csm_stc_userid) ACCESS(UPDATE)
    
    csm_stc_userid

    Specifies the CA CSM application server started task user ID. This ID must be able to generate PassTickets for any user.

    Default: MSMSERV

  3. Allow individual users to access CA CSM:
    RDEFINE APPL applid UACC(NONE)
    PERMIT applid CLASS(APPL) ID(csm_stc_userid) ACCESS(READ)
    SETROPTS CLASSACT(APPL)
    
  4. Refresh the PTKTDATA class and activate the APPL class:
    SETROPTS RACLIST(PTKTDATA) REFRESH
    SETROPTS CLASSACT(APPL)
    

    PassTickets are configured on the CA CSM server side.

    To complete PassTicket setup, go to Update the CA CSM Startup Parameters.
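
The following Python script is an added example, not part of the CA documentation. It checks a candidate KEYMASKED value against the note in the definitions above (exactly 16 hexadecimal digits, not the sample value) and fills in the step 1 commands. The function names, the pattern heuristics, and the applid name rule are assumptions of this example; CSMAPPLM is the default applid from this page.

```python
import re
import secrets

SAMPLE_KEY = "FEDCBA9876543210"  # value printed in the sample syntax


def new_key() -> str:
    """Generate a random 8-byte key as 16 uppercase hexadecimal digits."""
    return secrets.token_hex(8).upper()


def check_key(key: str) -> list[str]:
    """Return reasons to reject a KEYMASKED value; an empty list means it passed."""
    if not re.fullmatch(r"[0-9A-Fa-f]{16}", key):
        return ["key must be exactly 16 hexadecimal digits"]
    k, problems = key.upper(), []
    if k == SAMPLE_KEY:
        problems.append("key is the documented sample value")
    # Heuristics chosen for this example (not RACF rules): obvious patterns.
    if any(k == k[:n] * (16 // n) for n in (1, 2, 4, 8)):
        problems.append("key repeats a short pattern")
    steps = {(int(b, 16) - int(a, 16)) % 16 for a, b in zip(k, k[1:])}
    if len(steps) == 1:
        problems.append("key is a constant-step sequence")
    return problems


def render_key_definition(applid: str, key: str) -> list[str]:
    """Return the step 1 commands with applid and key filled in.

    The result contains the secret key: keep it out of logs and shared datasets.
    """
    # Assumed name rule for this example: 1-8 characters, first one non-numeric.
    if not re.fullmatch(r"[A-Z@#$][A-Z0-9@#$]{0,7}", applid):
        raise ValueError("applid must be 1-8 characters (A-Z, 0-9, @, #, $)")
    problems = check_key(key)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        "SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)",
        f"RDEFINE PTKTDATA {applid} SSIGNON(KEYMASKED({key.upper()})) "
        "APPLDATA('NO REPLAY PROTECTION')",
    ]


if __name__ == "__main__":
    # Shows why the sample key from this page is rejected.
    print(check_key(SAMPLE_KEY))
```

Run the same check on every system that defines the profile, because each application key must be the same on all systems in the configuration.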