This example shows how to use IBM RACF to configure PassTickets for connecting to DB2 or CA Datacom/AD to read information from the CIA and CA Compliance Manager databases. An experienced security administrator must perform this procedure.
Note: Before you begin this procedure, verify that the PTKTDATA class and ownership for the PassTicket resource (IRRPTAUTH) have not been defined.
Follow these steps:
Activate the PTKTDATA class, RACLIST it, and enable generic profiles:
    SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)
    SETROPTS GENERIC(PTKTDATA)
Define the PassTicket profile for the application:
    RDEFINE PTKTDATA applid SSIGNON(KEYMASKED(FEDCBA9876543210)) APPLDATA('NO REPLAY PROTECTION')
applid
    Defines the application ID used for PassTicket validation to authenticate connections to the server.
    If GENERICLU is not defined, replace applid with the second part of the LUNAME.
    If GENERICLU is defined, use the second part of GENERICLU.
    If neither LUNAME nor GENERICLU is defined, use the value of IPNAME.
    Sample output from the -DISPLAY DDF command follows:
        LOCATION    LUNAME         GENERICLU
        DA0GPTIB    example.text1  example.text2
        TCPPORT=5122 SECPORT=5193 RESPORT=5124 IPNAME=-NONE
    In the sample output, text1 and text2 represent the LUNAME and GENERICLU name, respectively.
    Note: When issuing a DB2 command from the z/OS console, replace the hyphen (-) with the specific command prefix for the DB2 region.
KEYMASKED
    Defines an encryption key for the application. Use values that differ from the values in the sample syntax.
    Note: The sample syntax shows a complete key value of 16 hexadecimal digits (an 8-byte, 64-bit key). Each application key must be the same on all systems in the configuration, and the values must be kept secret.
APPLDATA('NO REPLAY PROTECTION')
    Lets the same PassTicket be used multiple times. Without this value, RACF rejects a PassTicket that is presented a second time.
The CA Chorus session keys are now defined.
Note: This example shows a complete SESSKEY value of 16 hexadecimal digits (an 8-byte, 64-bit key). Keys consist of 16 random hexadecimal digits. Each application key must be the same on all systems in the configuration, and the values must be kept secret. Select values that differ from the ones shown in the examples.
Define the IRRPTAUTH resource that controls PassTicket generation, and permit the started task user ID to generate PassTickets:
    RDEFINE PTKTDATA IRRPTAUTH.applid.* UACC(NONE)
    PERMIT IRRPTAUTH.applid.* ID(stc-userid) ACCESS(UPDATE) CLASS(PTKTDATA)
stc-userid
    Specifies the started task user ID created in ETJI095R in your_chorus_hlq.CETJJCL. This ID must be able to generate PassTickets for any user. The default is CHORADM.
To limit PassTicket generation to the members of a group, define the group, connect the users to it, and define the group-specific resource:
    ADDGROUP ETJDB2GR
    CONNECT CHORUSR1 GROUP(ETJDB2GR)
    CONNECT CHORUSR2 GROUP(ETJDB2GR)
    ...
    CONNECT CHORUSRn GROUP(ETJDB2GR)
    RDEFINE PTKTDATA IRRPTAUTH.applid.ETJDB2GR OWNER(installer-userid) UACC(NONE)
    PERMIT IRRPTAUTH.applid.ETJDB2GR ID(stc-userid) AC(UPDATE) CLASS(PTKTDATA)
In this example:
    ETJDB2GR defines the group for the CA Chorus Security and Compliance Discipline users.
    CHORUSRx defines the specific users connected to the group.
    The RDEFINE command defines the resource that enables PassTicket generation for the group members.
    The PERMIT command enables the CA Chorus Application Server user to generate PassTickets to the application for the group members.
Refresh the PTKTDATA class so that the new profiles take effect:
    SETROPTS RACLIST(PTKTDATA) REFRESH
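As an added example that is not part of the CA documentation, the following Python applies the applid rules above to -DISPLAY DDF output, checks the KEYMASKED value against the documented sample, and renders the command sequence of this procedure. The embedded DDF_OUTPUT is constructed to mirror the sample above, and the started task user ID is an assumption supplied by the caller.

```python
import re

# Placeholder key from the sample RDEFINE syntax; it must never be used as a real key.
SAMPLE_KEY = "FEDCBA9876543210"

# Constructed -DISPLAY DDF output mirroring the documented sample (not captured output).
DDF_OUTPUT = """LOCATION LUNAME GENERICLU
DA0GPTIB example.text1 example.text2
TCPPORT=5122 SECPORT=5193 RESPORT=5124 IPNAME=-NONE"""

def parse_ddf(output):
    """Return LOCATION, LUNAME, GENERICLU and IPNAME; '-NONE' means not defined."""
    lines = [ln.split() for ln in output.strip().splitlines()]
    fields = dict(zip(lines[0], lines[1]))
    m = re.search(r"IPNAME=(\S+)", output)
    fields["IPNAME"] = m.group(1) if m else "-NONE"
    return {k: (None if v == "-NONE" else v) for k, v in fields.items()}

def derive_applid(output):
    """Second part of GENERICLU if defined, else second part of LUNAME, else IPNAME."""
    f = parse_ddf(output)
    for name in ("GENERICLU", "LUNAME"):
        if f.get(name):
            return f[name].split(".")[-1]
    if f["IPNAME"]:
        return f["IPNAME"]
    raise ValueError("DDF output defines no LUNAME, GENERICLU or IPNAME")

def validate_key(key):
    """KEYMASKED must be 16 hex digits (a 64-bit key) and not the documented sample."""
    return bool(re.fullmatch(r"[0-9A-Fa-f]{16}", key)) and key.upper() != SAMPLE_KEY

def build_commands(applid, key, stc_userid, allow_replay=True):
    """RACF commands for the procedure. allow_replay=False omits APPLDATA, so RACF
    keeps rejecting a PassTicket that is presented a second time."""
    if not validate_key(key):
        raise ValueError("weak or malformed KEYMASKED value")
    appldata = " APPLDATA('NO REPLAY PROTECTION')" if allow_replay else ""
    return [
        "SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)",
        "SETROPTS GENERIC(PTKTDATA)",
        f"RDEFINE PTKTDATA {applid} SSIGNON(KEYMASKED({key})){appldata}",
        f"RDEFINE PTKTDATA IRRPTAUTH.{applid}.* UACC(NONE)",
        f"PERMIT IRRPTAUTH.{applid}.* ID({stc_userid}) ACCESS(UPDATE) CLASS(PTKTDATA)",
        "SETROPTS RACLIST(PTKTDATA) REFRESH",
    ]
```

Run derive_applid on your own -DISPLAY DDF output and pass the result, a freshly generated key and the started task user ID (CHORADM by default) to build_commands; the applid a PassTicket is generated for must match the profile name byte for byte.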
Copyright © 2014 CA Technologies.
All rights reserved.