

Example: Configure PassTickets for CA CSM Application Server

You can use IBM RACF to configure PassTickets on the system where the CA CSM application server is executing.

Follow these steps:

  1. Activate the PassTicket class:
    SETROPTS CLASSACT(PTKTDATA) 
    SETROPTS RACLIST(PTKTDATA) 
    SETROPTS GENERIC(PTKTDATA)
    
  2. Define a profile for the application and specify the session key:
    RDEFINE PTKTDATA MSMCAPPL SSIGNON(KEYMASKED(0123456789ABCDEF)) UACC(NONE)
    
    MSMCAPPL

    Defines the session key for the SCS address space ID used during CA CSM Configuration processing. If this name was overridden when CA CSM was installed, use the actual application name instead.

    Note: This example demonstrates a complete session key value of 16 hex digits (creating an 8-byte or 64-bit key). Change your key so that it consists of 16 random hex digits, and is different from the values in this example. Each application key must be the same on all systems in the configuration, and the values must be kept secret and secured.

  3. Define a profile and permit access to the MSMCAPPL PassTicket session key value for the Started Task user ID so that it can access the SCS address space:
    RDEFINE PTKTDATA IRRPTAUTH.MSMCAPPL.stc-userid UACC(NONE) 
    
    stc-userid

    Specifies the user ID associated with the CA CSM application server started task. This user ID only needs the ability to generate a PassTicket for itself.

  4. Permit access to the MSMCAPPL PassTicket session key value for the CA CSM application server:
    PERMIT IRRPTAUTH.MSMCAPPL.stc-userid CLASS(PTKTDATA) ID(stc-userid) ACCESS(READ,UPDATE)
    
  5. Refresh the PTKTDATA class:
    SETROPTS RACLIST(PTKTDATA) REFRESH
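
The five steps above as a command generator, added here as an illustration and not part of the CA CSM or IBM documentation: it draws the 16-hex-digit key from the operating system's random source, rejects the sample key from step 2, and builds the same command sequence so that one key can be reused on every system in the configuration. The user ID CSMSTC, the function names, the name-format check and the distinct-digit heuristic are assumptions.

```python
import re
import secrets

DOC_EXAMPLE_KEY = "0123456789ABCDEF"        # sample key printed in step 2; never deploy it
NAME_RE = re.compile(r"[A-Z0-9#$@]{1,8}")   # assumption: conservative 1-8 character name check


def is_acceptable_key(key: str) -> bool:
    """True for 16 uppercase hex digits that are not the sample or a trivial pattern."""
    if not re.fullmatch(r"[0-9A-F]{16}", key):
        return False
    # Assumed heuristic: fewer than 4 distinct digits suggests a hand-typed key.
    return key != DOC_EXAMPLE_KEY and len(set(key)) >= 4


def new_session_key() -> str:
    """Generate an 8-byte (64-bit) key as 16 hex digits from the OS CSPRNG."""
    while True:
        key = secrets.token_hex(8).upper()
        if is_acceptable_key(key):
            return key


def passticket_commands(appl: str, stc_userid: str, key: str) -> list[str]:
    """Build the step 1-5 command sequence for one system."""
    appl, stc_userid, key = appl.upper(), stc_userid.upper(), key.upper()
    for label, value in (("application name", appl), ("started task user ID", stc_userid)):
        if not NAME_RE.fullmatch(value):
            raise ValueError(f"invalid {label}: {value!r}")
    if not is_acceptable_key(key):
        raise ValueError("session key must be 16 random hex digits, not the documented sample")
    auth_profile = f"IRRPTAUTH.{appl}.{stc_userid}"
    return [
        "SETROPTS CLASSACT(PTKTDATA)",
        "SETROPTS RACLIST(PTKTDATA)",
        "SETROPTS GENERIC(PTKTDATA)",
        f"RDEFINE PTKTDATA {appl} SSIGNON(KEYMASKED({key})) UACC(NONE)",
        f"RDEFINE PTKTDATA {auth_profile} UACC(NONE)",
        f"PERMIT {auth_profile} CLASS(PTKTDATA) ID({stc_userid}) ACCESS(READ,UPDATE)",
        "SETROPTS RACLIST(PTKTDATA) REFRESH",
    ]


if __name__ == "__main__":
    # CSMSTC is a constructed user ID. The output contains the key: treat it as a secret.
    for line in passticket_commands("MSMCAPPL", "CSMSTC", new_session_key()):
        print(line)
```

Generate the key once and pass the same value to passticket_commands for each system, because the generated commands embed the key in clear text.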