Interfacing with External Security › PassTicket Configuration

PassTicket Configuration

The PassTicket configuration is required for the CA SYSVIEW for CA Insight DPM for DB2 component. This CA SYSVIEW component acquires data from CA Insight Database Performance Monitor for DB2 for z/OS (CA Insight DPM for DB2), by establishing connections to CA Insight DPM for DB2 on behalf of users who are requesting the information. Although this connection is transparent to the user of CA SYSVIEW for CA Insight DPM for DB2, the connection setup to CA Insight DPM for DB2 is analogous to a logon into that product and the user must be authenticated by that product before access is allowed. The authentication mechanism for this interface is a PassTicket.

A PassTicket is a temporary encoded and encrypted substitute for the user password that can be used to access a specific application.

Using PassTickets enables the z/OS components and products to provide the user ID authentication without saving z/OS passwords and sending them through the network. Instead, the users are authenticated once using their real password when they first log in to CA SYSVIEW. The following process occurs when the user selects a function that accesses a z/OS component or product that must also authenticate the user:

• The CA SYSVIEW component calls the z/OS security product to generate a PassTicket for the user verification.
• The PassTicket is sent with the user request to the component.
• The component calls the z/OS security product to authenticate the user using the PassTicket as a password substitute before processing the request.

PassTickets must be generated for CA SYSVIEW for CA Insight DPM for DB2 users to connect to the CA Insight DPM product. The connection is made through the CA DB2 Tools Xnet component. The Xnet component performs the user authentication before forwarding requests to CA Insight DPM.

Sample CA ACF2, CA Top Secret, and IBM RACF commands to generate PassTickets are provided as a guideline.

Note: Some of the sample commands refer to the variable xnet_applid. The PassTickets generated using this configuration can only be used for access to the application that identifies itself as xnet_applid during the user authentication process. The recommended xnet_applid is DB2TOOLS but the name is configurable (any uppercase string of eight characters or less is permitted). If a different value is used for the application ID, update the sample commands to use the same value.