Both authorized and unauthorized applications can invoke the PassTicket subfunction of the R_ticketserv or R_GenSec callable service to generate or evaluate a PassTicket.
Use of the R_ticketserv or R_GenSec callable service is authorized by resources in the PTKTDATA class. These resources are based on the application ID and target userid in the PassTicket function.
The following table describes the access required.
| Operation | Resource Name | Access Required |
| --- | --- | --- |
| Generate PassTicket | IRRPTAUTH.application.target-userid | UPDATE |
| Evaluate PassTicket | IRRPTAUTH.application.target-userid | READ |
If the PTKTDATA class is not active or the resource rules are not defined, any PassTicket request made through the callable services fails.
All callers regardless of the PSW key or state must pass the authorization check.
To establish authority:
TSS ADD(RDT) RESCLASS(PTKTDATA) ACLST(ALL,READ,UPDATE) MAXLEN(37)
The PTKTDATA resource is added to the RDT.
TSS ADD(tssdept) PTKTDATA(IRRPTAUT)
IRRPTAUT is owned.
TSS PER(tsscomp1) PTKTDATA(IRRPTAUTH.aaaaaaaa.uuuuuuuu) ACCESS(READ,UPDATE)
aaaaaaaa: Specifies the application.
uuuuuuuu: Specifies the user.
A permit is added to the component.
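The following Python sketch is an added example, not CA or IBM code. It audits a list of permits written in the syntax shown above and reports which ACIDs hold UPDATE, that is, which can generate a PassTicket for a given application and userid. The ACIDs, application name and userids in the sample are constructed, and the model assumes each access level counts only when it is listed explicitly in ACCESS(...).

```python
import re

# Access level the table above requires for each PassTicket operation.
REQUIRED = {"generate": "UPDATE", "evaluate": "READ"}

# Permit syntax as shown on the page:
#   TSS PER(acid) PTKTDATA(IRRPTAUTH.application.userid) ACCESS(level[,level])
PERMIT_RE = re.compile(
    r"TSS\s+PER(?:MIT)?\((?P<acid>[^)]+)\)\s+"
    r"PTKTDATA\(IRRPTAUTH\.(?P<app>[^.)]+)\.(?P<user>[^.)]+)\)\s+"
    r"ACCESS\((?P<access>[^)]*)\)",
    re.IGNORECASE)

def parse_permits(text):
    """Return {(acid, app, user): set of access levels} from command text."""
    permits = {}
    for m in PERMIT_RE.finditer(text):
        key = (m["acid"], m["app"].upper(), m["user"].upper())
        levels = {a.strip().upper() for a in m["access"].split(",") if a.strip()}
        permits.setdefault(key, set()).update(levels)
    return permits

def allowed(permits, acid, operation, app, user, class_active=True):
    """Fail closed: an inactive class or a missing rule denies the request."""
    # Assumption: levels are matched literally; no implied access is modeled.
    if not class_active:
        return False
    levels = permits.get((acid, app.upper(), user.upper()))
    return levels is not None and REQUIRED[operation] in levels

def generators(permits):
    """ACIDs able to generate a PassTicket (a password substitute) per app/user."""
    return sorted(key for key, levels in permits.items()
                  if REQUIRED["generate"] in levels)

# Constructed sample permits (ACIDs, application and userid are made up).
SAMPLE = """
TSS PER(WEBGATE) PTKTDATA(IRRPTAUTH.CICSPROD.USER01) ACCESS(UPDATE)
TSS PER(CICSREG) PTKTDATA(IRRPTAUTH.CICSPROD.USER01) ACCESS(READ)
TSS PER(BATCH01) PTKTDATA(IRRPTAUTH.CICSPROD.USER01) ACCESS(READ,UPDATE)
"""

if __name__ == "__main__":
    for acid, app, user in generators(parse_permits(SAMPLE)):
        print(f"{acid} can generate PassTickets for {user} on {app}")
```

Entries that hold both READ and UPDATE, as in the sample permit above, are worth reviewing to confirm the component really needs to generate as well as evaluate.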
The RACF command to establish a profile is:
RDEFINE PTKTDATA profile-name SSIGNON(KEYMASKED(blah)) UACC(NONE)
The CA Top Secret equivalent of this command is:
TSS ADD(NDT) PSTKAPPL(applid) SESSKEY(xxxx) SIGNMULTI
Copyright © 2014 CA Technologies. All rights reserved.