r_ticketserv failure for DB2 V11 Admin Server With Top Secret

Article ID: 15862


Products

Top Secret, Top Secret - LDAP

Issue/Introduction

When implementing the DB2 V11 Admin Server, the following PassTicket error occurs when a DBA attempts to schedule a task through the Admin Server. The violation report shows:

07/05/17 13:30:02 D01 DB2ACID DB1DADMT STC FAIL
RESOURCE TYPE & NAME : USSLOG R_TICKETSERV

DB2 documentation indicates that in DB2 V10, an internal passticket requirement was created.

How do you accomplish this in Top Secret?
Can the admin server be made to work without setting up a passticket?

Environment

Release:
Component: TSSMVS

Resolution

The cause of the r_ticketserv RC 8 8 24 is in the definition of the PSTKAPPL or the SESSKEY.

There are no failures on the z/OS side of things. The IRRPTAUTH security check, which determines whether the user is authorized to use PassTickets, received RC 0, so the user is authorized to use PassTickets.

Example:
TSS ADDTO(NDT) PSTKAPPL(application)
SESSKEY(abcdef12)

PSTKAPPL Keyword—Define an Application ID

Use the PSTKAPPL keyword to define the application ID. Depending on the application, the secured signon function uses a specific method to determine the application ID:
• For CICS, IMS, or APPC applications, the application ID is defined using the standard naming conventions you use to define these applications in a VTAM APPL statement.
• For TSO, the application ID is defined by prefixing the SMF identifier of the system with the characters TSO. For example, TSOXE05 is the application ID for TSO on machine XE05. The SMF system ID can be found in the SMFPRMxx member of SYS1.PARMLIB.
• For z/OS batch jobs that include TSS passwords in the JCL, you can replace the password with a PassTicket. The application ID for batch jobs is defined by prefixing the SMF identifier of the system with the characters MVS. For example, MVSXE05 is the application ID for all batch jobs on machine XE05.


SESSKEY Keyword—Define or Display Session Keys

A hexadecimal “password” that is unique to each application assigned as a PassTicket. A SESSKEY is required for each PassTicket. This is user defined.

Range: 1 to 16 bytes

The application generating the PassTicket must therefore use the same SESSKEY that you specified in the NDT.

If either of these values is incorrect, the r_ticketserv call will fail.

It is the responsibility of the application to document the application name that will be used for the PSTKAPPL.

To recap: verify that the SESSKEY and the PSTKAPPL both carry the correct values. The SESSKEY is user defined, and the application must be configured with the same key you specified in the NDT. The PSTKAPPL must be the application name under which the PassTicket is generated, which should be documented in the DB2 application manuals.


IBM gave the following RACF commands to define PassTickets to RACF:

RDEFINE PTKTDATA IRRPTAUTH.!DSNADMT!.* UACC(NONE)
RDEFINE PTKTDATA !DSNADMT! +
  SSIGNON(KEYMASKED(CACD4AD6D79ECA71)) +
  UACC(NONE) APPLDATA('NO REPLAY PROTECTION')
PERMIT IRRPTAUTH.!DSNADMT!.* CL(PTKTDATA) +
  ID(!STARTUID!) ACCESS(UPDATE)
PERMIT !DSNADMT! CL(PTKTDATA) +
  ID(!STARTUID!) ACCESS(UPDATE)
SETROPTS RACLIST (PTKTDATA) REFRESH
SETROPTS RACLIST (FACILITY) REFRESH
SETROPTS REFRESH GENERIC(*) RACLIST(PTKTDATA)
//*

Based on the above example, 'DSNADMT' is the application name we need:

TSS ADDTO(NDT) PSTKAPPL(DSNADMT)
SESSKEY(abcdef12) SIGNMULTI

The following line in the RACF commands defines the encryption key, which is user defined:

SSIGNON(KEYMASKED(CACD4AD6D79ECA71))

Make sure you supply your own user-defined encryption key as the SESSKEY in the following command:

TSS ADDTO(NDT) PSTKAPPL(DSNADMT)
SESSKEY(your_encryption_key) SIGNMULTI

Make sure the application uses the same encryption key when generating the PassTicket; otherwise PassTicket validation will fail.

The following PERMITs are also needed:

TSS PER(DB2ACID) PTKTDATA(IRRPTAUTH) ACCESS(UPDATE)
TSS PER(DB2ACID) IBMFAC(IRR.RTICKETSERV) ACCESS(UPDATE)
TSS PER(DB2ACID) IBMFAC(BPX.SERVER) ACCESS(UPDATE)
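As an added example that is not part of this article or of the Top Secret or DB2 products: a small Python script that pulls the application name and KEYMASKED key out of the IBM-supplied RACF commands, emits the matching TSS NDT entry and PERMITs listed above, and checks an NDT SESSKEY against the key the application holds (the mismatch behind the RC 8 8 24). The sample RACF text and the ACID DB2ACID are taken from the article; the SESSKEY length check follows the documented range of 1 to 16 bytes.

```python
import re

# Constructed sample modelled on the RACF commands quoted in the article.
# !DSNADMT! and !STARTUID! are IBM's substitution placeholders.
RACF_CMDS = """\
RDEFINE PTKTDATA IRRPTAUTH.!DSNADMT!.* UACC(NONE)
RDEFINE PTKTDATA !DSNADMT! +
  SSIGNON(KEYMASKED(CACD4AD6D79ECA71)) +
  UACC(NONE) APPLDATA('NO REPLAY PROTECTION')
PERMIT IRRPTAUTH.!DSNADMT!.* CL(PTKTDATA) +
  ID(!STARTUID!) ACCESS(UPDATE)
"""

def join_continuations(text):
    """Join RACF command lines ending in '+' into one logical command each."""
    cmds, buf = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("+"):
            buf += line[:-1].rstrip() + " "
        else:
            cmds.append(buf + line)
            buf = ""
    return cmds

def extract_passticket_apps(text):
    """Map application name -> KEYMASKED hex key from RDEFINE PTKTDATA commands.
    The IRRPTAUTH.* authorisation profiles carry no key and are skipped."""
    apps = {}
    for cmd in join_continuations(text):
        m = re.match(r"RDEFINE\s+PTKTDATA\s+(\S+)\s.*KEYMASKED\(([0-9A-F]+)\)", cmd, re.I)
        if m:
            apps[m.group(1).strip("!")] = m.group(2).upper()
    return apps

def tss_commands(appl, sesskey, acid):
    """Emit the Top Secret NDT entry and PERMITs the article lists.
    SESSKEY is validated against the documented range: 1..16 bytes of hex."""
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2}){1,16}", sesskey):
        raise ValueError(f"SESSKEY {sesskey!r} is not 1..16 bytes of hex")
    return [
        f"TSS ADDTO(NDT) PSTKAPPL({appl}) SESSKEY({sesskey}) SIGNMULTI",
        f"TSS PER({acid}) PTKTDATA(IRRPTAUTH) ACCESS(UPDATE)",
        f"TSS PER({acid}) IBMFAC(IRR.RTICKETSERV) ACCESS(UPDATE)",
        f"TSS PER({acid}) IBMFAC(BPX.SERVER) ACCESS(UPDATE)",
    ]

def ndt_matches_application(ndt_sesskey, app_key):
    """The check behind the RC 8 8 24: the NDT SESSKEY must equal the key the
    application generates PassTickets with (hex digits compared case-insensitively)."""
    return ndt_sesskey.upper() == app_key.upper()
```

Running `tss_commands` over the output of `extract_passticket_apps(RACF_CMDS)` with the ACID DB2ACID produces the four TSS commands from the article with the KEYMASKED value as the SESSKEY.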