Multiple simultaneous CICS sessions do not start in a TPX / RACF environment, using a PASSTICKET

Article ID: 186845

Products

TPX - Session Management
Vman Session Management for z/OS

Issue/Introduction

A CICS application (CICE, VTAM APPLID) has multiple sessions that must be started at the same time in a PassTicket environment.

Session name    APPLID

CICE            CICE
CICE-ATL        CICE
CICE-GUL        CICE
CICE-MID        CICE

These sessions all point to the same APPLID, CICE, which is in the ACT and defined as a PassTicket application.
Activating them one at a time works. However, when all four are started at once, the first session activates but the remaining three do not activate normally.
Why is the behavior different when all are selected, compared to when they are selected individually?

 

Environment

Release : 5.4
Component : CA-TPX for Z/OS

Resolution

By default, PassTicket replay protection is active in RACF.
RACF does not allow the same PassTicket to be used more than once within a 10-minute time period.

The option to bypass PassTicket replay protection allows the plus-or-minus-10-minute PassTicket
replay protection to be bypassed for selected applications or combinations of selected applications,
users, or groups.

Update the APPLDATA field of the RACF PTKTDATA profile by adding the text string 'NO REPLAY PROTECTION'.

APPLDATA('NO REPLAY PROTECTION')
Allows reuse of the same PassTicket multiple times within the allowed plus or minus 10 minutes.

Sample:
SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)
RDEFINE PTKTDATA applid SSIGNON(KEYMASKED(0123456789ABCDEF)) APPLDATA('NO REPLAY PROTECTION') UACC(NONE)

SETROPTS RACLIST(PTKTDATA) REFRESH

Additional Information

You may use the option to bypass PassTicket replay protection when the threat of PassTicket replay is not a security concern, such as in the following cases:

    - Multiple end-users who share the same user ID
    - Trusted registry domains that exchange PassTickets as a method of establishing trust
    - Applications that request PassTickets for a particular USERID/APPLID combination more than once during a one-second time interval.
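
The following is an added illustration, not Broadcom or IBM code: a toy Python model of why only the first of the four CICE sessions starts, and what turning replay protection off changes. It assumes all four logons present the same PassTicket (same user ID, APPLID and clock second); the HMAC generator is a stand-in for the real RACF algorithm, and `USER01`, the key and the timestamp are constructed sample values.

```python
import hashlib
import hmac

WINDOW = 600  # seconds: the plus-or-minus 10 minute validity window
KEY = b"constructed-demo-key"  # constructed sample key, not a real PTKTDATA key


def make_ticket(userid, applid, second):
    """Stand-in generator (HMAC, NOT the RACF algorithm). It keeps one
    property: same userid, applid and clock second give the same ticket."""
    msg = f"{userid}|{applid}|{second}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()[:16].upper()


class Validator:
    """Toy model of the evaluating side for one application profile."""

    def __init__(self, replay_protection=True):
        self.replay_protection = replay_protection
        self.used = set()  # tickets already accepted

    def logon(self, userid, applid, ticket, now):
        # A ticket is valid if it matches any second inside the window.
        in_window = any(
            hmac.compare_digest(ticket, make_ticket(userid, applid, t))
            for t in range(now - WINDOW, now + WINDOW + 1)
        )
        if not in_window:
            return "EXPIRED_OR_INVALID"
        if self.replay_protection:
            if (userid, applid, ticket) in self.used:
                return "REPLAY_REJECTED"
            self.used.add((userid, applid, ticket))
        return "OK"


def start_all(replay_protection, now=1_700_000_000):
    """Four TPX sessions for one user, all targeting APPLID CICE at once."""
    v = Validator(replay_protection)
    ticket = make_ticket("USER01", "CICE", now)  # identical for all four
    sessions = ["CICE", "CICE-ATL", "CICE-GUL", "CICE-MID"]
    return {s: v.logon("USER01", "CICE", ticket, now) for s in sessions}


def late_reuse(replay_protection, delay, now=1_700_000_000):
    """Present the same ticket once, then again `delay` seconds later."""
    v = Validator(replay_protection)
    ticket = make_ticket("USER01", "CICE", now)
    v.logon("USER01", "CICE", ticket, now)
    return v.logon("USER01", "CICE", ticket, now + delay)
```

`start_all(True)` reproduces the reported symptom, and `late_reuse(False, 300)` shows the trade-off of the bypass: with replay protection off, a ticket that has already been used stays acceptable for the rest of the window.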