ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Multiple simoulteneous CICS sessions do not start in a TPX / RACF environment, using a PASSTICKET

book

Article ID: 186845

calendar_today

Updated On:

Products

TPX - Session Management TPX- PACKAGE Vman Session Management for z/OS TPX SESSION MANAGEMENT

Issue/Introduction

A CICS session (CICE-VTAM APPLID)  has multiple sessions that are required to be started at the same time, in a Passticket environment.

Session name       APPLID

CICE                       CICE
CICE-ATL                CICE
CICE-GUL               CICE
CICE-MID               CICE

These sessions are all pointing to the same applid, CICE, which is in the ACT and defined as a PASSTICKET application.
Activating them one at a time works, however, when starting all four at once the first session of the four activates, but the remaining 3 will not get activated normally.
Why is the behavior different when all are select, compared to when selected individually. 

 

Environment

Release : 5.4
Component : CA-TPX for Z/OS

Resolution

By default Pass Ticket replay protection is active in RACF.
RACF does not allow the same passticket to be used more than once within a 10 minute time period.

The option to bypass Pass Ticket replay protection allows the plus-or-minus-10-minute Pass Ticket
replay protection to be bypassed for selected applications or combinations of selected applications,
users, or groups.

Update RACF PTKTDATA profile for APPLDATA field by ADDing text string 'NO REPLAY PROTECTION'.

APPLDATA(‘NO REPLAY PROTECTION’)
Allows reuse of the same PassTicket multiple times, in the allowed plus or minus 10 minutes.

Sample:
SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)
RDEFINE PTKTDATA applid SSIGNON(KEYMASKED(0123456789ABCDEF)) APPLDATA('NO REPLAY PROTECTION') UACC(NONE)

SETROPTS RACLIST(PTKTDATA) REFRESH

Additional Information

You may use the option to bypass PassTicket replay protection when the threat of PassTicket replay is not a security concern, such as in the following cases:

    - Multiple end-users who share the same user ID
    - Trusted registry domains that exchange PassTickets as a method of establishing trust
    - Applications that request PassTickets for a particular USERID/APPLID combination more than once during a one-second time interval.