Why is it necessary to add the user's TSO ID to the ACF2 PTKTGEN IRRPTAUTH definition for the XNET APPL(DB2TOOLS)

Article ID: 206908

Products

Database Management for DB2 for z/OS - Administration Suite
Database Management for DB2 for z/OS - Performance Suite
Database Management for DB2 for z/OS - Recovery Suite
Database Management for DB2 for z/OS - SQL Performance Suite
Database Management for DB2 for z/OS - Utilities Suite
DATABASE MANAGEMENT SOLUTIONS FOR DB2 FOR Z/OS

Issue/Introduction

The XNET and SYSVIEW -MVS documentation on PassTicket setup for the interface between
SYSVIEW -MVS and SYSVIEW PMO for Db2 for z/OS (IDB2), which is used to obtain DB2 metrics in the SYSVIEW -MVS monitor (Option 6),
did not mention the need to define each user's TSO ID to the PTKTGEN IRRPTAUTH definition for the DB2TOOLS APPL.
However, the interface did not work until the end user's TSO ID was defined to the PTKTGEN IRRPTAUTH definition for the DB2TOOLS APPL.

Cause

The PTKTGEN.applid.userid resource is a resource validation check that verifies that a user has the appropriate authority to generate
a PassTicket for a specific user and application. The validation check is optional and is controlled by the ACF2 GSO OPTS PTKRESCK|NOPTKRESCK parameter:

PTKRESCK|NOPTKRESCK
Specifies whether to make a FASTAUTH resource validation check to verify that a user has the appropriate authority to generate a PassTicket for a specific user and application.
This FASTAUTH call is made with the CLASS=PTKTDATA, ATTR=UPDATE, and ENTITYX='PTKTGEN.applid.userid' parameters (where applid is the application ID associated with this PassTicket
and the userid is the ID of the user for which the PassTicket is being generated). This security call is issued regardless of any other PassTicket security calls.
The default is NOPTKRESCK.


Note: Be sure to define the appropriate resource rules to allow PassTicket generation when turning this option on.
Resource rules associated with the PTKTDATA class must be globally resident in the ACF2 GSO RESDIR or INFODIR record. The default CLASMAP entry maps
the PTKTDATA class to resource type PTK. If you have an overriding CLASMAP entry, adjust the resource type. The following sample administrative commands are based on resource type PTK:

ACF
 SET CONTROL(GSO)
 CHANGE INFODIR TYPES(R-RPTK) ADD
ACF
 SET R(PTK)
 COMPILE
 $KEY(PTKTGEN) TYPE(PTK)
 applid.userid UID(*) ALLOW
F ACF2,REFRESH(INFODIR)
F ACF2,REBUILD(PTK)

Resolution

The additional PTKTGEN IRRPTAUTH definition for the user's TSO ID was necessary because the optional validation check was turned on.

The following instructions are sufficient in ACF2 when the optional validation check is not active:

ACF2 rules for passticket setup for Sysview -mvs (DB2 option) via XNET

SET PROFILE(PTKTDATA) DIVISION(SSIGNON)
INSERT DB2TOOLS SSKEY(<session_key>) MULT-USE
F ACF2,REBUILD(PTK),CLASS(P)

SET RESOURCE(PTK)                                        
RECKEY IRRPTAUTH ADD(DB2TOOLS.- UID(<xnet stc id>) -
 SERVICE(UPDATE,READ) ALLOW)                             
F ACF2,REBUILD(PTK)  

SET RESOURCE(PTK)                                        
RECKEY IRRPTAUTH ADD(DB2TOOLS.- UID(<sysview stc id>) -
 SERVICE(UPDATE,READ) ALLOW)                             
F ACF2,REBUILD(PTK)      

Then, for every user of SYSVIEW -MVS who obtains DB2 metrics via Option 6 (Db2 option):

SET RESOURCE(PTK)                                               
RECKEY IRRPTAUTH ADD(DB2TOOLS.tsoID UID(<uidstring>) -
  SERVICE(UPDATE,READ) ALLOW)                                   
F ACF2,REBUILD(PTK)
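
The per-user step above has to be repeated for each SYSVIEW -MVS user, so the following added example (not part of the original article or of any Broadcom tooling) builds those commands from a list of users. The function name, the (TSO ID, UID string) input pairs and the sample values are assumptions of this example. It also rejects any entry containing the ACF2 masking characters `-` or `*`, so that each generated rule stays scoped to a single TSO ID rather than widening to the `DB2TOOLS.-` form used for the started tasks.

```python
import re

# TSO user IDs: 1-7 characters, first alphabetic or national (#, $, @).
# The '-' and '*' mask characters are therefore never valid in a TSO ID.
TSO_ID = re.compile(r"[A-Z#$@][A-Z0-9#$@]{0,6}")
# Assumption of this example: a UID string has no blanks, parentheses or masks.
UID_STRING = re.compile(r"[^\s()*-]+")

APPL = "DB2TOOLS"  # application name used throughout the article


def ptk_rule_commands(users):
    """Build the article's per-user commands for each (tso_id, uid_string) pair.

    Returns (commands, rejected). Rejected pairs are never emitted, so a
    malformed or masked entry cannot silently broaden the PTK rule set.
    """
    commands, rejected, seen = [], [], set()
    for tso_id, uid in users:
        tso_id, uid = tso_id.strip().upper(), uid.strip()
        if not TSO_ID.fullmatch(tso_id) or not UID_STRING.fullmatch(uid):
            rejected.append((tso_id, uid))
            continue
        if tso_id in seen:  # emit one rule entry per TSO ID
            continue
        seen.add(tso_id)
        commands += [
            "SET RESOURCE(PTK)",
            f"RECKEY IRRPTAUTH ADD({APPL}.{tso_id} UID({uid}) -",
            "  SERVICE(UPDATE,READ) ALLOW)",
            "F ACF2,REBUILD(PTK)",
        ]
    return commands, rejected


if __name__ == "__main__":
    # Constructed sample input: one valid user, one mask, one over-long ID.
    sample = [("tsousr1", "UIDSTR1"), ("-", "UIDSTR2"), ("TOOLONGID", "UIDSTR3")]
    cmds, bad = ptk_rule_commands(sample)
    print("\n".join(cmds))
    print("rejected:", bad)
```

Review the rejected list before submitting the generated commands, and substitute the site's real UID strings for the sample values.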