Define SSIGNON SSKEY for PTKTDATA in ACF2

Article ID: 260559


Updated On:

Products

ACF2

Issue/Introduction

A PassTicket is being implemented for an external DB2 application. To generate a usable PassTicket, the application is requesting the 16-byte hex key used to create this entry:

SSIGNON / D02G LAST CHANGED BY xxxxxx ON 07/02/14-09:36
                     NOENCRYPT MULT-USE SSKEY(*SUPPRESSED*)

By design, the key is not retrievable. What are the implications of redefining the above entry with a new SSKEY? Is a recycle of the application required?

Some systems have passticket entries with no SSKEY defined: 

SSIGNON / DB2UAT LAST CHANGED BY xxxxxx ON 06/14/17-14:51
                     NOENCRYPT MULT-USE

SSIGNON / DB3PDIST LAST CHANGED BY xxxxxx ON 11/08/17-14:41
                     NOENCRYPT MULT-USE

What are the possible implications of adding an SSKEY to those entries?

 

 

Environment

Release : 16.0

Resolution

The SSKEY is required for Legacy PassTickets PTKTDATA Profile Records. When a logonid with only the ACF2 AUDIT privilege lists Legacy PassTickets PTKTDATA Profile Records, the SSKEY(*SUPPRESSED*) field is not displayed:

Logonid with Only ACF2 AUDIT privilege:
ACF
SET PROFILE(PTKTDATA) DIVISION(SSIGNON)
LIST TSOSYS5
SSIGNON / TSOSYS5 LAST CHANGED BY USER001 ON 09/20/21-08:40   
                     NOENCRYPT MULT-USE        

Logonid with ACF2 SECURITY privilege:            
ACF
SET PROFILE(PTKTDATA) DIVISION(SSIGNON)
LIST TSOSYS5  
SSIGNON / TSOSYS5 LAST CHANGED BY USER001 ON 09/20/21-08:40
                     NOENCRYPT MULT-USE SSKEY(*SUPPRESSED*)

The only implication of changing the SSKEY is that all applications requesting the PassTicket must use the same SSKEY.

If there are multiple z/OS LPARs sharing the databases, there should be no problem.
If there are multiple z/OS LPARs that are not sharing the databases, but have their own version of the PassTicket record, those records will also need to be changed.
If the PassTicket is obtained off platform and not using the ACF2 SSIGNON profile records, then that process will also need to know the new SSKEY.

There is no need to restart the z/OS applications that need the profile records, as each call issues an extract request and obtains the latest SSKEY.

NOTE: ACF2 does not now allow a Legacy PassTickets PTKTDATA Profile Record to be created without an SSKEY.
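
The following added example (not part of the original article and not Broadcom code) parses captured LIST output in the format shown above and reports which SSIGNON records display no SSKEY field. The function names and the sample listing are constructed for illustration; because an AUDIT-only logonid never sees SSKEY(*SUPPRESSED*), the result is only meaningful for a listing taken with SECURITY privilege.

```python
import re

# Record header as it appears in the article's LIST output.
HEADER = re.compile(
    r"^\s*SSIGNON\s*/\s*(?P<name>\S+)\s+LAST CHANGED BY\s+(?P<by>\S+)"
    r"\s+ON\s+(?P<when>\d{2}/\d{2}/\d{2}-\d{2}:\d{2})\s*$"
)

def parse_ssignon_listing(text):
    """Parse captured LIST output into one dict per SSIGNON record."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {**m.groupdict(), "attrs": [], "sskey_shown": False}
            records.append(current)
        elif current is not None and line[:1].isspace() and line.strip():
            # Indented continuation line: attributes of the current record.
            for token in line.split():
                current["attrs"].append(token)
                if token.startswith("SSKEY("):
                    current["sskey_shown"] = True
        elif line.strip():
            # Command echo (ACF, SET, LIST ...) ends the current record.
            current = None
    return records

def records_without_sskey(text):
    """Names of records whose listing shows no SSKEY field."""
    return [r["name"] for r in parse_ssignon_listing(text)
            if not r["sskey_shown"]]

# Constructed sample, modelled on the listings quoted in the article.
SAMPLE = """\
ACF
SET PROFILE(PTKTDATA) DIVISION(SSIGNON)
LIST D02G
SSIGNON / D02G LAST CHANGED BY USER001 ON 07/02/14-09:36
                     NOENCRYPT MULT-USE SSKEY(*SUPPRESSED*)
LIST DB2UAT
SSIGNON / DB2UAT LAST CHANGED BY USER001 ON 06/14/17-14:51
                     NOENCRYPT MULT-USE
"""

if __name__ == "__main__":
    for name in records_without_sskey(SAMPLE):
        print(f"{name}: no SSKEY displayed; confirm listing privilege")
```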