Set up TPX to work with Pass Tickets in Top Secret Security (TSS)

Article ID: 31081

Products

TPX - Session Management Top Secret

Issue/Introduction

TPX provides support for Secured Signon using Pass Tickets.  The use of Pass Tickets eliminates the transmission of passwords across network facilities in clear text. 

A pass ticket is a one-time-only password substitute that is generated automatically by an authentication server, such as CA's Single Signon Option or IBM's Network Security Program, on behalf of a client workstation requesting access to a mainframe application such as TPX.

Once a user is signed on to TPX, Pass Tickets may also be generated for applications subsequently accessed through TPX. 

NOTE 1:  This document is specific to Top Secret.  For instructions specific to ACF2 or RACF, please refer to the links at the end of this document.

NOTE 2:  If PTF LU08678 (enhancement) is applied and active, TPX PTF LU03420 (enhancement) must be applied and active as well, regardless of whether legacy pass tickets or enhanced pass tickets are in use.

Environment

  • TPX® Session Management for z/OS 5.4
  • Top Secret® for z/OS 16.0

Resolution

The implementation of Pass Ticket (PTKT) support requires customization within both TPX and the security system.

Customize Top Secret for Pass Tickets

For Top Secret, the required NDT rules must be in place.
Refer to the Top Secret User Guide and the Top Secret Cookbook.

1. Define the application in the NDT:
   TSS ADDTO(NDT) PSTKAPPL(applname) SESSKEY(................) SIGNMULTI

2. Assign ownership of the resource:
   TSS ADD(dept) PTKTDATA(IRRPTAUT)
   Ownership in the PTKTDATA resource class is limited to 8 characters, which is why the owned prefix is IRRPTAUT rather than the full IRRPTAUTH.

3. Permit the resource in one of the following forms, where 'applname' is the
   Application Name defined in the NDT and 'userid' is the Userid:

   PTKTDATA(IRRPTAUTH.)
   PTKTDATA(IRRPTAUTH.applname.)
   PTKTDATA(IRRPTAUTH.applname.userid)

4. Finally, grant authority to generate pass tickets:

   TSS PER(serveracid) PTKTDATA(IRRPTAUTH.applname.acidname) ACCESS(UPDATE)

Authorize Applications to Generate or Evaluate PassTickets

Applications can invoke the R_ticketserv or R_GenSec callable service to generate or evaluate a PassTicket on behalf of an authorized user.

If running in 64-bit addressing mode (AMODE 64), you must use R_GenSec, because R_ticketserv does not support AMODE 64.
For complete information about R_GenSec and R_ticketserv, see the IBM z/OS Security Server RACF Callable Services documentation.

The PTKTDATA resource class authorizes the use of each callable service. 
The following table describes the required resource and access for generating and evaluating PassTickets:

Operation             Resource Name                          Access Required
Generate PassTicket   IRRPTAUTH.application.target_userid    UPDATE
Evaluate PassTicket   IRRPTAUTH.application.target_userid    READ

Invoking R_ticketserv/R_GenSec triggers a security call for PTKTDATA(IRRPTAUTH.application.target_userid) to ensure the caller is authorized to evaluate/generate a PassTicket. 

If the calling ACID (typically the region ACID) is authorized, the PassTicket operation can occur. 
If the PTKTDATA class is not active, or the required resources are not defined, the PassTicket request fails. 

How to authorize applications to generate or evaluate PassTickets

1. Define the PTKTDATA  resource to the Resource Descriptor Table (RDT).
    TSS ADD(RDT) RESCLASS(PTKTDATA)
                 ACLST(ALL,UPDATE=8000,READ)
                 MAXLEN(37)
    A PTKTDATA resource definition now exists in the RDT.

2. Grant ownership of the IRRPTAUT resource:
    TSS ADD(owning_acid) PTKTDATA(IRRPTAUT)
   IRRPTAUT is now owned.

3. Give a target user the permission to have a PassTicket generated/evaluated through an application:
    TSS PER(acid) PTKTDATA(IRRPTAUTH.application.target_userid)
                  ACCESS(READ,UPDATE)

application   --- Specifies the application.
target_userid --- Specifies the user who receives the permission.
A permit is added.

4. If control option PTKRESCK(YES) is set, grant the following additional permissions:
    TSS ADD(owning_acid) PTKTDATA(PTKTGEN.)
    TSS PER(userid) PTKTDATA(PTKTGEN.application.target-userid)
                    ACCESS(UPDATE)

   (See 'Authorize Applications to Generate or Evaluate PassTickets', step 4, for additional details on PTKRESCK.)

Top Secret customization for applications to generate or evaluate PassTickets complete.

Within TPX, there are two separate aspects of Pass Ticket support: Users and Applications.  
You can implement one or the other or both depending upon your site requirements.

You can specify pass ticket and/or qualified pass ticket for users and applications.  
When both are specified, CA TPX attempts to use the most secure form of pass ticket available
as defined in the external security system.


A.  TPX customization to activate Pass Ticket

  1. Set User Option 'Pass Ticket User: Y' either in the first profile assigned to a user or directly at the user maintenance level.
  2. To use qualified pass tickets, set 'Qualified PTick User: Y' either in the first profile assigned to a user or directly at the user level.

This parameter does not affect the actual sign-on to TPX.
TPX accepts the userid and password and then makes a security call for validation.
At this point TPX does not know whether the passcode field contains a password or a pass ticket.
The parameter only matters once the user is signed on to TPX; its effects, as outlined in the field-level help, are:

  • If the user is passed to another TPX by the Affinity feature, a pass ticket is generated for the TPX that the user is passed to.
  • If a signoff command (/F) occurs, it is converted to a logoff.  This includes those produced by a timeout.
  • Timeouts that would lock the terminal are converted to logoffs.
  • The user must supply a lock word when locking the terminal.


B. TPX applications sign-on with a Pass Ticket

Session Options requirements

Set ' Generate Pass Ticket: Y ' in the ACT (Application Characteristics Table), or Profile Session Options, or User Session Options.
To use qualified pass tickets, set ' Gen Qualified Pass Ticket: Y ' in the ACT, or Profile Session Options, or User Session Options.
Set 'Pass Ticket Prof name', if required, in the ACT.  (Parameter is not available at profile or user level.) 

The 'Pass Ticket Prof name' will be supplied to the external security system instead of userid during Pass Ticket generation.

When 'Pass Ticket Prof name' is NOT specified (field left blank), TPX issues the pass ticket request with the USERID & APPLID.
When 'Pass Ticket Prof name' is specified, TPX issues the pass ticket request with the USERID & Prof name.

NOTE : To use a pass ticket in TPX, the 'application' must be defined in the CA TPX Application Characteristics Table (ACT).
       In order to trigger a pass ticket session for a selected application, a startup TPX ACL is required to ensure secured signon.
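
The PTKTDATA authorization described in the Top Secret steps above (UPDATE to generate, READ to evaluate, the PTKTGEN check when PTKRESCK(YES) is set, and failure when the class is inactive) and the TPX rule for 'Pass Ticket Prof name' (blank means the VTAM APPLID is used, otherwise the Prof name replaces it) can be modelled together. The following Python script is an added example written for this article; it is not Top Secret or TPX code. The ACID, application and user names in it are constructed placeholders, and its prefix matching of permits is a simplification of how the security system resolves PTKTDATA permits.

```python
"""Simplified model of the PTKTDATA checks and the TPX 'Pass Ticket Prof name'
substitution rule. Constructed example for illustration; not the Top Secret or
TPX implementation. Permit matching is an assumption: a permit matches when
its resource name is an exact match or a dotted prefix of the requested name
(the IRRPTAUTH., IRRPTAUTH.applname., IRRPTAUTH.applname.userid forms)."""
from dataclasses import dataclass, field

# Access levels ordered so a higher level satisfies a lower requirement.
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "ALL": 3}
# From the article's table: generating needs UPDATE, evaluating needs READ.
REQUIRED_ACCESS = {"generate": "UPDATE", "evaluate": "READ"}


@dataclass
class Permit:
    acid: str       # the ACID the permit was issued to (TSS PER(acid) ...)
    resource: str   # e.g. "IRRPTAUTH.TPXPROD." (trailing dot = prefix permit)
    access: str     # READ, UPDATE, ALL


@dataclass
class SecurityConfig:
    ptktdata_active: bool = True
    ptkresck: bool = False            # control option PTKRESCK(YES)
    permits: list = field(default_factory=list)

    def best_access(self, acid, resource):
        """Highest access any matching permit grants this ACID on the resource."""
        best = "NONE"
        for p in self.permits:
            if p.acid != acid:
                continue
            if resource == p.resource or resource.startswith(p.resource):
                if ACCESS_RANK[p.access] > ACCESS_RANK[best]:
                    best = p.access
        return best

    def has_access(self, acid, resource, needed):
        return ACCESS_RANK[self.best_access(acid, resource)] >= ACCESS_RANK[needed]


def passticket_entity(applid, prof_name=""):
    """TPX rule: blank 'Pass Ticket Prof name' -> request uses the APPLID;
    otherwise the Prof name is sent to the security system instead."""
    return prof_name.strip().upper() or applid.upper()


def check_passticket(cfg, operation, caller_acid, applid, target_userid, prof_name=""):
    """Return (allowed, reason) for a generate/evaluate request, using the
    resource name IRRPTAUTH.application.target_userid from the article."""
    if operation not in REQUIRED_ACCESS:
        raise ValueError(f"unknown operation {operation!r}")
    if not cfg.ptktdata_active:
        return False, "PTKTDATA class not active"
    entity = passticket_entity(applid, prof_name)
    resource = f"IRRPTAUTH.{entity}.{target_userid.upper()}"
    needed = REQUIRED_ACCESS[operation]
    if not cfg.has_access(caller_acid, resource, needed):
        return False, f"{caller_acid} lacks {needed} on PTKTDATA({resource})"
    # PTKRESCK(YES) adds a second check on PTKTGEN.application.target_userid.
    if cfg.ptkresck and operation == "generate":
        gen_resource = f"PTKTGEN.{entity}.{target_userid.upper()}"
        if not cfg.has_access(caller_acid, gen_resource, "UPDATE"):
            return False, f"PTKRESCK(YES): {caller_acid} lacks UPDATE on PTKTDATA({gen_resource})"
    return True, f"{operation} allowed for {resource}"


# Constructed sample configuration; all names are placeholders, not from the article.
SAMPLE = SecurityConfig(
    ptktdata_active=True,
    ptkresck=True,
    permits=[
        Permit("TPXSTC", "IRRPTAUTH.TPXPROD.", "UPDATE"),  # TPX region may generate for TPXPROD
        Permit("TPXSTC", "PTKTGEN.TPXPROD.", "UPDATE"),    # needed because PTKRESCK(YES)
        Permit("CICSSTC", "IRRPTAUTH.CICSPROD.", "READ"),  # this region may only evaluate
    ],
)

if __name__ == "__main__":
    for args in [("generate", "TPXSTC", "TPXPROD", "user01"),
                 ("generate", "CICSSTC", "CICSPROD", "user01"),
                 ("evaluate", "CICSSTC", "CICSPROD", "user01"),
                 ("generate", "TPXSTC", "TPXPROD", "user01", "TSOSMF1")]:
        print(args, check_passticket(SAMPLE, *args))
```

The last case in the usage loop shows the practical consequence of setting a 'Pass Ticket Prof name': the request is made for that name rather than the APPLID, so a permit that only covers the APPLID no longer matches, which is why the article insists the traced entity be defined under PTKTDATA as well.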

To verify whether your application requires a 'Pass Ticket Prof name' to be defined, run the TSS SECTRACE.

For Top Secret (TSS)

Run a SECTRACE against the TPX address space (using the TPX jobname) to verify that TSS generates a pass ticket.
Repeat the test with a second SECTRACE against the application to verify which entity/element the application sends to TSS for validation.
If it is not the VTAM APPLID, define this entity/element in the TPX ACT 'Pass Ticket Prof name' field so that TPX requests the pass ticket for this value instead of the actual APPLID.

Do not run both SECTRACEs at the same time, so that the trace data remains specific to either TPX or the application.
Also ensure the entity/element identified in the trace of the application (the one you specify in 'Pass Ticket Prof name') is defined within TSS PTKTDATA.

To verify if the profile name has been set up for pass tickets:
           TSS LIST(profile_name) DATA(ALL)

For TSO and VM systems, 'Pass Ticket Prof name' is required and takes the following value:

  • TSO - TSOsmfid
  • VM - Vmcpuid

Other applications requiring a Pass Ticket Prof name, as reported to us by TPX customers (please verify for your environment):

    • CA7 - MVSxxxx system default
    • CADISP - MVSxxxx system default
    • NETVIEW - MVSxxxx system default
    • EXIGENCE - MVSxxxx system default
    • IMPLEX - MVSxxxx system default
    • TMONDB2 - APPLID of the application
    • ABENDAID - SESSIONID (note that this is not the APPLID but rather the SESSIONID defined in TPX)

There may be additional applications where this entity/element is required and can be determined in conjunction with the application vendor and your security administrator.


 Additional TPX Setup Requirements:

  1. SMRT Optional Parameters: Set both of these to Y:
    • SMRT Option 030 - This option will cause users defined as Pass Ticket Users to return to the CA TPX logo if a signoff command is entered or generated.  Pass Ticket users normally would not see the CA TPX logo because all signoffs are normally converted to logoffs.  If a user returns to the CA TPX logo then subsequently signs on with their real password, the signon will not be secured using the Pass Ticket technique.
    • SMRT Option 031 - This option will display "Pass Ticket" on the CA TPX menu in the location where "Check Messages" might appear (the W3 variable), if a user is defined as a Pass Ticket User.  The "Check Messages" indication temporarily overrides the "Pass Ticket" indication.  This option will also cause the letters "PTIX" or the words "Pass Ticket" to appear on the menu in the "Status" column for any application defined as a "Pass Ticket Application".  These are the UENTWSTS and UENTWSTL variables, respectively.  Other status indicators will temporarily override the Pass Ticket indication.
  2. SMRT Reserved (RsvOpt) Options:
     
    Access the SMRT Reserved Options by entering command “OPTIONS” on the SMRT Optional Parameters panel (13), then scroll down to set these options:
  • RsvOpt 041 -  When using pass ticket instead of password/phrase to access applications, set RsvOpt 41 to Y to ensure the user-id has been validated through the external security manager (Top Secret/ACF2/RACF) to gain access to TPX.  This will handle the case where certain user-ids are set to SECURITY=NONE and should not have a pass ticket generated for them to access an application.
  • RsvOpt 042 - (Optional)  Set RsvOpt 042 to Y if you need pass ticket generation messages in the TPX log for audit or other site requirements (TPXL0920, TPXL0921, TPXL0922, TPXL0923).  These messages are useful during implementation and testing of pass tickets.

To ensure that all changes take effect, it is recommended to recycle TPX.
If you are familiar with the reload command, it may also be used to implement each change.

Additional Information

  • When using pass tickets with GRS (generic resource), it is crucial that the system clock on each LPAR is in sync.
    A PassTicket is considered to be within the valid time range when the time of generation, with respect to the clock on the generating computer, is within plus or minus 10 minutes of the time of evaluation, with respect to the clock on the evaluating computer.
  • For additional information, please refer to the CA TPX Programming Guide - Special Features and Customization Tasks, section Pass Ticket Feature.
    Please note the section: Operational Difference for Pass Ticket Users.
  • Top Secret User Guide and the Top Secret Cookbook.  
    The most current version of the TSS documentation is available from the CA Top Secret for z/OS
  • How to set up TPX to work with Pass Tickets in ACF2
  • How to set up TPX to work with Pass Tickets in RACF
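
As an added illustration of the clock-synchronisation point above (the code is written for this article and is not from TPX or Top Secret), the following Python models the plus-or-minus 10 minute validity rule and shows which members of a GRS group would accept a ticket when their clocks are skewed. The LPAR names and skew values are constructed.

```python
"""Model of the PassTicket time window: a ticket is accepted when the
generating clock's timestamp is within +/- 10 minutes of the evaluating
clock's time. Constructed example; it models only the timing rule stated
in the article, not the RACF/TSS PassTicket algorithm itself."""
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)


def within_window(generated_at, evaluated_at, window=WINDOW):
    """True when |evaluating clock - generating clock| <= window (inclusive)."""
    return abs(evaluated_at - generated_at) <= window


def evaluate_with_skew(true_gen_time, transit, gen_skew, eval_skew, window=WINDOW):
    """Two LPARs whose clocks are offset from true time by gen_skew and eval_skew.
    The generator stamps the ticket with its own (skewed) clock; the evaluator
    compares that stamp with its own (skewed) clock after 'transit' of real time."""
    stamped = true_gen_time + gen_skew
    evaluator_clock = true_gen_time + transit + eval_skew
    return within_window(stamped, evaluator_clock, window)


def accepting_members(stamped, true_now, member_skews, window=WINDOW):
    """Given a ticket stamp and each GRS member's clock skew (name -> timedelta),
    return the sorted names of members whose clocks would accept the ticket.
    With a generic resource the session may land on any of them, so a ticket
    that validates on one LPAR can fail on another with a drifted clock."""
    return sorted(name for name, skew in member_skews.items()
                  if within_window(stamped, true_now + skew, window))


if __name__ == "__main__":
    # Constructed scenario: ticket generated at noon by LPARA (clock correct),
    # evaluated 2 seconds later by one of three GRS members.
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    skews = {"LPARA": timedelta(0),
             "LPARB": timedelta(minutes=12),    # 12 minutes fast: outside window
             "LPARC": timedelta(minutes=-3)}    # 3 minutes slow: still inside
    print(accepting_members(t0, t0 + timedelta(seconds=2), skews))
```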