Can I Use Passtickets With The FTP Application?

Products

Cleanup Datacom DATACOM - AD CIS COMMON SERVICES FOR Z/OS 90S SERVICES DATABASE MANAGEMENT SOLUTIONS FOR DB2 FOR Z/OS COMMON PRODUCT SERVICES COMPONENT Common Services CA ECOMETER SERVER COMPONENT FOC Easytrieve Report Generator for Common Services INFOCAI MAINTENANCE IPC UNICENTER JCLCHECK COMMON COMPONENT Mainframe VM Product Manager CHORUS SOFTWARE MANAGER CA ON DEMAND PORTAL CA Service Desk Manager - Unified Self Service PAM CLIENT FOR LINUX ON MAINFRAME MAINFRAME CONNECTOR FOR LINUX ON MAINFRAME GRAPHICAL MANAGEMENT INTERFACE WEB ADMINISTRATOR FOR TOP SECRET Xpertware Top Secret Top Secret - LDAP Top Secret - VSE

Issue/Introduction

Description:

To secure FTP and connection, the standard is to use SSL and Digital Certificates.

But under specific circumstances, you may want to secure your FTP connection other alternatives besides user/password and SSL.

Solution:

Before securing FTP with passtickets, we must understand how passtickets work.

What is a Passticket?

It's an alternative to the mainframe password that permits workstations and client machines to communicate with the host. It allows a user to gain access to the host system without sending the mainframe password across the network.

PassTickets are cryptographically-generated, single-use, short-lifespan password substitutes. They are inherently more secure than passwords.

The Passticket is valid for a period of plus or minus 10 minutes (as measured on the GMT clock of the "central" system). It cannot be replayed. It is always a 8-character string (for example 6MP534fG could be the value of a Passticket).

Passtickets in CA Top Secret can be used with FTP and here are the steps required:

Access to the FTP site must be done through an application that will request a passticket and pass it at connection time. A sample application is attached to this document.
The application name and session key must be defined to the CA Top Secret NDT.

Example:APPLICATION = OMVSAPPL SESSION KEY = 123456789ABCDEF0

tss add(ndt) pstkappl(omvsappl) sesskey(123456789ABCDEF0)

To remove it:

tss rem(ndt) pstkappl(omvsappl)
By default, the default application name is passed on parameter 'APPL=' of the:

RACROUTE REQUEST=VERIFY,ENVIR=CREATE

by FTP to CA Top Secret at connection.

It has the following format:

FTPDx where 'x' can be '1' '2' etc...

Modify the FTP STC in order to have the application name, you have chosen to be passed by FTP with the 'APPL=' parameter. See sample as follows:
```
     //FTPD1    PROC PARMS='ENVAR("_BPX_JOBNAME=OMVSAPPL")'     //FTPD     EXEC PGM=FTPD,REGION=0M,TIME=NOLIMIT,         //         PARM='&PARMS/POSIX(ON) ALL31(ON)'
```

An alternative to step 3 is to use the CA Top Secret Installation Exit TSSINSTX PRE-INIT entry to change the application name in the RACROUTE parameter list. Please see the following example:

     PREINIT  DS    0H                                                             ICM   R3,15,TXA#@RFP           @@PLIST                               BZ    EXIT0                                                          ICM   R3,15,0(R3)              @PLIST                                BZ    EXIT0                                                          ICM   R3,15,48(R3)             @APPL Get application address         BZ    EXIT0                                                          CLC   0(4,R3),=C'FTPD'         Application starts with FTPD          BNE   EXIT0                                                          MVC   0(8,R3),=C'OMVSAPPL'                                           B     EXIT0

Note 1:
All samples given have been ONLY tested in test environments.

Note 2:
All sample given are for information purposes and CANNOT be considered as a CA extended product feature. Creation, maintenance and troubleshooting are the sole responsibility of the user.

Please see the CA Top Secret User Guide for more details about CA Top Secret Installation Exit 'TSSINSTX'.

Environment

Release:
Component: AWAGNT

Attachments

1558535625922TEC481822.zip get_app