TPX provides support for Secured Signon using Pass Tickets.  The use of Pass Tickets eliminates the transmission of passwords across network facilities in clear text. 

A pass ticket is a one-time only password substitute that is automatically generated by an authentication server, such as
CA's Single Signon Option or IBM's Network Security Program or on behalf of a client workstation requesting access to a mainframe application, such as TPX.

Once a user is signed on to TPX, Pass Tickets may also be generated for down stream applications subsequently accessed through TPX. 

NOTE:  This document is specific to RACF.  For instructions specific to ACF2 or Top Secret, please refer to the links at the end of this document.

Release: 5.4
Component: TPX for Z/OS

The implementation of Pass Ticket support requires customization within both TPX and the ESM. (ACF2 / TSS / RACF)

Within TPX, there are two separate aspects of Pass Ticket support:
Users and / or Applications.  One can implement either or both depending upon your site requirements. 

One can specify pass ticket and/or qualified pass ticket for users and applications.  
When both are specified, CA TPX attempts to use the most secure form of pass ticket available based on the settings in
TPX and the Pass Ticket Profile, if any, as defined in the external security system.

A.  Logon to TPX with a Pass Ticket 

1. Set User Option ' Pass Ticket User: Y ' either in first profile assigned to a user or directly in user level maintenance panel.
2. To use qualified pass tickets, set ' Qualified PTick User : Y ' either in first profile assigned to a user or directly in user level.

This parameter does not impact the actual sign on to TPX.  TPX accepts the userid and password then makes a security call for validation.  
TPX is unaware of whether the password field contains a password or pass ticket at this point.

It is only after the user is signed on to TPX where this parameter becomes important, and these are outlined in the field level help:

• If the user is passed to another TPX by the Affinity feature, a pass ticket is generated for the TPX that the user is passed to.
• If a signoff command (/F) occurs, it is converted to a logoff.  This includes those produced by a timeout.
• Timeouts that would lock the terminal are converted to logoffs.
• The user must supply a lock word when locking the terminal   

B. Logon to applications with a Pass Ticket 

1. The application must be defined in TPX with session data that contains &PSWD or a startup ACL that keys in &PSWD to ensure secured signon using Pass Ticket.
2. Session Options requirements
   
   1. Set ' Generate Pass Ticket: Y ' in the ACT (Application Characteristics Table), or Profile Session Options, or User Session Options.
   2. To use qualified pass tickets, set ' Gen Qualified Pass Ticket: Y ' in the ACT, or Profile Session Options, or User Session Options.
   3. Set 'Pass Ticket Prof name', if required, in the ACT.  (Parameter is not available at profile or user level.) 
      
      • This pass ticket profile name will be supplied to the external security system instead of userid during Pass Ticket generation.
        
        • When Prof name is NOT specified (field left blank), TPX issues the pass ticket request with the USERID & APPLID.
        • When Prof name is specified, TPX issues the pass ticket request with the USERID & Prof name.

You may use security traces to verify whether or not the application requires a 'Pass Ticket Prof name' to be defined.

'Pass Ticket Prof name' is usually required for TSO and VM systems, where this parameter will have the value "TSOsmfid" or "VMcpuid".

• TSO - TSOsmfid
• VM   - Vmcpuid

Other applications requiring Pass Ticket prof name, as provided by multiple TPX customers:  (Please verify for your environment.)

• MVSxxxx system default
  
  • CA7
  • CADISP 
  • NETVIEW 
  • EXIGENCE 
  • IMPLEX 
• APPLID of application 
  
  • TMONDB2
• SESSIONID >>> Note that this was not the APPLID but rather the SESSIONID defined in TPX.
  
  • ABENDAID
    
    

Additional Setup Requirements:

1. SMRT Optional Parameters: Set both of these to Y:
   
   • SMRT Option 030 - This option will cause users defined as Pass Ticket Users to return to the CA TPX logo if a signoff command is entered or generated.  Pass Ticket users normally would not see the CA TPX logo because all signoffs are normally converted to logoffs.  If a user returns to the CA TPX logo then subsequently signs on with their real password, the signon will not be secured using the Pass Ticket technique.
   • SMRT Option 031 - This option will display "Pass Ticket" on the CA TPX menu in the location where "Check Messages" might appear (the W3 variable), if a user is defined as a Pass Ticket User.  The "Check Messages"indication temporarily overrides the "Pass Ticket" indication.  This option will cause the letters "PTIX" or the words "Pass Ticket" to appear on the menu in the "Status" column, for any application defined as a "Pass Ticket Application".  These are the UENTWSTS and UENTWSTL variables, respectively.  Other status indicator will temporarily override the Pass Ticket indication.

      2. SMRT Reserved Options:
         Access the SMRT Reserved Options by entering command “OPTIONS” on the SMRT Optional Parameters panel, then scroll down to set these options:

• RsvOpt 041 -  When using pass ticket instead of password/phrase to access applications, set RsvOpt 41 to Y to ensure the user-id has been validated through the external security manager (Top Secret/ACF2/RACF) to gain access to TPX.  This will handle the case where certain user-ids are set to SECURITY=NONE and should not have a pass ticket generated for them to access an application.
• RsvOpt 042 - (Optional)  Set RsvOpt 042 to Y if you need pass ticket generation messages in the TPX log for audit or other site requirements (TPXL0920, TPXL0921, TPXL0922, TPXL0923).  These messages are useful during implementation and testing of pass tickets.

To ensure that all changes have been implemented, cycle TPX or use TPXOPER RELOAD for each change. 

• When using pass tickets with GRS (generic resource), it is crucial that the system clock on each LPAR is in sync.  A PassTicket is considered to be within the valid time range when the time of generation, with respect to the clock on the generating computer, is within plus or minus 10 minutes of the time of evaluation, with respect to the clock on the evaluating computer.
• For additional information, please refer to the TPX documentation - section Pass Ticket Feature under Special Features and Customization Tasks.  Review section: Operational Differences for Pass Ticket Users.
• For RACF information on setting up Pass Tickets, please refer to z/OS Security Server RACF Security Administrator's Guide, or contact IBM.

• How to set up TPX to work with Pass Tickets in ACF2
• How to set up TPX to work with Pass Tickets in Top Secret (TSS)