CA-TPX provides support for Secured Signon using Pass Tickets. The use of Pass Tickets eliminates the transmission of passwords across network facilities in clear text.
A pass ticket is a one-time-only password substitute that is automatically generated by an authentication server, such as CA's Single Signon Option or IBM's Network Security Program, on behalf of a client workstation requesting access to a mainframe application such as TPX.
Once a user is signed on to TPX, Pass Tickets may also be generated for applications subsequently accessed through TPX.
NOTE: This document is specific to ACF2. For instructions specific to Top Secret or RACF, please refer to the links at the end of this document.
Release: NVINAM00200-5.4-TPX-Session Management-Access Management package
The implementation of Pass Ticket support requires customization within both TPX and the security system.
Define TPX in ACF2 for pass tickets:
See the ACF2 Administration Guide for full details. Current versions of the documentation can be obtained from the CA ACF2 for z/OS product page.
Within TPX, there are two separate aspects of Pass Ticket support: Users and Applications. You can implement one or the other or both depending upon your site requirements.
You can specify pass ticket and/or qualified pass ticket for users and applications. When both are specified, CA TPX attempts to use the most secure form of pass ticket available based on the settings in CA TPX and the Pass Ticket Profile, if any, as defined in the external security system.
A. Logon to TPX with a Pass Ticket
This parameter does not impact the actual sign on to TPX. TPX accepts the userid and password then makes a security call for validation. TPX is unaware of whether the password field contains a password or pass ticket at this point.
It is only after the user is signed on to TPX that this parameter becomes important; the details are outlined in the field-level help:
B. Logon to applications with a Pass Ticket
You can use security traces to verify whether your application requires a 'Pass Ticket Prof name' to be defined.
SET PROFILE(PTKTDATA) DIVISION(SSIGNON)
INSERT profname SSKEY(ENCRYPTION DATA)
'Pass Ticket Prof name' is usually required for TSO and VM systems, where this parameter will have the value "TSOsmfid" or "VMcpuid".
Other applications requiring a Pass Ticket prof name, as reported to us by TPX customers (please verify for your environment):
Other applications may require a non-standard RACROUTE verification, using a value other than the application name.
This should be determined in conjunction with the application vendor and your security administrator.
Additional Setup Requirements:
To ensure that all changes have been implemented, cycle TPX or use TPXOPER RELOAD for each change.