
Step 14: Implement PassTicket Support in Sernet

Background

In ChangeMan ZMF 8.1, PassTickets were implemented for mainframe clients connecting through TCP/IP. The actions detailed below are required for customers that have mainframe users or batch jobs that:

  1. Connect to ZMF from LPARs other than the one that hosts the Server started task (that is, those connections that use the ChangeMan ZMF Load Balancing Option (LBO)).

  2. Explicitly request TCP/IP connection. For example:

    1. Those customers specifying CON(T) in their connection REXX or CLIST.

    2. Those customers specifying <method>T</method> in XML Service requests.

    3. Those customers using the CONNECT=T JCL parameter (for example, on program CMNVSRVC execution).

    Note

    TCP/IP connections will also be attempted if an XMS (Cross Memory Services) connection attempt fails.

We recommend that you enable PassTicket Support even if you are not explicitly requesting TCP/IP connections.

Required RACF Administration

To enable RACF PassTickets, customers must:

  1. Activate the PTKTDATA class by entering:

    SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)

  2. Refresh the PTKTDATA class by entering:

    SETROPTS RACLIST(PTKTDATA) REFRESH

  3. Create a profile in the PTKTDATA class by entering:

    RDEFINE PTKTDATA SERNET SSIGNON(user_must_choose) APPLDATA('NO REPLAY PROTECTION')

The value SERNET in the above RDEFINE command is mandatory and should not be altered. The SSIGNON specification value is a 64-bit Data Encryption Standard (DES) key that must be uniquely assigned by each customer. Refer to the RACF Command Language Reference Manual for details.

The PassTicket support information given here is for RACF customers. If you use CA ACF2™ or CA Top Secret®, check the appropriate ACF2 or Top Secret documentation for instructions on implementing PassTicket support. Use the provided RACF instructions as a guide.

Role of the SERSET Utility

Support for PassTickets in Sernet is provided through the execution of the SERSET utility.

Each time the ChangeMan ZMF started task is brought up, the SERSET utility is invoked during the initialization process. This addresses the case where clients connect to a started task running on the same LPAR.

However, the SERSET utility can also be executed as a batch utility, provided in the SERSET member of the SERCOMC CNTL distribution library. If users are signing on to the started task from other LPARs, you need to run the SERSET batch job on all of these other LPARs to provide support for the PassTickets.

The SERSET utility must be executed on every LPAR that hosts ChangeMan ZMF users or batch jobs before TCP/IP connections are possible.

PassTicket Generation

Sernet generates PassTickets when SERCLIEN calls SERXPTIK. The generation process requires authorization (key zero), so SERXPTIK executes as a PC routine to obtain authorization (that is, supervisor state). The sole purpose of the SERSET utility is to implement this routine.

SERCLIEN only needs to know the PC number associated with SERXPTIK to generate a PassTicket. To find this number, SERCLIEN retrieves two system-level tokens, as follows:

Token              Description
SerNet.PTickTok    Contains the SerNet.PTickX value.
SerNet.PTickX      Contains the PC number.
Note: The X in this token name corresponds directly to the TOKEN= value established when SERSET runs.

Failures in PassTicket Generation

SERXPTIK calls the routine anchored in field RCVTPTGN of the RACF CVT. Errors will be returned to the caller of SERCLIEN, as follows:

SER6035E Passticket generation failed, RCVTPTGN RC=nnnn

RCVTPTGN and its accompanying return codes are documented in the section titled "Using the service to generate a passticket" in the RACF Macros and Interfaces manual.
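
To triage these errors across LPARs, the following added example (not part of the ChangeMan ZMF documentation) groups SER6035E messages by return code and by originating system and job. The log lines, their leading system and job columns, and the RC values in them are constructed for illustration; only the SER6035E message text comes from this page.

```python
import re
from collections import Counter, defaultdict

# Message text as documented on this page; the RC is captured exactly as printed.
SER6035E = re.compile(r"\bSER6035E\b.*?\bRCVTPTGN\s+RC=(\w+)", re.IGNORECASE)

# Constructed sample lines. The leading "system jobname" columns are an
# assumed layout for this example, not a documented log format, and the
# RC values are arbitrary placeholders.
SAMPLE_LOG = """\
SYSA CMNBATCH SER6035E Passticket generation failed, RCVTPTGN RC=0008
SYSA CMNBATCH SER6035E Passticket generation failed, RCVTPTGN RC=0008
SYSB USER01   SER6035E Passticket generation failed, RCVTPTGN RC=0016
SYSB USER01   IEF403I USER01 - STARTED
SYSC XMLSERV  SER6035E Passticket generation failed, RCVTPTGN RC=0008
"""


def summarize_ptkt_failures(text):
    """Map each RCVTPTGN return code to a Counter of (system, job) hits."""
    summary = defaultdict(Counter)
    for line in text.splitlines():
        match = SER6035E.search(line)
        if match is None:
            continue  # unrelated message
        # Anything before the message ID is treated as "system jobname".
        prefix = line[:match.start()].split()
        system = prefix[0] if len(prefix) > 0 else "?"
        job = prefix[1] if len(prefix) > 1 else "?"
        summary[match.group(1)][(system, job)] += 1
    return dict(summary)


def systems_by_rc(summary):
    """List the distinct systems reporting each return code, sorted."""
    return {rc: sorted({system for system, _ in hits})
            for rc, hits in summary.items()}


if __name__ == "__main__":
    result = summarize_ptkt_failures(SAMPLE_LOG)
    for rc, systems in sorted(systems_by_rc(result).items()):
        total = sum(result[rc].values())
        print(f"RCVTPTGN RC={rc}: {total} failure(s) on {', '.join(systems)}")
```

Look up each reported RC in the RACF Macros and Interfaces manual, then review the PTKTDATA setup on the systems listed for it.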

For more information about PassTicket support in Sernet, refer to the ChangeMan ZMF Installation Guide.