Using PassTickets

The ADFzCC server can be configured to use PassTickets for authenticated clients.

To use this feature, a client must first authenticate with a valid user ID and password or passphrase. Following a successful authentication, the server generates and uses PassTickets for requesting clients. Such requests are valid for the period (in minutes) specified by the PASSTK configuration parameter.

To enable the use of PassTickets, complete the following steps:
  1. Specify the PASSTK parameter in your ADFzCC server configuration file. For a description of the parameter, see Configuration file keyword descriptions.
  2. The ADFzCC server must run APF-authorized. For more information about APF authorization and PassTickets, refer to the documentation for RACF or your equivalent security product.
  3. PassTickets are generated in association with an APPLID. For ADFzCC, the default APPLID is IPVAPPL.

    If the APPL class is active, connecting users must have READ access to the relevant APPLID resource name in the APPL class. The APPLID resource name can be overridden by the APPLID parameter in the ADFzCC server configuration file, in which case, authorization checks are performed against the configured APPLID resource name.

  4. The server started task user ID must have the following authorizations to generate PassTickets:
    SETROPTS CLASSACT(PTKTDATA) 
    SETROPTS RACLIST(PTKTDATA) 
    RDEF PTKTDATA IPVAPPL SSIGNON(KEYMASKED(yourmaskvalue)) 
    RDEF PTKTDATA IRRPTAUTH.IPVAPPL.* UACC(NONE) 
    PERMIT IRRPTAUTH.IPVAPPL.* ID(your.userid) ACCESS(UPDATE) CLASS(PTKTDATA) 
    SETR RACLIST(PTKTDATA) REFRESH
    
    If the server has the necessary authority, message IPV0052I is generated at startup; otherwise, message IPV0050S is generated.
Note: This feature primarily exists to facilitate multi-factor authentication (MFA) clients. Your MFA environment might require additional authorizations to use PassTickets. Refer to the instructions on using MFA with PassTickets in the documentation for IBM® Z Multi-Factor Authentication or equivalent MFA product.
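
The following RACF commands are an added example, not part of the ADFzCC documentation. They grant the READ access described in step 3 and list the profiles from step 4 so that the access lists can be reviewed before the server is started. They assume the default APPLID IPVAPPL, that no APPL profile for IPVAPPL exists yet, and a hypothetical group ADFUSERS that contains the connecting users.

```tso
/* Step 3: restrict the APPLID and permit only the connecting users.    */
/* ADFUSERS is a hypothetical group name; substitute your own.          */
RDEFINE APPL IPVAPPL UACC(NONE)
PERMIT IPVAPPL CLASS(APPL) ID(ADFUSERS) ACCESS(READ)

/* Needed only if the APPL class is RACLISTed on your system.           */
SETROPTS RACLIST(APPL) REFRESH

/* Review who can use the APPLID.                                       */
RLIST APPL IPVAPPL AUTHUSER

/* Step 4: confirm the secured signon key is defined for the APPLID.    */
RLIST PTKTDATA IPVAPPL SSIGNON

/* Confirm UACC(NONE) and that only the server started task user ID     */
/* has UPDATE access to generate PassTickets.                           */
RLIST PTKTDATA IRRPTAUTH.IPVAPPL.* AUTHUSER
```

If the APPLID parameter overrides the default in the server configuration file, replace IPVAPPL in each command with the configured APPLID resource name.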