
How to Configure PassTicket for CA SYSVIEW for DB2

Last update June 14, 2016

As an application administrator, you want to configure PassTicket to provide seamless and secured access by CA Cross-Enterprise Application Performance Management (CA Cross-Enterprise APM) to CA SYSVIEW® Performance Management Option for DB2 for z/OS (CA SYSVIEW for DB2) data. The data enables an application support specialist, using CA Introscope®, to see the DB2 issues that affect an application.

CA Cross-Enterprise APM operates in a networked environment. PassTicket provides enhanced security across a network. The networked entities can communicate without specific passwords or password phrases.

Use this scenario to guide you through the process:

[Diagram: How to Configure PassTicket for CA SYSVIEW for DB2]

  1. Review requirements.

  2. (z/OS security administrator) Configure PassTicket in the external security manager (ESM).

  3. (CA SYSVIEW for DB2 administrator) Enable PassTicket support in Xnet.

  4. Enable PassTicket support in CA Cross-Enterprise APM.

At the end of the process, the user ID of the CA Cross-Enterprise APM WILYZOS job has the authority to generate PassTicket. CA Cross-Enterprise APM can access CA SYSVIEW for DB2 using PassTicket.

Review Requirements

The configuration of PassTicket involves other roles:

  • z/OS security administrator to configure PassTicket in ESM.

  • CA SYSVIEW for DB2 administrator to enable PassTicket in Xnet.

Gather the necessary information, and pass the information to those roles so they can complete their task.

Follow these steps:

  1. Gather the following information:

    • The application name (appl_name) that you want for the PassTicket definition, for example, DB2TOOLS.

      Limits: One through eight characters

      Note: If PassTicket support is already enabled in Xnet (PASSNAME(appl_name) parameter is specified in the CDBAPARM(PXNPARM) data set member), use that appl_name as the application name.

    • User ID of the WILYZOS job (wilyzos_user_id) to authorize for PassTicket generation.

  2. Ask the z/OS security administrator to configure PassTicket in ESM, using the information in Step 1.

  3. Ask the CA SYSVIEW for DB2 administrator to enable PassTicket in Xnet for appl_name.

Configure PassTicket in ESM

As a z/OS security administrator, you receive a request for a new PassTicket definition. You have the following information:

  • Application name (appl_name) that you want to use for the PassTicket definition, for example, DB2TOOLS.

  • User ID of the WILYZOS job (wilyzos_user_id) to authorize for PassTicket generation.

Follow these steps:

  1. Define the application session key. This key activates PassTicket in ESM for the CA SYSVIEW for DB2 instance to which CA Cross-Enterprise APM connects.

  2. Authorize the WILYZOS job to generate PassTicket for the application.

Examples are provided for CA ACF2™, CA Top Secret®, and the IBM resource access control facility (RACF).

Example: Use CA ACF2 to Configure PassTicket.

Note: The example is provided as a guideline. For detailed information about using these commands, see the CA ACF2 for z/OS Administration Guide.

You want to configure PassTicket for the DB2TOOLS application. DB2TOOLS is the application name (appl_name) that this example uses.

Follow these steps:

  1. Associate a session key with DB2TOOLS:

    SET PROFILE(PTKTDATA) DIVISION(SSIGNON)

    INSERT DB2TOOLS SSKEY(session_key) MULT-USE

    F ACF2,REBUILD(PTK),CLASS(P)

    • session_key

      The session (encryption) key that uses 16 hexadecimal digits (creating an 8-byte or 64-bit key). Use a site-specific key value. Keep the value secret.

      Example: 0123456789ABCDEF

    The CA SYSVIEW for DB2 session key is defined. Because MULT-USE is specified, you can reuse the same PassTicket multiple times.

  2. Enable the WILYZOS job to generate PassTicket for the DB2TOOLS application:

    SET RESOURCE(PTK)

    RECKEY IRRPTAUTH ADD(DB2TOOLS.- UID(wilyzos_uid) SERVICE(UPDATE,READ) ALLOW)

    • wilyzos_uid

      The CA ACF2 UID for the WILYZOS job. This UID must be able to generate PassTicket for any user.

  3. Permit access to the DB2TOOLS application for each user that is permitted to access the CA SYSVIEW for DB2 data:

    Note: Complete this step only if you have already defined the DB2TOOLS application resources. If you inserted a GSO CLASMAP record to change the type code for the APPL class to APL, use APL instead of SAF in the commands.

    ACF

    SET RESOURCE(SAF)

    RECKEY DB2TOOLS ADD(UID(wilyzos_uid) SERVICE(READ) ALLOW)

    RECKEY DB2TOOLS ADD(useridn UID(useridn_uid) SERVICE(READ) ALLOW)

    F ACF2,REBUILD(SAF)

    • useridn and useridn_uid

      The user ID and UID of the user that requests access to CA Cross-Enterprise APM.

The WILYZOS job can generate PassTicket for the specified user IDs.

Example: Use CA Top Secret to Configure PassTicket.

Note: This example is provided as a guideline. For detailed information about using these commands, see the CA Top Secret for z/OS Command Functions Guide.

You want to configure PassTicket for the DB2TOOLS application. DB2TOOLS is the application name (appl_name) that this example uses.

Follow these steps:

Note: If the PTKTDATA class and ownership for the PassTicket resource IRRPTAUTH have been defined, skip Step 1 and Step 2.

  1. Update the Resource Descriptor Table (RDT) to define the PTKTDATA class by entering the following command:

    TSS ADDTO(RDT) RESCLASS(PTKTDATA) RESCODE(n) ACLST(ALL,NONE,READ,UPDATE) MAXLEN(37) MAXOWN(9)

  2. Assign the ownership of the IRRPTAUTH PassTicket resource:

    TSS ADDTO(department) PTKTDATA(IRRPTAUTH)

    • department

      A preexisting department.

  3. Set up the host system to accept PassTicket:

    1. Define the application resource, and assign the ownership:

      TSS ADDTO(department) APPLICATION(DB2TOOLS)

      The application is defined to this department. This ownership lets a department administrator (or higher) define permissions for generating and validating PassTicket.

    2. Update the Node Descriptor Table (NDT) to associate a session key with DB2TOOLS:

      TSS ADDTO(NDT) PSTKAPPL(DB2TOOLS) SESSKEY(session_key) SIGNMULTI

      • session_key

        A session (encryption) key that uses 16 hexadecimal digits (creating an 8-byte or 64-bit key). Use a site-specific key value. Keep the value secret.

        Example: 0123456789ABCDEF

      The CA SYSVIEW for DB2 session key is defined. Because SIGNMULTI is specified, you can reuse the same PassTicket multiple times.

  4. Complete the following steps for the user ID of the WILYZOS job:

    1. Enable the job to generate PassTicket for the DB2TOOLS application:

      TSS PERMIT(wilyzos_user_id) PTKTDATA(IRRPTAUTH.DB2TOOLS.) ACCESS(READ,UPDATE)

      This step gives CA Cross-Enterprise APM permission to use the session key value to generate PassTicket.

    2. Permit access to the application:

      TSS PERMIT(wilyzos_user_id) APPLICATION(DB2TOOLS)

  5. Permit access to the application for each user that is permitted to access the CA SYSVIEW for DB2 data:

    TSS PERMIT(useridn) APPLICATION(DB2TOOLS)

    • useridn

      The user ID of the user that requests access to CA Cross-Enterprise APM.

    This step gives specific users access to DB2 performance data, including the ability to validate PassTickets that are generated using the session key value.

The WILYZOS job can generate PassTicket for the specified user IDs.

Example: Use IBM RACF to Configure PassTicket.

Note: This example is provided as a guideline. For detailed information about using these commands, see the IBM RACF product documentation.

You want to configure PassTicket for the DB2TOOLS application. DB2TOOLS is the application name (appl_name) that is used in this example.

Follow these steps:

  1. Define the DB2TOOLS application by entering the following commands:

    RDEFINE APPL DB2TOOLS UACC(NONE)

    SETROPTS CLASSACT(APPL)

    SETROPTS GENERIC(PTKTDATA)

  2. Activate the PassTicket class if it is not currently active:

    SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)

  3. Define a profile that associates a session key with DB2TOOLS:

    RDEFINE PTKTDATA DB2TOOLS SSIGNON(KEYMASKED(session_key)) APPLDATA('NO REPLAY PROTECTION')

    • session_key

      A session (encryption) key that uses 16 hexadecimal digits (creating an 8-byte or 64-bit key). Use a site-specific key value. Keep the value secret.

      Example: 0123456789ABCDEF

    The profile and CA SYSVIEW for DB2 session key are defined. Because APPLDATA('NO REPLAY PROTECTION') is specified, the same PassTicket can be reused multiple times.

  4. Enable the WILYZOS job to generate PassTicket for the DB2TOOLS application:

    RDEFINE PTKTDATA IRRPTAUTH.DB2TOOLS.* UACC(NONE)

    PERMIT IRRPTAUTH.DB2TOOLS.* ID(wilyzos_user_id) CLASS(PTKTDATA) ACCESS(UPDATE)

  5. Permit access to the DB2TOOLS application for each user that is permitted to access the CA SYSVIEW for DB2 data:

    PERMIT DB2TOOLS CLASS(APPL) ID(wilyzos_user_id) ACCESS(READ)

    PERMIT DB2TOOLS CLASS(APPL) ID(useridn)

    • useridn

      The user ID of the user that requests access to CA Cross-Enterprise APM.

  6. Refresh the APPL and PTKTDATA classes with the following commands:

    SETROPTS RACLIST(APPL) REFRESH

    SETROPTS RACLIST(PTKTDATA) REFRESH

The WILYZOS job can generate PassTicket for the specified user IDs.

Enable PassTicket Support in Xnet

As a CA SYSVIEW for DB2 administrator, you receive a request to enable the PassTicket support in Xnet. You have the application name (appl_name) that is used for the PassTicket definition, for example, DB2TOOLS.

To enable the PassTicket support in Xnet, ensure that the following parameter is specified in the CDBAPARM(PXNPARM) data set member:

PASSNAME(appl_name)

Enable PassTicket Support in CA Cross-Enterprise APM

When the following configuration is done, enable the PassTicket support in CA Cross-Enterprise APM:

  • PassTicket is configured in ESM.

  • PassTicket support is enabled in Xnet.

Follow these steps:

  1. Configure the following parameters in the JCL(STDENV) data set member:

    IRRRACFPATH=

    LIBPATH=

    Note: For information about these parameters, see the comments in the member.

  2. Configure the following properties in the Cross-Enterprise_APM_Dynamic.properties file:

    Insight.passticket.support=yes

    Insight.passticket.appl=appl_name

    Insight.username=wilyzos_user_id

CA Cross-Enterprise APM can access CA SYSVIEW for DB2 using PassTicket. The CA SYSVIEW for DB2 data can be accessed for monitoring through CA Introscope.
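
The following preflight check is an added example, not part of the CA product or its documentation. It verifies that a candidate session key has 16 hexadecimal digits and is not the sample value shown above, and that the appl_name in PASSNAME(appl_name) matches Insight.passticket.appl. Assumptions: the function names, the sample inputs, and the user ID WILYUSR are constructed; the PXNPARM member is searched as plain text and the properties file is read as key=value lines with # comments.

```python
import re
import secrets

DOC_SAMPLE_KEY = "0123456789ABCDEF"  # sample value printed in this document
# Constructed sample inputs (not real site data); WILYUSR is a made-up user ID.
SAMPLE_PXNPARM = "PASSNAME(DB2TOOLS)\n"
SAMPLE_PROPERTIES = """\
Insight.passticket.support=yes
Insight.passticket.appl=DB2TOOL
Insight.username=WILYUSR
"""

def new_session_key():
    """Return 16 random hexadecimal digits (64 bits) from the OS CSPRNG."""
    return secrets.token_hex(8).upper()

def check_session_key(key):
    """Return a list of problems with a candidate session key."""
    if not re.fullmatch(r"[0-9A-Fa-f]{16}", key):
        return ["session key must be exactly 16 hexadecimal digits"]
    if key.upper() == DOC_SAMPLE_KEY:
        return ["session key is the documentation sample value"]
    return []

def parse_properties(text):
    # key=value lines only; lines starting with # are treated as comments.
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def check_config(pxnparm, properties):
    """Cross-check the Xnet PASSNAME against the APM properties."""
    problems = []
    match = re.search(r"PASSNAME\(\s*([^)\s]*)\s*\)", pxnparm)
    props = parse_properties(properties)
    appl = props.get("Insight.passticket.appl", "")
    if match is None:
        problems.append("PASSNAME(appl_name) not found in PXNPARM")
    if props.get("Insight.passticket.support") != "yes":
        problems.append("Insight.passticket.support is not yes")
    if not 1 <= len(appl) <= 8:
        problems.append("Insight.passticket.appl must be 1-8 characters")
    elif match is not None and match.group(1) != appl:
        problems.append(f"appl_name mismatch: Xnet={match.group(1)} APM={appl}")
    if not props.get("Insight.username"):
        problems.append("Insight.username is not set")
    return problems
```

The constructed sample deliberately carries a truncated application name (DB2TOOL instead of DB2TOOLS), so check_config reports a mismatch between Xnet and CA Cross-Enterprise APM.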
