CA TPX™ Session Management - 5.4

Pass Ticket Feature

Last update March 16, 2018

A Pass Ticket is a one-time password substitute. Pass Tickets are generated automatically by an authentication server, such as IBM Network Security Program or CA Single Sign-on Option, on behalf of a client workstation requesting access to a mainframe application such as CA TPX. After a user signs on, Pass Tickets can be generated for applications that are accessed subsequently through the product. You must complete administrative maintenance before Pass Tickets can be used.

The Pass Ticket eliminates the need to type your password on the CA TPX logon screen and eliminates the transmittal of the password in clear text across networks. The feature also provides application security, because a Pass Ticket is a one-time only password.

Pass Tickets are supported by CA ACF2, CA Top Secret, and IBM RACF.

Qualified and Nonqualified Pass Tickets

Qualified and nonqualified Pass Tickets are supported. A nonqualified Pass Ticket is associated with a specific application and can be used for any user during the period it is valid. A qualified Pass Ticket is associated with an application and is further qualified by association with a user ID, group ID, or both, and is valid only for use by the defined combination for the period it is valid, thereby providing better security.

Nonqualified Pass Tickets

The requirements for the use of nonqualified Pass Tickets are as follows:

  • The application must use external security through RACF, CA ACF2, CA Top Secret or SAF, or must itself support Pass Ticket verification.
  • If you use an external security manager, the application must supply the security system with required information to permit Pass Ticket verification.
  • The application must be defined in CA TPX with session data that contains &PSWD or a startup ACL that keys in &PSWD to ensure secured sign on using Pass Ticket.

The parameters to turn on the Generate Pass Ticket feature can be set on any product image that has access to the administration files.

Qualified Pass Tickets

Generation of qualified Pass Tickets by CA TPX requires CA ACF2 or CA Top Secret as the underlying security system on the operating system image on which CA TPX is active. The parameters to turn on the Generate Qualified Pass Ticket feature can be set on any product image that has access to the administration files.

To use qualified Pass Tickets, you must set up the appropriate Pass Ticket profile in CA ACF2 or CA Top Secret. Refer to the documentation for those products.

If the target application is running on a remote system from CA TPX, the Pass Ticket profile must be identical on all the remote systems where the application resides (regardless of the security system that is used on each of those systems) and on the CA TPX system, which must be using CA ACF2 or CA Top Secret.

When the target application resides on a system that is secured by a third-party solution (for example, IBM RACF), consult the documentation for the solution for the required settings.

How Pass Ticket Works

The following stages provide a general outline of the Pass Ticket feature:

  1. The administrator implements Pass Ticket functionality.
  2. The Pass Ticket is generated by an authentication server on behalf of a client workstation requesting access to CA TPX.
  3. The Pass Ticket is automatically forwarded to CA TPX, usually through logon data.
  4. CA TPX manages the Pass Ticket (or one-time only password) by forwarding it as the current password to the external security system.
  5. The security system authorizes the user for CA TPX using the Pass Ticket.
    Note: If a user is passed to a second region through the Affinity feature, Affinity Pass generates another Pass Ticket and forwards it to the Affinity application ID.
  6. A Pass Ticket can be generated for each application accessed through CA TPX, including ACCESS=PASS applications.
Note: The Pass Ticket feature can also authorize a user for CA TPX with the user's actual passcode (password, password phrase, or Multi-Factor Authentication/Advance Authentication Mainframe code).

Use Pass Ticket with CA TPX Functions

In addition to using a Pass Ticket to sign on, you can use this feature to sign on to the following functions:

  • Managed application sessions
  • Access=PASS sessions
  • Reconnect after PASS session ends
  • CA TPX affinity PASS
  • &PSWD for ACL and session data
Note: When using the Pass Ticket feature, users can still sign on to the product or start application sessions with their actual passcode (password, password phrase, or Multi-Factor Authentication/Advance Authentication Mainframe code).

Operational Differences for Pass Ticket Users

If a user is defined under administration as a Pass Ticket user, the following limitations apply:

  • There are no time-outs to LOCKSCREEN or the logo (signon) screen (the benefit of Pass Ticket is voided if a user must type a password on the logo screen or the LOCKSCREEN).
  • The following signoffs return the user to VTAM or NETWORK solicitor:
    • SIGNOFF (any)
    • /F
    • ACL SIGNOFF
    • A generated signoff
  • If a user wants to use the /L command, a LOCKWORD must be supplied by the user wanting to be reconnected to CA TPX.
  • Stage-one time-outs to the lock screen, and all time-outs that would typically generate a SIGNOFF, instead time out to VTAM (meaning a /K is generated).

Pass Ticket Reconnections

A reconnect after a pass session generates a Pass Ticket.

&PSWD Variable Becomes Unusable After Pass Ticket Signon

After a user signs on using a Pass Ticket, the &PSWD variable becomes unusable. The product cannot distinguish a Pass Ticket from a password, and stores the Pass Ticket as if it were a password. But, because the Pass Ticket is good for one signon only, it thereafter becomes invalid, and must be replaced with a new Pass Ticket for each subsequent session initiation. Any attempt to use the &PSWD variable as-is results in password rejection.

To start an application session when the &PSWD variable becomes unusable, one of the following two things must happen:

  1. The correct password for the user must be sent to the application.
    or
  2. The product must generate a new Pass Ticket before session initiation.

Send the User's Real Password to an Application

The user's real passcode can be sent to the application in the following ways:

  1. Type the password into the CA TPX signon screen manually.
  2. Hard code it as a parameter in user or profile maintenance, and use an ACL to send it to the application.
  3. Hard code it as session data through user or profile maintenance.
Note: For option 2, refer to the online administration panels: Userid Maintenance Detail Panel (Txx0124), and Profile Table Detail Panel (Txx0114), respectively. For option 3, refer to the online administration panels: Userid Maintenance Detail Panel (Txx0126), and Profile Table Detail Panel (Txx0146).

Overview of Pass Ticket Maintenance

The following list outlines the administrative steps that are required to generate Pass Tickets: the types of maintenance that you can perform, and the documentation to review for general information about each maintenance procedure:

  1. Profile: see Performing Profile Maintenance.
  2. User: see Performing User Maintenance.
  3. Self-Maintenance Class Tables: see Maintaining Command and Self-Maintenance Tables.
  4. System Options: see Specifying System Options.
  5. Application Characteristics: see Specifying Application Characteristics.
  6. Self Maintenance: see Performing User Self-Maintenance.

Screens and Fields for Pass Ticket Maintenance

The following list gives, for each type of maintenance, the panels and the fields that are required to generate Pass Tickets. Where more than one panel exists, the panel number that you must access is also given.

When you specify values for these fields, not every listed field is necessarily required, because CA TPX uses the value that is specified at the highest level in the following hierarchy: (1) user level, (2) profile level, (3) application level.

  1. Profile
    • Screens: Profile Table Detail Panel for User Options, Second Panel; Profile Table Detail Panel for Session Options, Third Panel
    • Fields: Pass Ticket User; Qualified PTick User; Generate Pass Ticket; Gen Qualified Pass Ticket
  2. User
    • Screens: Userid Maintenance Detail Panel for User Options, Second Panel; Userid Maintenance Detail Panel for Session Options, Third Panel
    • Fields: Pass Ticket User; Qualified PTick User; Generate Pass Ticket; Gen Qualified Pass Ticket
  3. Self-Maintenance Class Tables
    • Screens: Update Class Detail Panel for User Options, First Panel; Update Class Detail Panel for Application Options, Third Panel
    • Fields: Pass Ticket User; Qualified PTick User; Generate Pass Ticket; Gen Qualified Pass Ticket
  4. System Options
    • Screen: System Options Table Detail Panel
    • Fields: Session Manager Resource Table (SMRT) Option 030; Session Manager Resource Table (SMRT) Option 031
  5. Application Characteristics
    • Screen: Application Characteristics Detail Panel, Second Panel
    • Fields: Pass Ticket prof name; Generate Pass Ticket; Gen Qualified Pass Ticket
  6. Self Maintenance
    • Screens: Userid Maintenance Detail Panel for User Options, Second Panel; Userid Maintenance Detail Panel for Session Options, Third Panel
    • Fields: Pass Ticket User; Qualified PTick User; Generate Pass Ticket; Gen Qualified Pass Ticket

Field Definitions

This section defines each field available for maintenance.

Pass Ticket User and Qualified PTick User Fields

The following values are valid for both the Pass Ticket User and Qualified PTick User fields wherever they appear, except on the Self-Maintenance Class Tables. Valid values are Y (Yes), N (No), or null:

  • Y
    Specify Y if users of this profile are expected to sign on through Pass Ticket. It is the user's responsibility to fully implement this functionality, because there is no way to determine if the user signs on with a Pass Ticket or an actual passcode (password, password phrase, or Multi-Factor Authentication/Advance Authentication Mainframe code).
  • N or null
    Specify N or null, if you do not expect users of this profile to sign on using Pass Tickets.
Note: Pass Ticket generation for application sessions is handled separately and is independent of a user's method of signing on to CA TPX.

Generate Pass Ticket and Gen Qualified Pass Ticket Fields

The following values are valid for both the Generate Pass Ticket and Gen Qualified Pass Ticket fields wherever they appear, except on the Self-Maintenance Class Tables. Valid values are Y (Yes), N (No), or null:

  • Y
    Specify Y to generate a Pass Ticket when a session with this application is started. The &PSWD variable for this application is set to the value of the generated Pass Ticket at the start of the application session.
  • N
    Specify N if you do not want a Pass Ticket generated for this application.
  • Null
    Indicates use of the specification from the ACT for this application.

Note: This value overrides the value for the same field specified in the Application Characteristics Table (ACT).

Any combination of valid values for both Generate Pass Ticket and Gen Qualified Pass Ticket is permitted. CA TPX attempts to use the most secure form of Pass Ticket available, based on the settings in CA TPX and the Pass Ticket Profile, if any, as defined in the external security system.

If CA TPX determines that a qualified Pass Ticket is requested but not available, and a nonqualified Pass Ticket is not permitted (Generate Pass Ticket set to N or null), the requested session is not started and the user is notified.
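The hierarchy rule above (user level, then profile level, then the ACT) and the fallback rule for qualified versus nonqualified tickets can be modelled as a small decision procedure. The following Python is an added illustration, not CA TPX code; the `qualified_available` flag is an assumption standing for "the underlying security system is CA ACF2 or CA Top Secret and a Pass Ticket profile exists for the application".

```python
"""Model of the Generate Pass Ticket / Gen Qualified Pass Ticket decision.

Added example (not CA TPX code). Settings are "Y", "N" or None (null).
"""
from dataclasses import dataclass
from typing import Optional

Setting = Optional[str]


@dataclass
class PassTicketSettings:
    generate: Setting            # Generate Pass Ticket field
    generate_qualified: Setting  # Gen Qualified Pass Ticket field


def resolve(user: PassTicketSettings, profile: PassTicketSettings,
            act: PassTicketSettings) -> PassTicketSettings:
    """First non-null value wins, in the order user > profile > application (ACT).

    A null at the user or profile level means "use the ACT specification".
    """
    def pick(*values: Setting) -> Setting:
        for value in values:
            if value is not None:
                return value
        return None

    return PassTicketSettings(
        generate=pick(user.generate, profile.generate, act.generate),
        generate_qualified=pick(user.generate_qualified,
                                profile.generate_qualified,
                                act.generate_qualified),
    )


def select_ticket(effective: PassTicketSettings, qualified_available: bool) -> str:
    """Return which ticket CA TPX would generate for the session start.

    'qualified'    - most secure form, only when the security system provides it
    'nonqualified' - fallback, permitted only when Generate Pass Ticket is Y
    'rejected'     - qualified requested but unavailable and no fallback allowed:
                     the session is not started and the user is notified
    'no_ticket'    - neither field is Y; the stored &PSWD value is sent as-is
    """
    if effective.generate_qualified == "Y":
        if qualified_available:
            return "qualified"
        return "nonqualified" if effective.generate == "Y" else "rejected"
    if effective.generate == "Y":
        return "nonqualified"
    return "no_ticket"
```

Note that a user-level "N" for Generate Pass Ticket with a profile-level "Y" for Gen Qualified Pass Ticket yields `rejected` on a RACF-only system, which is the case the paragraph above describes.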

Self-Maintenance Class Tables

The following fields apply to Update Class Detail Panel for User Options, First Panel. Valid values are Y (Yes), N (No), or null. The default is N:

1. Pass Ticket User

2. Qualified PTick User

  • Y
    Specify Y if the user is permitted to update the Pass Ticket fields on user maintenance screens for user options.
  • N
    Specify N if you do not want the user to have this capability.

The following fields apply to Update Class Detail Panel for Application Options, Third Panel. Valid values are Y (Yes) or N (No). The default is N:

3. Generate Pass Ticket

4. Generate Qualified Pass Ticket

  • Y
    Specify Y to allow the user to update the generate Pass Ticket fields on the user maintenance screen for session options.
  • N
    Specify N if you do not want the user to have this capability.

System Options Maintenance

The following fields apply to the System Options Table Detail Panel - Optional Parameters. Valid values are Y (Yes) or N (No). The default value is N:

1. Session Manager Resource Table (SMRT) Option 030

  • Y
    Specify Y to allow users defined as Pass Ticket users to return to the logo screen when the signoff command (/F) is entered or generated. Pass Ticket users do not typically see the logo screen when a /F command is entered or generated.

    Note: If a user returns to the logo screen and then subsequently signs on with an actual passcode (password, password phrase, or Multi-Factor Authentication/Advance Authentication Mainframe code), the user does not have a secured signon through Pass Ticket.

2. Session Manager Resource Table (SMRT) Option 031

  • Y
    Causes the words "Pass Ticket" to be placed on the CA TPX menu in the place where "check messages" appears (the W3 variable). The "check messages" indication temporarily overrides the "Pass Ticket" indication. In addition, if a user is not defined as a Pass Ticket user, but individual applications on the menu are defined as Pass Ticket applications, then the letters "PTIX" or the words "Pass Ticket" will appear in the "status" column (the UENTWSTS or UENTWSTL variables) on the menu. Other values will temporarily take precedence over these values.

System Reserved Options Maintenance

To access the SMRT Reserved Options, enter the command OPTIONS on the SMRT Optional Parameters panel and scroll down to set the following options:

RsvOpt 041

  • Y
    When you use a Pass Ticket instead of a password phrase to access applications, set RsvOpt 041 to Y to ensure that the user ID is validated through the external security manager (CA Top Secret/CA ACF2/IBM RACF/SAF) before gaining access to TPX. This handles the case where certain user IDs are set to SECURITY=NONE and should not have a Pass Ticket generated for them to access an application.

RsvOpt 042

  • Y (Optional)
    Set RsvOpt 042 to Y if you need Pass Ticket generation messages in the TPX log for audit or other site requirements. Messages TPXL0920, TPXL0921, TPXL0922, TPXL0923 are helpful when you implement and test Pass Tickets.

Application Characteristics Maintenance

Application Characteristics Detail Panel, Second Panel

  • Pass Ticket Prof Name
    For TSO and for VM systems, this is the name by which the application is known to the security system, which is different from the VTAM applid. For TSO, this name should be "TSOsmfid" and for VM, this name should be "VMcpuid". If in doubt, consult your security system administrator.

Configuration

If you want to sign on and access functions with Pass Tickets, your security system administrator must configure your system to use this feature.

Related Publications

For further information about Pass Tickets, see the documentation for CA ACF2, CA Top Secret, and IBM RACF.


  1. GAIL VALLANCE
    2018-02-23 04:57

    Insert this new section after Systems Options Maintenance and before Application Characteristics Maintenance:

    System Reserved Options Maintenance

    Access the SMRT Reserved Options by entering command “OPTIONS” on the SMRT Optional Parameters panel, then scroll down to set these options:

    1. RsvOpt 041: Y

    When using pass ticket instead of password/phrase to access applications, set RsvOpt 41 to Y to ensure the user-id has been validated through the external security manager (Top Secret/ACF2/RACF/SAF) to gain access to TPX. This will handle the case where certain user-ids are set to SECURITY=NONE and should not have a pass ticket generated for them to access an application.

    2. RsvOpt 042: Y (Optional)

    Set RsvOpt 042 to Y if you need pass ticket generation messages in the TPX log for audit or other site requirements (TPXL0922, TPXL0923). These messages are useful during implementation and testing of pass tickets.

    1. GAIL VALLANCE
      2018-02-23 06:26

      Messages to include should be TPXL0920, TPXL0921, TPXL0922, TPXL0923.