To validate a password or PassTicket, RACF®:
- Determines whether the value in the password field is the RACF password for the user ID.
  - If it is the RACF password, the validation is complete.
  - If it is not the RACF password, processing continues.
- Determines whether a secured signon application profile has been defined for the application in the PTKTDATA class.
  - If a profile has not been defined, RACF sends a message to the user ID indicating that the password is not valid.
  - If the application is defined to the PTKTDATA class, processing continues.
- Evaluates the value entered in the password field. The evaluation determines whether:
  - The value is a PassTicket consistent with this user ID, application, and time range.
  - When PassTicket replay protection is in effect (replay protection is not being bypassed), RACF checks to be sure the PassTicket has not been used previously on this computer system for this user ID, application, and time range.

  Note: A PassTicket is considered to be within the valid time range when the time of generation (with respect to the clock on the generating computer) is within plus or minus 10 minutes of the time of evaluation (with respect to the clock on the evaluating computer).

  If the value is determined to be a valid PassTicket, the user is allowed access to the desired application. If the value is not a valid PassTicket, RACF sends a message indicating that the user entered a password that is not valid.
- Gives the user ID access to the desired application if the PassTicket is valid.

Note:
- For RACF to properly evaluate PassTickets, the TOD clock must be properly set to Greenwich Mean Time (GMT) rather than local time. (GMT is also referred to as coordinated universal time (UTC).)
- If the RACF secured signon application key is encrypted, the cryptographic product must be active when RACF tries to authenticate the PassTicket. If it is not active, RACF cannot validate the PassTicket. The resulting message indicates that the logon attempt failed.
- If the evaluation fails, the host application sends the user a message stating that the value in the password field is not valid.
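
The following Python model of the validation order described above is an added example, not IBM code: it shows why a replayed ticket and a ticket from a generator whose clock is on local time are both rejected. `make_ticket` is a stand-in HMAC construction, not the RACF PassTicket algorithm; the user ID, application names, key, treating the 10-minute limit as inclusive, and the verdict strings are assumptions made for the model.

```python
import hashlib
import hmac

WINDOW = 600  # seconds: plus or minus 10 minutes, per the note above

def make_ticket(key, user, app, t):
    # Stand-in generator (HMAC-SHA256), NOT the RACF PassTicket algorithm.
    msg = f"{user}|{app}|{int(t)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Validator:
    def __init__(self, passwords, ptktdata, replay_protection=True):
        self.passwords = passwords  # user ID -> password (model only)
        self.ptktdata = ptktdata    # application -> secured signon key
        self.replay_protection = replay_protection
        self.used = set()           # (user, app, generation time) already accepted

    def validate(self, user, app, value, now):
        """Return the model's internal verdict; the user only sees 'not valid'."""
        pw = self.passwords.get(user)
        if pw is not None and hmac.compare_digest(pw.encode(), value.encode()):
            return "password"                        # step 1: it is the password
        key = self.ptktdata.get(app)
        if key is None:
            return "invalid: no PTKTDATA profile"    # step 2: application not defined
        # Step 3: accept only a ticket generated within the window around the
        # evaluator's clock (both clocks are assumed to be set to UTC).
        for t in range(int(now) - WINDOW, int(now) + WINDOW + 1):
            if hmac.compare_digest(make_ticket(key, user, app, t).encode(), value.encode()):
                if self.replay_protection:
                    if (user, app, t) in self.used:
                        return "invalid: replay"
                    self.used.add((user, app, t))
                return "passticket"                  # step 4: access is granted
        return "invalid: no match in time window"

KEY = b"constructed-demo-key"  # constructed sample key
NOW = 1_700_000_000            # constructed evaluator clock, UTC seconds

def demo():
    v = Validator({"USER1": "constructed-pw"}, {"APPL1": KEY})
    fresh = make_ticket(KEY, "USER1", "APPL1", NOW - 300)
    skewed = make_ticket(KEY, "USER1", "APPL1", NOW + 3600)  # generator clock 1 h off
    return [v.validate("USER1", "APPL1", fresh, NOW),    # first use
            v.validate("USER1", "APPL1", fresh, NOW),    # same ticket again
            v.validate("USER1", "APPL1", skewed, NOW),   # outside the window
            v.validate("USER1", "NOAPPL", fresh, NOW)]   # no profile for application

if __name__ == "__main__":
    print(demo())
```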