Enabling PassTicket creation for Resource Monitoring task users

If the RMF Distributed Data Server (DDS) requires authentication from the z/OSMF system and its users, follow the steps in this procedure to set up the PassTicket support.

About this task

In this procedure, you ensure that the PassTicket is set up properly, and that the z/OSMF started task user ID is authorized to generate the PassTicket. The procedure shows how this setup can be done for a system that uses RACF® as its security management product.

Note: If your installation uses RMF Cross Platform Monitoring (RMF XP), the RACF profile name for the RMF™ XP DDS is GPM4CIM. Use this profile name instead of GPMSERVE when you complete Steps 2 through 4 in the procedure.

Procedure

  1. On the z/OSMF system, activate the security class PTKTDATA, if this class is not already active. If you plan to use generic profiles for the PTKTDATA class, include the GENERIC option on the SETROPTS command, for example:
    SETROPTS CLASSACT(PTKTDATA) 
    SETROPTS RACLIST(PTKTDATA) GENERIC(PTKTDATA) 
  2. Define the profile GPMSERVE for the DDS in the PTKTDATA class and associate a secret secured signon key with the profile. The key must be identical on the system on which the PassTicket is generated (the z/OSMF system) and on the system on which the PassTicket is verified (the DDS system); otherwise every PassTicket that z/OSMF creates is rejected by the DDS. For example:
    RDEFINE PTKTDATA GPMSERVE SSIGNON(KEYMASKED(key))
    SETROPTS RACLIST(PTKTDATA) REFRESH
    where key is a user-supplied value of 16 hexadecimal digits (64 bits) that is used to generate the PassTicket; choose a random value and treat it as a secret, because anyone who knows it can create valid PassTickets for any DDS user. If a common cryptographic architecture (CCA) product is installed on the systems with the secured signon function, you can encrypt the secured signon key by specifying a KEYENCRYPTED value instead. If not, mask the key by using the SSIGNON option with a 64-bit KEYMASKED value, as shown in the preceding example. If you plan to use a KEYENCRYPTED value, note that additional authorizations are required, such as access to security profiles in the CSFSERV class, and additional profiles for PassTicket creation and PassTicket validation. Be sure to review the RACF setup requirements for the CCA product.
  3. To enable PassTicket creation for Resource Monitoring users, define the profile IRRPTAUTH.GPMSERVE.* in the PTKTDATA class, and set the universal access authority to NONE so that no user ID can generate PassTickets unless it is explicitly permitted in Step 4. You can enable PassTicket creation either for all user IDs or for a specific user ID, as shown in the examples that follow. The generic profile requires that GENERIC is active for the PTKTDATA class (see Step 1).
    • Example (for all user IDs):
      RDEFINE PTKTDATA IRRPTAUTH.GPMSERVE.* UACC(NONE)
    • Example (for a specific user ID):
      RDEFINE PTKTDATA IRRPTAUTH.GPMSERVE.specific_dds_login_userid UACC(NONE) 
  4. Grant the z/OSMF started task user ID permission to generate PassTickets for users. UPDATE access to an IRRPTAUTH profile allows a PassTicket to be generated for the user IDs that the profile covers; READ access allows only evaluation of a PassTicket, so UPDATE is required here.
    • Example (for all user IDs):
      PERMIT IRRPTAUTH.GPMSERVE.* CLASS(PTKTDATA) ID(passticket_creator_userid) ACCESS(UPDATE)
    • Example (for a specific user ID):
      PERMIT IRRPTAUTH.GPMSERVE.specific_dds_login_userid CLASS(PTKTDATA) ID(passticket_creator_userid) ACCESS(UPDATE)
      where passticket_creator_userid is the z/OSMF started task user ID. By default, this is IZUSVR.
  5. Activate the changes, for example: SETROPTS RACLIST(PTKTDATA) REFRESH
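The following command sequence is an added example, not part of the z/OSMF documentation: it carries Steps 1 through 5 through for a DDS whose PTKTDATA profile is GPMSERVE, with IZUSVR as the z/OSMF started task user ID, and then lists the resulting definitions so that you can confirm the setup before starting the Resource Monitoring task. The key 0123456789ABCDEF is a placeholder for illustration only; use a random 16-hexadecimal-digit value in practice. The commands are written as they would appear in a CLIST (the /* */ lines are comments). For RMF XP, substitute GPM4CIM for GPMSERVE throughout.

```tso
/* Step 1: activate, RACLIST and allow generic profiles for PTKTDATA        */
SETROPTS CLASSACT(PTKTDATA)
SETROPTS RACLIST(PTKTDATA) GENERIC(PTKTDATA)

/* Step 2: key profile for the DDS. Placeholder key; the same RDEFINE       */
/* with the same key must be issued on the DDS system, where the            */
/* PassTicket is verified.                                                  */
RDEFINE PTKTDATA GPMSERVE SSIGNON(KEYMASKED(0123456789ABCDEF))

/* Step 3: nobody may create PassTickets for GPMSERVE unless permitted      */
RDEFINE PTKTDATA IRRPTAUTH.GPMSERVE.* UACC(NONE)

/* Step 4: only the z/OSMF started task user ID (default IZUSVR) may        */
/* generate PassTickets; UPDATE means generate, READ would mean evaluate    */
PERMIT IRRPTAUTH.GPMSERVE.* CLASS(PTKTDATA) ID(IZUSVR) ACCESS(UPDATE)

/* Step 5: make the changes effective in the RACLISTed class                */
SETROPTS RACLIST(PTKTDATA) REFRESH

/* Verification (not in the procedure): confirm the class state, that the  */
/* key is present and masked (the key value itself is never displayed),    */
/* and that the access list holds only IZUSVR with UPDATE.                  */
SETROPTS LIST
RLIST PTKTDATA GPMSERVE SSIGNON
RLIST PTKTDATA IRRPTAUTH.GPMSERVE.* AUTHUSER
SEARCH CLASS(PTKTDATA)
```

In the RLIST output for IRRPTAUTH.GPMSERVE.*, expect UNIVERSAL ACCESS of NONE and an access list containing IZUSVR with UPDATE; any other user ID with UPDATE there can mint PassTickets for every DDS user and should be removed with PERMIT ... DELETE followed by another REFRESH.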