z/OS Security Server RACF Macros and Interfaces


Using the service to generate a PassTicket

SA23-2288-00

To allow RACF® to authenticate a user with a PassTicket instead of a password, the non-RACF function performing the authentication calls the secured signon service to build a PassTicket.

The secured signon service:
  • Is branch-entered by callers.
  • Is not supported in cross-memory mode. Access register (AR) mode must use address space control (ASC).
  • Is not supported in SRB mode.
  • Requires that the caller be in key zero.

Before calling the secured signon service, the application must locate the address of the service. You can find this address from field RCVTPTGN in the RACF communications vector table (RCVT). The ICHPRCVT macro maps the RCVT and field CVTRAC points to it in the MVS™ communications vector table (CVT).

How the secured signon service works

The service:
  • Uses standard linkage
  • Uses the current system time, expressed in Greenwich Mean Time (GMT) [1], as input for the algorithm
  • Returns the PassTicket in general purpose register 0 (the leftmost four characters) and general purpose register 1 (the rightmost four characters)
  • Provides return codes
    • If a PassTicket is produced, register 15 contains a return code of 0
    • If a PassTicket is not produced, register 15 contains a return code of 8
Note:
  1. Register 13 must point to a standard save area.
  2. No additional recovery processing is provided by the secured signon service beyond what is already in effect within the invoking program.

Invoking the secured signon service

Following is an example of a generalized programming technique you can use with assembler language to invoke a service. It is not intended to be syntactically correct.
      L     15,RCVTPTGN
      CALL  (15),(userid,appname)
where:
userid
    Is the RACF user ID of the user the PassTicket authenticates. This field is a maximum of 9 bytes. The first byte contains the length of the non-blank portion of the userid field that follows. Bytes 2 through 9 contain the user ID and must be in uppercase and left-justified in the field.
appname
    Is the application name that the secured signon function uses to locate the secured signon key used in the PassTicket generator algorithm. (See z/OS Security Server RACF Security Administrator's Guide for information about determining application names.) This field is a maximum of 9 bytes. The first byte is the length of the non-blank portion of the appname field that follows. Bytes 2 through 9 contain the application name and must be in uppercase and left-justified in the field.

When the secured signon service is invoked, only the appname (not the userid or group) is used to locate the secured signon key.
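The following Python is an added example, not IBM code and not part of this manual: it builds the two 9-byte userid and appname fields in the layout described above and decodes the register 0/register 1 result into the 8-character PassTicket. It assumes EBCDIC code page 037 for the text and blank (X'40') padding of the left-justified 8-byte name area; the service itself can only be called from key-zero code on z/OS, so nothing here calls it.

```python
# Constructed example (not IBM code): marshal the two 9-byte parameter
# fields the secured signon service expects and decode its register
# results. EBCDIC code page 037 and blank padding of the 8-byte name
# area are assumptions; the manual only says "uppercase, left-justified".
from typing import Optional

EBCDIC = "cp037"                  # assumed code page for userid/appname text
EBCDIC_BLANK = b"\x40"            # EBCDIC space used for padding
RC_OK, RC_NO_PASSTICKET = 0, 8    # R15 values documented for the service


def build_signon_field(name: str) -> bytes:
    """Byte 1: length of the non-blank name; bytes 2-9: the name in
    uppercase EBCDIC, left-justified and blank-padded to 8 bytes."""
    name = name.strip().upper()
    if not 1 <= len(name) <= 8:
        raise ValueError("name must be 1 to 8 characters")
    if " " in name:
        raise ValueError("embedded blanks are not allowed")
    data = name.encode(EBCDIC).ljust(8, EBCDIC_BLANK)
    return bytes([len(name)]) + data


def parse_signon_field(field: bytes) -> str:
    """Reverse of build_signon_field; rejects a length byte that does
    not describe the non-blank content of bytes 2 through 9."""
    if len(field) != 9:
        raise ValueError("field must be exactly 9 bytes")
    n = field[0]
    if not 1 <= n <= 8:
        raise ValueError("length byte out of range")
    text = field[1:].decode(EBCDIC)
    if text.rstrip(" ") != text[:n] or " " in text[:n]:
        raise ValueError("length byte does not match the non-blank name")
    return text[:n]


def passticket_from_registers(r15: int, r0: int, r1: int) -> Optional[str]:
    """R0 holds the leftmost four and R1 the rightmost four characters of
    the 8-character PassTicket; R15 = 8 means none was produced."""
    if r15 == RC_NO_PASSTICKET:
        return None
    if r15 != RC_OK:
        raise ValueError(f"unexpected return code {r15}")
    raw = r0.to_bytes(4, "big") + r1.to_bytes(4, "big")
    return raw.decode(EBCDIC)
```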

[1] GMT is also referred to as coordinated universal time (UTC).

Copyright IBM Corporation 1990, 2014