

Typical Passtoken Configurations

The appropriate passtoken configuration depends on the needs of your installation, its security requirements, and administrator convenience. Here are some example passtoken configurations for typical installations.

No Passtokens

The most secure option is to disable passtokens entirely. That means users will always have to sign on explicitly when entering security domains. Administrators will have to log on to MFDS and ESMAC separately, and user identity will not be automatically transferred over Inter-System Communication (ISC) links between ES regions, for purposes such as CICS Transaction Routing.

In exchange, there is no possibility of passtokens being abused in this configuration.

Disable passtokens in the ESF Manager configuration in each "Security Manager" object in the MFDS repository, using the MFDS administration GUI. See Passtoken Options for ESF Manager.

Passtokens for MFDS and ESMAC

Many administrators will find it convenient to enable passtokens for the MFDS and ESMAC administrative interfaces, especially since the two facilities link to each other, which makes switching between them easy. ESMAC runs as part of CAS within an Enterprise Server region, whereas MFDS is separate from any Enterprise Server region, so despite those links they are in different security domains; without passtokens, the administrator has to log in to each of them separately. With passtokens, an administrator can connect to either MFDS or ESMAC, log in once, and then move between the two without losing access or being prompted to log in again.

MFDS and ESMAC always use normal passtokens, so this feature can be enabled without enabling the more powerful (and riskier) surrogate tokens.

To enable passtokens for MFDS and ESMAC, do not disable passtoken support in your ESF Manager configuration (the "Custom Configuration" section of the "Security Manager") for MFDS or any ES region where you want this facility. Passtoken support is enabled in ESF Manager by default.

To use passtokens with MFDS and ESMAC, MFDS and the ES region you are administering must use the same security configuration. For example, you can set them both to use the Default ES Security configuration.

You might have to perform ESM-specific actions to enable normal passtoken generation and signon for your administrative users. With the MLDAP ESM Module, for each administrative user who should be able to switch between ESMAC and MFDS transparently, set the following attributes in the LDAP repository:

  • microfocus-MFDS-User-CreateToken to self
  • microfocus-MFDS-User-UseToken to self
Note: You do not need to do this for system users (such as SYSAD) unless you use them as administrator IDs. You only need to do it for user accounts with which your administrators actually sign into MFDS or ESMAC.

In its default configuration, MFDS does not require you to sign in. If you are not signed in, no passtoken will be generated when you switch to ESMAC. To use passtokens between MFDS and ESMAC, make sure you configure MFDS to require an administrative signon.

Passtokens for ISC

Customers who use the MTO Inter-System Communication (ISC) facility for CICS features such as Transaction Routing and Function Shipping between two Enterprise Server regions may want to enable passtokens for that purpose. That lets the two CICS regions apply the same security context to all the operations performed by an application, even when they cross security domains.

Note that passtokens are not supported for ISC conversations with non-Enterprise Server regions, such as MFE or mainframe CICS.

ISC passtokens are surrogate passtokens generated automatically by the system as necessary. They are always generated by the region's system user, which is the user account used to start the region.

To enable ISC passtokens, do not disable passtoken support in your ESF Manager configuration (the "Custom Configuration" section of the "Security Manager") for MFDS or any Enterprise Server region where you want this facility. Passtoken support is enabled in ESF Manager by default.

Also, you may have to perform ESM-specific actions to enable:

  • Surrogate passtoken generation by any user account used to start a region that will be making ISC requests to another Enterprise Server region
  • Surrogate passtoken signon for any user account that runs a transaction which causes an ISC request (for example, by starting a transaction in another region)

For the MLDAP ESM Module, that entails:

  • For all user accounts used to start the region, set the LDAP user attribute microfocus-MFDS-User-CreateToken to any
  • For all user accounts that will run CICS transactions that may cause an ISC request, set the LDAP user attribute microfocus-MFDS-User-UseToken to any

If the regions use different LDAP repositories, note that the system user account (the one generating the token) belongs to the region that initiates the request, so its microfocus-MFDS-User-CreateToken attribute is set in that region's repository, while the regular user account (the one signed on using the token) belongs to the region that processes the request, so its microfocus-MFDS-User-UseToken attribute is set in that region's repository.
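The two MLDAP attribute recipes on this page (CreateToken and UseToken set to self for MFDS/ESMAC administrators; CreateToken set to any for region system users and UseToken set to any for ISC transaction users) as a worked example. This script is added here and is not Micro Focus code: it renders the LDIF modify records for each kind of account, and then audits an LDIF export of the user subtree for entries that hold an "any" grant without being on the allow-list of region starters or ISC users, which is the check an administrator wants before enabling surrogate passtokens. The attribute names and the values self and any are those given above; the base DN, the user DNs, the allow-lists and the sample export are assumptions constructed for illustration.

```python
"""MLDAP ESM passtoken attribute helpers. Added example, not Micro Focus code.
Attribute names and the values "self"/"any" come from the text; the base DN,
user DNs, allow-lists and the sample export are constructed for illustration."""
from typing import Dict, List, Set, Tuple

CREATE_ATTR = "microfocus-MFDS-User-CreateToken"
USE_ATTR = "microfocus-MFDS-User-UseToken"


def ldif_modify(dn: str, changes: Dict[str, str]) -> str:
    """Render one LDIF 'changetype: modify' record replacing each attribute
    with a single value (suitable input for ldapmodify)."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, value in changes.items():
        lines += [f"replace: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"


def admin_user_ldif(dn: str) -> str:
    """MFDS/ESMAC administrator: normal passtokens only, never surrogate."""
    return ldif_modify(dn, {CREATE_ATTR: "self", USE_ATTR: "self"})


def region_system_user_ldif(dn: str) -> str:
    """Account that starts a region issuing ISC requests: may mint surrogate tokens."""
    return ldif_modify(dn, {CREATE_ATTR: "any"})


def isc_transaction_user_ldif(dn: str) -> str:
    """Account whose transactions cross an ISC link: may be signed on by surrogate token."""
    return ldif_modify(dn, {USE_ATTR: "any"})


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader for an attribute audit: blank-line separated records,
    folded lines (leading space) joined, attribute names lower-cased.
    Comments and base64 ('::') values are skipped."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:          # trailing "" flushes the last record
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or value.startswith(":"):
            continue
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return records


def audit_surrogate_grants(ldif_text: str, region_system_users: Set[str],
                           isc_transaction_users: Set[str]) -> List[Tuple[str, str]]:
    """Return (dn, attribute) for every entry with an 'any' grant that is not on
    the matching allow-list. CreateToken=any lets an account mint surrogate
    passtokens for other users; UseToken=any lets an account be signed on with
    one. Neither belongs on accounts the ISC setup does not need."""
    rules = [(CREATE_ATTR, {d.lower() for d in region_system_users}),
             (USE_ATTR, {d.lower() for d in isc_transaction_users})]
    findings: List[Tuple[str, str]] = []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [""])[0]
        for attr, allowed in rules:
            values = {v.lower() for v in entry.get(attr.lower(), [])}
            if "any" in values and dn.lower() not in allowed:
                findings.append((dn, attr))
    return findings


# Constructed sample export under an assumed base DN; not real data.
SAMPLE_EXPORT = """\
dn: cn=esadmin,ou=users,dc=example,dc=com
cn: esadmin
microfocus-MFDS-User-CreateToken: self
microfocus-MFDS-User-UseToken: self

dn: cn=esregion1,ou=users,dc=example,dc=com
cn: esregion1
description: service account that starts
  the region ESREGION1
microfocus-MFDS-User-CreateToken: any

dn: cn=clerk42,ou=users,dc=example,dc=com
cn: clerk42
microfocus-MFDS-User-UseToken: any

dn: cn=contractor,ou=users,dc=example,dc=com
cn: contractor
microfocus-MFDS-User-CreateToken: ANY
microfocus-MFDS-User-UseToken: any
"""
REGION_SYSTEM_USERS = {"cn=esregion1,ou=users,dc=example,dc=com"}
ISC_TRANSACTION_USERS = {"cn=clerk42,ou=users,dc=example,dc=com"}

if __name__ == "__main__":
    print(admin_user_ldif("cn=esadmin,ou=users,dc=example,dc=com"))
    for dn, attr in audit_surrogate_grants(SAMPLE_EXPORT, REGION_SYSTEM_USERS, ISC_TRANSACTION_USERS):
        print(f"unexpected surrogate grant: {dn} {attr}=any")
```

Run the audit against an LDIF export of the user subtree (for example one produced by ldapsearch) rather than against the intended state: in the sample, the contractor account carries both "any" grants without being a region starter or an ISC transaction user, so it could mint surrogate passtokens for any user and be signed on by one, and the audit reports both. Attribute values are compared case-insensitively because the directory does not require a particular case.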
