Define a PassTicket Profile for Each Application

A RACF PTKTDATA (PassTicket data class profile) must be created for each application ID that will support PassTickets. This profile enables the DCAS server to obtain a PassTicket for the application and user ID, and to pass it back to the client that requested the PassTicket from DCAS. This profile name must match the RACF PTKTDATA application name that is configured on the host. This name could be the same as the application name that the user is logging onto (for example, the name on USSMSG10).

When creating PTKTDATA profiles for applications such as TSO, the application name portion of the profile will most likely not be the same. For example, RACF requires that the application ID portion of the profile name be TSO+SID. Refer to z/OS Security Server RACF Security Administrator's Guide (in References) to determine the correct profile naming.

You must create these profiles on each separate RACF system (the system where the users will be logging on to) that contains target applications for Automated Sign-on for Mainframe. The PTKTDATA class profile defined in the "target" RACF system must match the PTKTDATA class profile in the system where the PassTicket is created, which is the system where the DCAS server executes. These PTKTDATA class profiles need to have corresponding profile names and identical secret keys (defined using the KEYMASKED parameter).

Here is an example of a PassTicket data class profile for the application TSORUS (the KEYMASKED value is a hexadecimal string of your choice):

The APPLID name must be correct. For example, for TSO, the profile is TSO+SID. The SID is the SMF system id that is defined in the SMFPRMxx member in SYS1.PARMLIB. For more information on defining PassTicket profiles, refer to the z/OS Security Server RACF Security Administrator's Guide (see References).