Typical Passtoken Configurations

The appropriate passtoken configuration depends on the needs of your installation, its security requirements, and administrator convenience. Here are some example passtoken configurations for typical installations:

No Passtokens

The most secure option is to disable passtokens entirely. That means users always have to sign on explicitly when entering security domains. Administrators have to log on to MFDS and ESMAC separately, and user identity is not automatically transferred over Inter-System Communication (ISC) links between enterprise server regions, for purposes such as CICS Transaction Routing.

There is no danger of passtokens being abused in this configuration.

Disable passtokens in the ESF Manager configuration in each Security Manager object in the MFDS repository, using the MFDS administration Web interface. See Passtoken Options for ESF Manager for more information.

Passtokens for MFDS and ESMAC

Administrators might find it convenient to enable passtokens for the MFDS and ESMAC administrative interfaces, especially since these two facilities provide links to each other, which makes it easy to switch between them. Because ESMAC runs as part of CAS within an enterprise server region, but MFDS is separate from any enterprise server region, they are in different security domains, despite those links; so without passtokens, the administrator has to log into each separately. With passtokens, an administrator can connect to MFDS or ESMAC, log in once, and then go between the two without losing access or having to log in again.

MFDS and ESMAC always use normal passtokens, so this feature can be enabled without enabling the more powerful and riskier surrogate tokens. See Access to Passtokens for more information.
Note: Micro Focus recommends that you do not use surrogate passtokens. Surrogate passtokens represent a possible security risk: any user who has permissions to create surrogate passtokens can impersonate any other user who is allowed to sign on using a surrogate passtoken.
To enable passtokens for MFDS and ESMAC, do not disable passtoken support in your ESF Manager configuration for the enterprise server region where you want passtoken support. The configuration is located in the Configuration Information field of the region's security tab.
Note: By default, passtoken support is enabled in the ESF Manager.

To use passtokens with MFDS and ESMAC, MFDS and the ES region you are administering must use the same security configuration. For example, you can set them both to use the Default ES Security configuration.

You might have to perform ESM-specific actions to enable normal passtoken generation and signon for your administrative users. With the MLDAP ESM Module, for each administrative user who should be able to switch between ESMAC and MFDS transparently, set the following attributes in the LDAP repository:

  • microfocus-MFDS-User-CreateToken to "self"
  • microfocus-MFDS-User-UseToken to "self"
Note: You do not need to do this for system users (such as SYSAD) unless you use them as administrator IDs. You only need to do it for user accounts with which your administrators actually sign into MFDS or ESMAC.

In its default configuration, MFDS does not require you to sign in. If you are not signed in, a passtoken is not generated when you switch to ESMAC. To use passtokens between MFDS and ESMAC, make sure you configure MFDS to require an administrative signon.

Passtokens for ISC

Customers who use the MTO Inter-System Communication (ISC) facility for CICS features such as Transaction Routing and Function Shipping between two enterprise server regions may want to enable passtokens for that purpose. That lets the two CICS regions apply the same security context to all the operations performed by an application, even when they cross security domains.

Note that passtokens are not supported for ISC conversations with non-enterprise server regions, such as MFE or mainframe CICS.

ISC passtokens are surrogate passtokens generated automatically by the system as necessary. They are always generated by the region's system user, which is the user account used to start the region.

To enable ISC passtokens, do not disable passtoken support in your ESF Manager configuration for MFDS or the enterprise server region where you want ISC passtoken support. The configuration is located in the Configuration Information field of the region's security tab.
Note: By default, passtoken support is enabled in the ESF Manager.

Also, you may have to perform ESM-specific actions to enable:

  • Surrogate passtoken generation by any user account used to start a region that makes ISC requests to another enterprise server region.
  • Surrogate passtoken signon for any user account that runs a transaction that causes an ISC request, for example, by starting a transaction in another region.

For the MLDAP ESM Module, that entails:

  • For all user accounts used to start the region, set the LDAP user attribute microfocus-MFDS-User-CreateToken to "any"
  • For all user accounts that run CICS transactions that might cause an ISC request, set the LDAP user attribute microfocus-MFDS-User-UseToken to "any"

If the regions use different LDAP repositories, note that the system user account (the one generating the token) belongs to the region that initiates the request, and the regular user account (which is signed on using the token) belongs to the region that processes the request.

Passtokens for multi-factor authentication

Customers who want to use multi-factor authentication to log on to the mainframe without providing a username and password need to enable passtokens.

Multi-factor authentication makes use of RACF-style passtokens for logins, also referred to here as short passtokens. These short passtokens are generated by the Digital Certificate Access Server (DCAS). They enable the user to log on to CICS in the enterprise server region where the passtoken was generated.

To enable passtokens, do not disable passtoken support in your ESF Manager configuration for the enterprise server region where you want passtoken support. This configuration is located in the Configuration Information field of the region's security tab.
Note: By default, passtoken support is enabled in the ESF Manager.

You might have to perform ESM-specific configuration to enable passtoken generation and signon for your users. With the MLDAP ESM Module, for each user who wants to use multi-factor authentication, set the following attributes in the LDAP repository:

  • microfocus-MFDS-User-CreateToken to "self"
  • microfocus-MFDS-User-UseToken to "self"
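
As an added example, not part of the product documentation, the following Python script audits an LDIF export of MLDAP ESM user entries for the attribute settings described in the MFDS/ESMAC, ISC and multi-factor sections above: it reports accounts that can create surrogate passtokens (CreateToken "any") but are not known region system users, accounts a surrogate passtoken can sign on as (UseToken "any"), and administrators with the "self"/"self" setting. The DNs, user names and the set of region system users are constructed placeholders; only the two attribute names come from the page.

```python
"""Audit MLDAP ESM passtoken attributes from an LDIF export (added example)."""

# Constructed sample export. DNs and user names are placeholders; only the
# two microfocus-MFDS-User-* attribute names are taken from the documentation.
SAMPLE_LDIF = """\
dn: cn=SYSAD,cn=Enterprise Server Users,dc=example,dc=com
cn: SYSAD
microfocus-MFDS-User-CreateToken: any
microfocus-MFDS-User-UseToken: any

dn: cn=ADMIN1,cn=Enterprise Server Users,dc=example,dc=com
cn: ADMIN1
microfocus-MFDS-User-CreateToken: self
microfocus-MFDS-User-UseToken: self

dn: cn=CICSUSR,cn=Enterprise Server Users,dc=example,dc=com
cn: CICSUSR
microfocus-MFDS-User-UseToken: any

dn: cn=DEVOPS,cn=Enterprise Server Users,dc=example,dc=com
cn: DEVOPS
microfocus-MFDS-User-CreateToken: any
"""

CREATE = "microfocus-MFDS-User-CreateToken"
USE = "microfocus-MFDS-User-UseToken"


def parse_ldif(text):
    """Return {cn: {attribute: value}}. Minimal parser: one attribute per
    line, no line folding and no base64 ("::") values."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        entries[attrs["cn"]] = attrs
    return entries


def audit_passtokens(entries, region_system_users):
    """Classify accounts by passtoken capability. Only region system users
    (the accounts that start regions) should be able to create surrogate
    tokens; every UseToken "any" account is one such a token can sign on as."""
    creators = sorted(cn for cn, a in entries.items()
                      if a.get(CREATE) == "any" and cn not in region_system_users)
    impersonable = sorted(cn for cn, a in entries.items() if a.get(USE) == "any")
    self_only = sorted(cn for cn, a in entries.items()
                       if a.get(CREATE) == "self" and a.get(USE) == "self")
    return {"unexpected_creators": creators, "impersonable": impersonable,
            "self_only": self_only}


if __name__ == "__main__":
    print(audit_passtokens(parse_ldif(SAMPLE_LDIF), {"SYSAD"}))
```

Run it against a real export (for example, the output of ldapsearch over the Enterprise Server Users container) and replace the placeholder set of region system users with the accounts that actually start your regions.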