About site: Software/Operating Systems/Mainframe/IBM/Freeware - PassTicket
Return to Computers
  About site: http://os390-mvs.freesurf.fr/passtkt.htm

Title: Software/Operating Systems/Mainframe/IBM/Freeware - PassTicket A demonstration program by IBM's Thierry Falissard, demonstrating the RACF PassTicket concept.
Planet_MVS_Freeware z/OS software written by David Alcock, including ISPF applications, ISPF edit macros, Assembler and REXX programs and utilities.

RACF_Sample_Utilities A dozen IBM tools, utilities and applications supplied with source code to allow customization.

Rob_Scott\'s_z/OS_Resources System Programmer utilities, REXX functions written in Assembler and sample batch job step termination exit. Plus MVS eXtended Information (MXI), an ISPF-based application that displays z/OS configura

SimoTime_Downloads z/OS COBOL, Assembler, JCL, VSAM and QSAM sample code with some fully functional utilities.

Taltyman_Downloads ISPF-based utilities for z/OS.

TASID ISPF-based monitor of z/OS.


  Alexa statistic for http://os390-mvs.freesurf.fr/passtkt.htm





Get your Google PageRank






Please visit: http://os390-mvs.freesurf.fr/passtkt.htm
  Related sites for http://os390-mvs.freesurf.fr/passtkt.htm
    TPF_Tools IBM downloadable software for the Transaction Processing Facility (TPF) mainframe operating system.
    VM_Workshop_Tools Links to four years (1995-98) of Tool Tapes from the VM Workshop. Documentation and the software can be searched and downloaded.
    VSE/ESA_Downloads Downloadable documents, utilities and sample code from IBM.
    VSE/ESA_e-business_Connectors_and_Utilities Downloadable VSE/ESA software and documentation. Many are Java-based.
    z/OS_Freeware_by_Lionel_B__Dyck Free software tools for both systems programmers and end users.
    z/OS_UNIX_System_Services_Tools_and_Toys Performance tools, ported tools, z/OS UNIX tools and code samples from IBM and other vendors.
    z/VM_Download_Library A 400 item IBM repository of tools, documentation and utilities from IBM and individuals outside the corporation.
    ABIS_Training_and_Consulting Mainframe training and consulting in French, Dutch and English. With offices in Belgium and the Netherlands.
    ACTS_Corporation z/OS and zSeries implementation, migration, upgrades, performance, tuning and capacity planning. Unix system administration for z/OS Unix System Services, mainframe and other Linux, AIX, HP-UX and Sol
    Ajilon_Learning Technical computing training, including VSE, z/OS Unix System Services, and both IBM and non-IBM mainframe systems software. Computer-based training, competency assessment and classroom courses.
    Alicomp Mainframe (z/OS, z/VM, VSE/ESA and zLinux) and open systems data center outsourcing services, including disaster recovery and business continuity with an emphasis on hospital and insurance organizatio
    Arcati Mark Lillycrop's UK-based company offers IT research, writing and marketing services, specializing in business continuity, security, service management, storage and mainframe data center strategy in E
    Barnett_Network_Strategies Chicago-area Consultant. Installs CICS, MVS, OS/390, and z/OS. Systems programming of mainframe products: maintain, tune, audit, strategize, and advise.
    Best_Customer_Solutions Specialists in maintaining, upgrading and enhancing mainframe systems software. Including several formalized, field-tested service offerings.
    BETA_Services Specializes in maintaining mainframe applications, either on-site in the Philadelphia to New York City corridor, or telecommuting anywhere in the world.
    Blue_True_Software Lars Ritzman's Swedish consulting firm offering z/OS systems programming, specializing in IMS.
    Bridgestone_Firestone_Information_Services_(BFIS) Facilities management, outsourcing, systems programming, application performance tuning and disaster recovery services. Subsidiary of the tire manufacturer.
    Cassidy_IT_Services European z/VM, z/Linux, z/OS, VSE/ESA, CICS/TS, mainframe and Websphere systems consultancy.
    Circle_Computer_Group DB2 and CICS migration specialists, combining software and services for: IMS to DB2, VSAM to DB2, CA-IDMS to DB2, ADABAS to DB2, CA-Datacom to DB2, Total/Supra to DB2 and IMS/TM to CICS.
    Circle_Computer_Group,_LLC U.S. training, consulting and software education in Application development, z/OS, WebSphere, Networks and MQSeries.
    Cobbs_Mill_Consulting z/OS, z/VM and VSE systems programming, training and Assembler. Specialists in Phoenix's Key/Master data entry system. Based in Asheville, North Carolina.
    Competency_Measurement_and_Training Competency based learning and assessment system to measure skills and knowledge of IT Support personnel.
    Compustar_Data_Systems z/OS Systems Programmers, Joanna Gordon and Mark Conner, provide consulting services from Dallas, Texas.
    Computer_Business_International Consulting and training company offering DB2, mainframe programming, security and Unix courses.
    Computer_Savings_Corporation Buys and sells hardware, including IBM mainframe systems and components.
    Cornerstone_Systems,_Inc An IBM partner/reseller and Lotus Notes business partner offering a variety of products and services for eserver zSeries running z/OS, z/VM and VSE/ESA operating systems.
    Corporate_Communications_Interactive CCI bundles nearly 40 mostly-z/OS courses, offering them through distributors, inexpensively on CD-ROM or Web-based.
    CPR_Systems Specializing in VSE/ESA training, with consulting also available.
    DacWorks Public and in-house training courses in CICS/TS, CICS Web programming, HTML, XML, SOAP, Java and WebSphere. Also offers CICS/TS consulting services.
    Dana_A__Rothrock System Performance Engineer for IBM mainframe Systems programming, database and application development, and mainframe tuning.
    Data_Dallas_Corp_(DDC) Internet access to a mainframe; z/OS time-sharing, including TSO, CICS, DB2, SAS, via Internet: tn3270 and ftp. Also, media conversion, laser printing, and mailing and direct marketing services.
    Data_Kinetics Canadian company providing mainframe courses, table management software, software testing and consulting.
    DataBase_Consulting_Services_(DBCS) PeopleSoft consulting, performance tuning and education. Specializing in z/OS DB2 implementations of PeopleSoft software.
    Datatrain_CBT Datatask's computer-based training for z/OS and VSE/ESA.
    Discovery_Video_Instruction_Products_(VIP) CD-ROM-based training containing 36 mainframe OS/390 courses. Includes one z/VM course.
    ECHO_Associates Based in Vienna, Virginia, specializing in TPF (Transaction Processing Facility) consulting.
    EDS_Managed_Mainframe_Services EDS’ managed mainframe services provide you with a spectrum of mainframe IT solutions for the IBM z/series platform in a data center environment. Includes managed services and IT mainframe outsourci
    Enterprise_Builders_Support_Systems Consulting services and training for BMC Software's CONTROL-M, CONTROL-D, and other mainframe IOA products.
    Hitachi_Data_Systems__Education HDS offers both vendor-neutral and HDS-specific education worldwide, much of it relevant to their mainframe storage and software products.
    IBM___Business_Continuity_and_Recovery_Services_(BCRS) IBM Global Services Consulting: Business Continuity and Recovery Services for IBM Mainframe (z/Series) and open systems environments.
This is now2007.com cache of m/ as retrieved on 2009.01.09 now2007.com's cache is the snapshot that we took of the page as we crawled the web. The page may have changed since that time.
The RACF PassTicket Page -------------------------------------------------------------------------------------------------------------------------

The RACF PassTicket Page

H O M E

(The term "PassTicket" has been invented by IBM) Last update : 1 March 2003 The aim of this page is to promote the RACF PassTicket concept. It was made out of personal research, excerpts of the IBM doc and of various newsgroups (mainly RACF-L, where specialists abound, to whom I am deeply indebted). Quick link to the free offering :PTKTGEN. A Cryptanalysis of the Passticket algorithm, discussion about an attack (updated March 1, 2003). Security Server PDF files for z/OS V1R4.0. The PassTicket algorithm is described in "Security Server RACF, Macros and Interfaces", Chapter 11, "The RACF Secured Signon PassTicket". What is a PassTicket ? An alternative to the RACF password that permits workstations and client machines to communicate with the host. It allows a user to gain access to the host system without sending the RACF password across the network. What mechanisms for user authentication does OS/390 provide ? Traditional OS/390 userid and password (the "regular" RACF password) PassTickets (more on this later) DCE authentication Digital Certificates Two additional user authentication methods could be a Kerberos implementation and the use of hashed passwords. More info on IBM's page : Security Facilities - Authenticating Users. So it replaces the regular RACF password ? Yes and no. The regular RACF password is still usable. The Passticket is valid for a period of plus or minus 10 minutes (as measured on the GMT clock of the "central" system). It cannot be replayed. It is always a 8-character string (for example 4UZ5PX9A could be the value of a Passticket). Why is it safer than regular RACF passwords ? RACF PassTickets are cryptographically-generated, single-use, short-lifespan password substitutes. They are inherently more secure than passwords. When was it invented ? I believe it was with RACF 1.9.2 (remember restructured databases ?). Afterwards, RACF 2.2 allowed use of user IDs and group IDs in PTKTDATA profiles for better granularity of the secret keys. How does RACF recognize it is a PassTicket, not a "regular" password ? But in fact it cannot ! If RACF authenticates a password field and determines that it is not the RACF password for the user ID, RACF may perform a second authentication step to determine whether the password field is a valid PassTicket (this is why you may see 2 RACF messages in the LOG if it is invalid). A PassTicket is considered to be within the valid time range when the time of generation (with respect to the clock on the generating computer) is within plus or minus 10 minutes of the time of evaluation (with respect to the clock on the evaluating computer). Which security monitors recognize PassTickets ? PassTickets can be recognized by RACF, ACF2 and TopSecret. How do you make use of it ? : connecting to your site from the outside world (ftp, telnet) : this avoids the security hazard of a password being transmitted across the network in clear text ; CICS : submitting a job under a user's authority without prompting the user for his password ; "lending" a userid to a colleague during some time (not tested and not approved !!) ; submitting jobs via NJE to other nodes ; (it is recommended that your MVS or OS/390 systems be running with MVS GMT = real GMT) ; avoiding coding of passwords in clear in batch jobs or in input data (FTP commands in a batch job) ; etc. Can a PassTicket be used to access any application on my system ? The PassTicket applies to only one application (unlike the "regular" password). The algorithm that generates the PassTicket is a function of: The user ID of the client The application ID (CICS applid, IMSid, etc) A secured sign-on application key, known to both sides A time and date stamp What is this "secured sign-on key" ? To be able to generate a PassTicket, you need to define a shared key or secret between the systems on which the client and the security server are running. This key depends on the application and optionally (and hopefully) on the user. Where does the application id come from ? It is the same as the profile you would put in the RACF APPL class for protecting the access to the application. For TSO, it is TSO + SMF ID. Applications that don't specify an APPL parameter get a default APPL, for PassTicket purposes only, of "MVS" followed by the system's SMF ID. This works also for batch jobs. For USS applications, such as Websphere, FTP, etc., the application name is OMVSAPPL. How do you generate a PassTicket ? If it's on Mainframe, then you can use the generation routine that RACF (and TSS 5.0 and ACF2 6.2) provides. Here is an example : * PASSTICKET GENERATION GEN DS 0H SETAMOD 31 MODESET KEY=ZERO,MODE=SUP L R15,16 Get pointer to CVT USING CVT,R15 Make CVT addressable L R15,CVTRAC Get pointer to RACF CVT (RCVT) USING RCVT,R15 Make RCVT addressable L R15,RCVTPTGN Get pointer to PassTicket rtn CALL (15),(USERID,APPNAME) Call PassTicket generator ST R15,RC SAVE RETURN-CODE STM R0,R1,PTKTFLD Store PassTicket in PTKTFLD MODESET KEY=NZERO,MODE=PROB SETAMOD 24 * DATA DS 0D PTKTFLD DS CL8 USERID DS 0CL9 Userid Structure: USERIDL DS AL1(7) -> NUMBER OF USERID CHARACTER USERIDN DS CL8'IBMUSER ' APPNAME DS 0CL9 APPL Name Structure: APPNAMEL DS AL1(4) -> NUMBER OF APPNAME CHARACTER APPNAMEN DS CL8'IMS1 ' RC DS F Return Code LTORG CVT DSECT=YES,LIST=NO ICHPRCVT *----------------------------------------------------------------------* * Return Code + Description * *-----------------+----------------------------------------------------* * 0 Successful completion. The resulting session key is* * contained in general purpose registers 0 and 1. * *-----------------+----------------------------------------------------* * 4 Incorrect PassTicket * *-----------------+----------------------------------------------------* * 8 No PTKTDATA profile found for the application * *-----------------+----------------------------------------------------* * C No task or address space ACEE found, and the ACEE * * pointer was not specified on the input parameter * * list. * *-----------------+----------------------------------------------------* * 10 Caller is not authorized * *-----------------+----------------------------------------------------* * 14 The RACF PTKTDATA class is not active * *-----------------+----------------------------------------------------* The CICS Front End Programming Interface (FEPI), an integral part of CICS, may also be used to generate a PassTicket : EXEC CICS FEPI REQUEST PASSTICKET requests the external security manager to supply a PassTicket. If you're talking about other platforms, then you have several options: Write your own generation routine, using the algorithm documented in RACF Macros and Interfaces (not an easy stuff, however I have done it, see below). Buy a commercial package that generates PassTickets on the desired platform. Seek for a wider solution, that will give you not only PassTickets for a specific platform, but a complete enterprise solution - a single sign-on product (the Holy Graal of Security). Many single sign-on products support RACF PassTickets. What should be done on RACF to implement PassTickets ? activate the passticket class : SETROPTS CLASSACT(PTKTDATA) SETROPTS RACLIST(PTKTDATA) define a profile for the userid + application : RDEFINE PTKTDATA appl.group.userid - SSIGNON(KEYMASKED(0123456789abcdef)) where appl is to be replaced by the application name (CICS, TSO+SMFID, etc.) group and userid are the RACF group and userid, and 0123456789abcdef (the Secured Signon application key) should be replaced by a valid 16-digit secret key. Note that appl.group.userid can also be replaced by appl.userid if the connection group does not matter. refresh the class : SETR REFRESH RACLIST(PTKTDATA) Now, the PassTicket generator must know the userid, the application name and the Secured Signon application key (which is the "secret factor" that must be kept in security). IBM has also offered the possibility to replay the same Passticket. Although it defeats part of the security brought by the Passticket facility, it may help some sites faced to its limitations (a generator can generate only one Passticket per user per second, so if you try to logon twice within a second interval, you are forced to use the same Passticket). RACF requires then the PTKTDATA profile to specify APPLDATA('NO REPLAY PROTECTION.'). What are "qualified" and "unqualified" PassTicket profiles ? PassTicket profile names can be "qualified" with the user's group name and user ID. An application is no longer limited to a single key (as prior to RACF 2.2), but can now have different keys for different groups and users. Use of qualified PassTicket profile names is optional in that unqualified (application name only) PTKTDATA profiles can be used. In fact, it is possible to have both a qualified PTKTDATA profile name appropriate for a given user who is being authenticated and an unqualified profile name for the same application. In this case RACF uses either key in either profile to evaluate the PassTicket. We have been trying to implement PassTickets, but it does not work ! The passticket may not work because : it has been generated more than 10 minutes ago ; The user or application name as seen by the PassTicket generator is wrong ; at V2R10 with PTF for APAR OW44393 installed, if your OS/390 system is configured to use VTAM generic resources for TSO then you need to use the VTAM generic as your application name. Otherwise (earlier releases, V2R10 without that PTF, or not configured for VTAM generics) you need to use an application name of TSO || SMF ID (thanks to Walt Farrell who posted this in IBM-Main on Dec 10th, 2001). your PC/Unix/etc. is not synchronized with the mainframe (local times / GMT times are too different) ; the Secured Signon application key as seen by the PassTicket generator is wrong, or has been changed on MVS by the RACF administrator. there is a bug in the PassTicket generator ! (the least probable) The most common cause for problems with PassTicket verification is differences in time settings. Since your PassTickets are created on a UNIX or Windows (or etc.) machine and are verified by RACF on an S/390, you must take care that both machines have the same notion of UTC (Universal Coordinated Time, aka. Greenwich Mean Time). On your UNIX server, check the TZ setting and make sure it is set to the right time zone. On your OS/390 or MVS system, you have two time sources: the TOD clock and the local time. The TOD clock must be set to UTC, the local time must be set to the correct offset from UTC and the offset needs to be changed in the CLOCKxx member in SYS1.PARMLIB. PassTickets are created with a UTC timestamp. If the system that creates the PassTicket has a different notion of UTC than the system that verifies the PassTicket, you'll never get a match. My offering My offering is a RACF Passticket generator for Windows, a software-only implementation of a RACF Passticket generator : "PTKTGEN". Highlights : - PTKTGEN is written in REXX ; it invokes a freeware product for encryption functions. I have used Regina Rexx from Beyond.com, but I think other REXXes should also work. - For the moment, PTKTGEN runs in a DOS window, but I plan to provide a more "flashy" interface in the weeks/months to come, the main point was first to efficiently generate the passticket... - It is delivered in a PTKT.ZIP file (210 Kb). Instructions are provided in the README.TXT file. The 09/09/2001 bug has striken ! You will get an error in PTKTGEN.REX because more than 1 billion seconds have elapsed since 1/1/1970 (1 billion = 1000000000 represents 10 digits, and REXX by default handles only 9 digits : "numeric digits 9" is the default value). The fix consists simply in adding in PTKTGEN.REX a statement : "numeric digits 20" before the "datesec" variable is used. Conditions : - I grant you the right to use PTKTGEN provided that only ONE copy of PTKTGEN is used in your company. For multiple copies, contact me. Warning : on the PC, Secured Signon application keys are stored in a "userid.INI" file (where userid is the RACF userid). This is sensitive information that you should protect. This is why I call PTKTGEN an "unsecure Passticket generator". It is assumed that the secret Secured Signon application keys (stored in userid.INI) can not easily be compromised. These keys, once compromised, would allow ANYBODY to generate passtickets and to use your userid. A possible solution is to store the userid.INI file on a disquette that you keep in security. Copy the userid.INI file on the disquette, scratch the hard disk version, and update PTKTGEN.REX suppressing the line : " path_for_keys = '.\' " to force it to read the version on disquette. Top of page Back to home page function open(){} window.open('http://banniere.freesurf.fr/pop.php','Tag','width=468,height=60,resizable=no,menubar=no,toolbar=no,status=no,scrollbars=no,top=220,left=220');
 

A

demonstration

program

by

IBM's

Thierry

Falissard,

demonstrating

the

RACF

PassTicket

concept.

http://os390-mvs.freesurf.fr/passtkt.htm

PassTicket 2009 January

dvd rental

dvd


A demonstration program by IBM's Thierry Falissard, demonstrating the RACF PassTicket concept.

Rules

© 2005 Internet Explorer 5+ or Netscape 6+
Recommended Sites: 1. Arts - Business - Computers - Games - Health - Home - Kids and Teens - News - Recreation - Reference - Regional - Science - Shopping - Society - Sports - World Miss Gallery - Top Anime Hentai - DVD rental by mail - Mobile Phone - Loans - Tesco - Car Finance - Debt Consolidation
2009-01-09 01:36:47

Copyright 2005, 2006 by Webmaster
Websites is cool :)