It works the same in ACF2. The passticket generator has no idea that the logonid is restricted (or protected), so a passticket is generated. However, passwords, and by extension passtickets, are not allowed for these logons, and so the request is appropriately rejected. Set a complex non-expiring password on the logonid and then use passtickets to your heart's content.
-- Donald Grinsell
State of Montana
406-444-2983
[email protected]

"A wonderful fact to reflect upon, that every human creature is constituted to be that profound secret and mystery to every other."
-- Charles Dickens (1812-70)

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Tom Ambros
Sent: Tuesday, 07 February 2012 15:34
To: [email protected]
Subject: Re: RACF Passticket: password required on userid?

I submitted an SR and the word I get from RACF L2 is that RACF simply won't evaluate a protected userid; logon is rejected unconditionally. I understand that this is documented as a basic principle. I am going to have to puzzle over the implications of allowing a protected userid to use passtickets; I am not immediately seeing what exposure would be introduced. At any rate, I have what it takes to proceed.

Thanks...

Thomas Ambros
Operating Systems and Connectivity Engineering
518-436-6433

From: Charles Mills <[email protected]>
To: [email protected]
Date: 02/07/2012 17:27
Subject: Re: RACF Passticket: password required on userid?
Sent by: IBM Mainframe Discussion List <[email protected]>

I am not familiar with IKE or NSS, but I am something of a PassTicket expert IMHO.

PassTickets are essentially an alternative to passwords. They are password-like; they do not depend on passwords. No password is input to the algorithm. The closest thing is the "stored secure application key" (name from memory), which is 16 hex digits.

There are three inputs:
- stored secure application key
- current time of day
- application name

In my experience the second is a small gotcha and the third is a big gotcha. Are there two systems in your picture? Are both of their clocks set to Zulu time, and fairly accurately? Are you *sure* you have the application name correct? It is a HUGE gotcha.

A wild guess is the reason it works with a password is because the password itself is being used for successful authentication, not the PassTicket.
Well, you say that's not so. I don't know.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Tom Ambros
Sent: Tuesday, February 07, 2012 1:50 PM
To: [email protected]
Subject: RACF Passticket: password required on userid?

Forgive me for posting this here; it belongs on the RACF list, I am sure, but I do not have that address handy to register. It may be a simple enough question that it can be answered here.

I am attempting to use the passticket authentication method for the IKE client to NSS. If I define a password on the client, no problem. IKE establishes a connection to the NSS task, and I verify I use the Passticket:

RACFQUAL 132:SUCC INIT USING PASSTICKET

from an MXG SAS interpretation of SMF 80. If I remove the password from the client: ICH408I Invalid Password. I find no documentation that indicates it is input to the algorithm, nor any documentation that a user employing passtickets requires a password. Why is a password necessary?

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
----------------------------------------------------------------------
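The workaround Grinsell describes at the top of the thread (give the userid a non-expiring password so it is no longer protected, then authenticate with PassTickets), written out as the RACF commands in a small TSO REXX exec. This is an added example, not code posted in the thread. The userid IKECLNT, the application name NSSAPPL and the key value 0123456789ABCDEF are placeholders: the PTKTDATA profile name must be the application name the NSS server actually presents to RACF, which Mills identifies as the usual cause of failures, and the key is whatever 16 hex digits both sides have been given.

```rexx
/* REXX: make a protected userid eligible for PassTicket logon.          */
/* Added example, not from the thread. IKECLNT, NSSAPPL and the key      */
/* 0123456789ABCDEF are placeholders, not real names or a real key.      */
Address TSO

/* Starting point: the userid has no password (LISTUSER shows PROTECTED */
/* and PASSDATE=N/A). The thread's finding is that RACF rejects such a  */
/* logon outright, before any PassTicket is evaluated.                  */
"LISTUSER IKECLNT"

/* 1. Give the userid a password. Nobody ever types it; it only removes  */
/*    the PROTECTED state so password-type logons (PassTickets) are     */
/*    evaluated. NOEXPIRED avoids a forced change on first use.         */
"ALTUSER IKECLNT PASSWORD(N0TTYP3D) NOEXPIRED"

/* 2. Define the secured signon key for the target application. The    */
/*    profile name must match the application name presented to RACF.  */
/*    The key is 16 hex digits and has nothing to do with the password. */
"RDEFINE PTKTDATA NSSAPPL SSIGNON(KEYMASKED(0123456789ABCDEF)) UACC(NONE)"

/* 3. Activate and RACLIST the class; refresh after any profile change. */
"SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)"
"SETROPTS RACLIST(PTKTDATA) REFRESH"

/* Confirm: PASSDATE now carries a date and PROTECTED is gone.           */
"LISTUSER IKECLNT"
If rc <> 0 Then Say "LISTUSER failed, rc=" rc
```

Two checks worth doing before blaming the key: the generating and validating systems must agree on the time of day (PassTickets are time-bound, so clock skew between the two hosts shows up as an invalid-password failure), and the application name in the PTKTDATA profile must be spelled exactly as the server supplies it. Once logons work, a successful PassTicket logon appears in SMF type 80 with the "INIT USING PASSTICKET" qualifier that Ambros reports.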

