In the ever-evolving landscape of mainframe security, the importance of robust authentication mechanisms cannot be overstated. Recognizing the need for enhanced security, IBM Z System Automation 4.3 has delivered a new function in APAR OA64126, which enhances the INGOMX command to use RACF PassTickets to authenticate the user who logs in to OMEGAMON or makes a SOAP request. This feature avoids storing passwords in the System Automation policy database and removes the need to manage passwords through System Automation's password data set.
Understanding the RACF PassTicket: an alternative to passwords
The RACF PassTicket is a one-time-only password generated by a requesting product or function. It is an alternative to traditional RACF passwords and password phrases, and it eliminates the need to transmit sensitive password information across the network in clear text. It is a character value that looks like a password and is accepted and validated by RACF as if it were a normal password. PassTickets are useful in situations where a trusted application must pass a client's RACF user ID and "password" to another application, but the trusted application does not have the client's RACF password. For more information about PassTickets, see "Using PassTickets" in z/OS Security Server RACF Security Administrator's Guide.
Benefits of OMEGAMON PassTicket support in IBM Z System Automation
Logging on to OMEGAMON or to the SOAP server when the Hub TEMS is running on z/OS requires authentication with a user ID and password if product-level security is active. The INGOMX command performs all interactions with either the OMEGAMON classic monitors or with the Hub TEMS. Previously, for an OMEGAMON session, the user ID was stored in the OMEGAMON SESSION policy, and the password was either specified in the policy in clear text or, more typically, stored in the encrypted password vault that is accessible through INGPW. Passwords for SOAP request authentication were managed in the same way when the SOAP server was defined in the policy. For more information, see Password Management in IBM Z System Automation Planning and Installation.
However, this password store duplicates what the security product already knows. When passwords are changed automatically every 30 days, keeping this store synchronized with the official password database in RACF is very cumbersome.
On top of the existing password management capabilities, APAR OA64126 introduces the support to generate PassTickets for authentication.
You can get the following benefits using this new feature:
Simplified password management: By using PassTickets, there is no longer any need to maintain the encrypted password vault or to keep it synchronized with the RACF database when passwords must change after their validity period.
Enhanced security: PassTickets are short-lived, one-time passwords, so a captured value is of little use for unauthorized access.
Coherent security strategy: This enhancement also leads to a more coherent security strategy that avoids one-off solutions and instead builds on the existing security product, such as RACF.
How to use the PassTicket function in IBM Z System Automation 4.3
To use the PassTicket function, create the required PTKTDATA class profile and grant access to appropriate users to call the INGOMX command. For detailed steps, refer to Authentication using PassTickets in IBM Z System Automation Planning and Installation.
Update the policies. A new SAF applid field and a new PTKT keyword for the Password field have been added to the OMEGAMON Session Attributes and SOAP Server policies.
To use PassTickets for OMEGAMON classic sessions, specify the SAF application ID and the new keyword PTKT as the password in the OMEGAMON SESSIONS Policy Item. When the SAF application ID and the predefined value PTKT are specified, IBM Z System Automation obtains a RACF PassTicket and uses it for authentication.
To use PassTickets for SOAP requests, specify the SAF application ID and the new keyword PTKT as the password in the SOAP SERVER Policy Item if the SOAP server is defined in the policy. If the SOAP server is not defined in the policy, specify the credentials in the INGOMX command line.
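The RACF side of this setup, shown as an added illustration in the form of a TSO REXX exec; these are not commands taken from the IBM documentation for this APAR. The SAF application ID OMEGAPPL, the automation user ID AUTOUSER, the OMEGAMON user ID OMEGUSER and the secured signon key are all placeholders that must be replaced with site values.

```rexx
/* REXX - PTKTDATA setup for PassTicket generation (illustrative; placeholder names) */

/* Activate the PTKTDATA class and keep its profiles cached in storage            */
"SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)"

/* Define the secured signon key for the application ID that OMEGAMON or the     */
/* SOAP server validates against. The key is 16 hexadecimal digits; replace the  */
/* placeholder with a site-generated value. KEYENCRYPTED is the ICSF-protected   */
/* alternative to KEYMASKED. Replay protection stays at its default (on), so a   */
/* generated PassTicket can only be used once.                                   */
"RDEFINE PTKTDATA OMEGAPPL SSIGNON(KEYMASKED(<16-hex-digit-key>)) UACC(NONE)"

/* Allow the automation user ID to generate PassTickets for OMEGUSER on          */
/* OMEGAPPL. UPDATE access permits generation; READ would permit evaluation only. */
"RDEFINE PTKTDATA IRRPTAUTH.OMEGAPPL.OMEGUSER UACC(NONE)"
"PERMIT IRRPTAUTH.OMEGAPPL.OMEGUSER CLASS(PTKTDATA) ID(AUTOUSER) ACCESS(UPDATE)"

/* Make the new and changed profiles effective                                    */
"SETROPTS RACLIST(PTKTDATA) REFRESH"
```

The SAF application ID used here must be the same one entered in the SAF applid field of the policy, and the secured signon key must be the one known to the application that validates the ticket.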
If you have any questions about this feature, feel free to leave your comments.