The RACF PassTicket Page

The aim of this page is to promote the RACF PassTicket concept. It was made out of personal research, excerpts of the IBM doc and of various newsgroups (mainly RACF-L, where specialists abound, to whom I am deeply indebted).

Quick link to the free offering :PTKTGEN.

A Cryptanalysis of the Passticket algorithm, discussion about an attack (updated March 1, 2003).

Security Server PDF files for z/OS V1R4.0. The PassTicket algorithm is described in "Security Server RACF, Macros and Interfaces", Chapter 11, "The RACF Secured Signon PassTicket".

1. What is a PassTicket ?

   An alternative to the RACF password that permits workstations and client machines to communicate with the host. It allows a user to gain access to the host system without sending the RACF password across the network.

2. What mechanisms for user authentication does OS/390 provide ?
   1. Traditional OS/390 userid and password (the "regular" RACF password)
   2. PassTickets (more on this later)
   3. DCE authentication
   4. Digital Certificates

   Two additional user authentication methods could be a Kerberos implementation and the use of hashed passwords. More info on IBM's page : Security Facilities - Authenticating Users.

3. So it replaces the regular RACF password ?

   Yes and no. The regular RACF password is still usable. The Passticket is valid for a period of plus or minus 10 minutes (as measured on the GMT clock of the "central" system). It cannot be replayed. It is always a 8-character string (for example 4UZ5PX9A could be the value of a Passticket).

4. Why is it safer than regular RACF passwords ?

   RACF PassTickets are cryptographically-generated, single-use, short-lifespan password substitutes. They are inherently more secure than passwords.

5. When was it invented ?

   I believe it was with RACF 1.9.2 (remember restructured databases ?). Afterwards, RACF 2.2 allowed use of user IDs and group IDs in PTKTDATA profiles for better granularity of the secret keys.

6. How does RACF recognize it is a PassTicket, not a "regular" password ?

   But in fact it cannot !

   If RACF authenticates a password field and determines that it is not the RACF password for the user ID, RACF may perform a second authentication step to determine whether the password field is a valid PassTicket (this is why you may see 2 RACF messages in the LOG if it is invalid).

   A PassTicket is considered to be within the valid time range when the time of generation (with respect to the clock on the generating computer) is within plus or minus 10 minutes of the time of evaluation (with respect to the clock on the evaluating computer).

7. Which security monitors recognize PassTickets ?

   PassTickets can be recognized by RACF, ACF2 and TopSecret.

8. How do you make use of it ? :
   1. connecting to your site from the outside world (ftp, telnet) : this avoids the security hazard of a password being transmitted across the network in clear text ;
   2. CICS : submitting a job under a user's authority without prompting the user for his password ;
   3. "lending" a userid to a colleague during some time (not tested and not approved !!) ;
   4. submitting jobs via NJE to other nodes ; (it is recommended that your MVS or OS/390 systems be running with MVS GMT = real GMT) ;
   5. avoiding coding of passwords in clear in batch jobs or in input data (FTP commands in a batch job) ;
   6. etc.

9. Can a PassTicket be used to access any application on my system ?

   The PassTicket applies to only one application (unlike the "regular" password).

   The algorithm that generates the PassTicket is a function of:

   1. The user ID of the client
   2. The application ID (CICS applid, IMSid, etc)
   3. A secured sign-on application key, known to both sides
   4. A time and date stamp

10. What is this "secured sign-on key" ?

    To be able to generate a PassTicket, you need to define a shared key or secret between the systems on which the client and the security server are running. This key depends on the application and optionally (and hopefully) on the user.

11. Where does the application id come from ?

    It is the same as the profile you would put in the RACF APPL class for protecting the access to the application. For TSO, it is TSO + SMF ID.

    Applications that don't specify an APPL parameter get a default APPL, for PassTicket purposes only, of "MVS" followed by the system's SMF ID. This works also for batch jobs.

    For USS applications, such as Websphere, FTP, etc., the application name is OMVSAPPL.

12. How do you generate a PassTicket ?

    If it's on Mainframe, then you can use the generation routine that RACF (and TSS 5.0 and ACF2 6.2) provides. Here is an example :

    * PASSTICKET GENERATION                                              
    GEN      DS     0H                                                   
             SETAMOD 31                                                  
             MODESET KEY=ZERO,MODE=SUP                                   
             L      R15,16                 Get pointer to CVT            
             USING  CVT,R15                Make CVT addressable          
             L      R15,CVTRAC             Get pointer to RACF CVT (RCVT)
             USING  RCVT,R15               Make RCVT addressable         
             L      R15,RCVTPTGN           Get pointer to PassTicket rtn 
             CALL   (15),(USERID,APPNAME)  Call PassTicket generator     
             ST     R15,RC                          SAVE RETURN-CODE     
             STM    R0,R1,PTKTFLD         Store PassTicket in PTKTFLD    
             MODESET KEY=NZERO,MODE=PROB                                 
             SETAMOD 24                                                  
    * DATA                                                               
             DS    0D                                                    
    PTKTFLD  DS    CL8                                                   
    USERID   DS    0CL9            Userid Structure:                     
    USERIDL  DS    AL1(7)          ->   NUMBER OF USERID CHARACTER       
    USERIDN  DS    CL8'IBMUSER '                                           
    APPNAME  DS    0CL9            APPL Name Structure:                    
    APPNAMEL DS    AL1(4)          ->   NUMBER OF APPNAME CHARACTER        
    APPNAMEN DS    CL8'IMS1    '                                   
    RC       DS    F               Return Code        
             LTORG                                                         
             CVT DSECT=YES,LIST=NO                                         
             ICHPRCVT 
    
    *----------------------------------------------------------------------*
    * Return Code     +       Description                                  *     
    *-----------------+----------------------------------------------------*
    * 0                 Successful completion. The resulting session key is*
    *                   contained in general purpose registers 0 and 1.    *
    *-----------------+----------------------------------------------------*
    * 4                 Incorrect PassTicket                               *
    *-----------------+----------------------------------------------------*
    * 8                 No PTKTDATA profile found for the application      *
    *-----------------+----------------------------------------------------*
    * C                 No task or address space ACEE found, and the ACEE  *
    *                   pointer was not specified on the input parameter   *
    *                   list.                                              *
    *-----------------+----------------------------------------------------*
    * 10                Caller is not authorized                           *
    *-----------------+----------------------------------------------------*
    * 14                The RACF PTKTDATA class is not active              *
    *-----------------+----------------------------------------------------*
    
    

    The CICS Front End Programming Interface (FEPI), an integral part of CICS, may also be used to generate a PassTicket : EXEC CICS FEPI REQUEST PASSTICKET requests the external security manager to supply a PassTicket.

    If you're talking about other platforms, then you have several options:

    1. Write your own generation routine, using the algorithm documented in RACF Macros and Interfaces (not an easy stuff, however I have done it, see below).
    2. Buy a commercial package that generates PassTickets on the desired platform.
    3. Seek for a wider solution, that will give you not only PassTickets for a specific platform, but a complete enterprise solution - a single sign-on product (the Holy Graal of Security). Many single sign-on products support RACF PassTickets.

13. What should be done on RACF to implement PassTickets ?
    1. activate the passticket class :

                  SETROPTS CLASSACT(PTKTDATA)  
                  SETROPTS RACLIST(PTKTDATA)
       

    2. define a profile for the userid + application :

                  RDEFINE PTKTDATA appl.group.userid -
                   SSIGNON(KEYMASKED(0123456789abcdef))
       

       where appl is to be replaced by the application name (CICS, TSO+SMFID, etc.) group and userid are the RACF group and userid, and 0123456789abcdef (the Secured Signon application key) should be replaced by a valid 16-digit secret key. Note that appl.group.userid can also be replaced by appl.userid if the connection group does not matter.

    3. refresh the class :

                  SETR REFRESH RACLIST(PTKTDATA)
       

    Now, the PassTicket generator must know the userid, the application name and the Secured Signon application key (which is the "secret factor" that must be kept in security).

    IBM has also offered the possibility to replay the same Passticket. Although it defeats part of the security brought by the Passticket facility, it may help some sites faced to its limitations (a generator can generate only one Passticket per user per second, so if you try to logon twice within a second interval, you are forced to use the same Passticket). RACF requires then the PTKTDATA profile to specify APPLDATA('NO REPLAY PROTECTION.').

14. What are "qualified" and "unqualified" PassTicket profiles ?

    PassTicket profile names can be "qualified" with the user's group name and user ID. An application is no longer limited to a single key (as prior to RACF 2.2), but can now have different keys for different groups and users. Use of qualified PassTicket profile names is optional in that unqualified (application name only) PTKTDATA profiles can be used. In fact, it is possible to have both a qualified PTKTDATA profile name appropriate for a given user who is being authenticated and an unqualified profile name for the same application. In this case RACF uses either key in either profile to evaluate the PassTicket.

15. We have been trying to implement PassTickets, but it does not work !

    The passticket may not work because :

    1. it has been generated more than 10 minutes ago ;
    2. The user or application name as seen by the PassTicket generator is wrong ; at V2R10 with PTF for APAR OW44393 installed, if your OS/390 system is configured to use VTAM generic resources for TSO then you need to use the VTAM generic as your application name. Otherwise (earlier releases, V2R10 without that PTF, or not configured for VTAM generics) you need to use an application name of TSO || SMF ID (thanks to Walt Farrell who posted this in IBM-Main on Dec 10th, 2001).
    3. your PC/Unix/etc. is not synchronized with the mainframe (local times / GMT times are too different) ;
    4. the Secured Signon application key as seen by the PassTicket generator is wrong, or has been changed on MVS by the RACF administrator.
    5. there is a bug in the PassTicket generator ! (the least probable)

    The most common cause for problems with PassTicket verification is differences in time settings.

    Since your PassTickets are created on a UNIX or Windows (or etc.) machine and are verified by RACF on an S/390, you must take care that both machines have the same notion of UTC (Universal Coordinated Time, aka. Greenwich Mean Time). On your UNIX server, check the TZ setting and make sure it is set to the right time zone.

    On your OS/390 or MVS system, you have two time sources: the TOD clock and the local time. The TOD clock must be set to UTC, the local time must be set to the correct offset from UTC and the offset needs to be changed in the CLOCKxx member in SYS1.PARMLIB.

    PassTickets are created with a UTC timestamp. If the system that creates the PassTicket has a different notion of UTC than the system that verifies the PassTicket, you'll never get a match.

16. My offering

    My offering is a RACF Passticket generator for Windows, a software-only implementation of a RACF Passticket generator : "PTKTGEN".

    Highlights :

    - PTKTGEN is written in REXX ; it invokes a freeware product for encryption functions. I have used Regina Rexx from Beyond.com, but I think other REXXes should also work.

    - For the moment, PTKTGEN runs in a DOS window, but I plan to provide a more "flashy" interface in the weeks/months to come, the main point was first to efficiently generate the passticket...

    - It is delivered in a PTKT.ZIP file (210 Kb). Instructions are provided in the README.TXT file.

    The 09/09/2001 bug has striken ! You will get an error in PTKTGEN.REX because more than 1 billion seconds have elapsed since 1/1/1970 (1 billion = 1000000000 represents 10 digits, and REXX by default handles only 9 digits : "numeric digits 9" is the default value).

    The fix consists simply in adding in PTKTGEN.REX a statement : "numeric digits 20" before the "datesec" variable is used.

    Conditions :

    - I grant you the right to use PTKTGEN provided that only ONE copy of PTKTGEN is used in your company. For multiple copies, contact me.

    Warning : on the PC, Secured Signon application keys are stored in a "userid.INI" file (where userid is the RACF userid). This is sensitive information that you should protect. This is why I call PTKTGEN an "unsecure Passticket generator".

    It is assumed that the secret Secured Signon application keys (stored in userid.INI) can not easily be compromised. These keys, once compromised, would allow ANYBODY to generate passtickets and to use your userid.

    A possible solution is to store the userid.INI file on a disquette that you keep in security. Copy the userid.INI file on the disquette, scratch the hard disk version, and update PTKTGEN.REX suppressing the line : " path_for_keys = '.\' " to force it to read the version on disquette.