I am not familiar with IKE or NSS but I am something of a PassTicket expert
IMHO.

PassTickets are essentially an alternative to passwords. They are
password-like; they do not depend on passwords. No password is input to the
algorithm. The closest thing is the "stored secure application key" (name
from memory) which is 16 hex digits. There are three inputs:

- stored secure application key
- current time of day
- application name

In my experience the second is a small gotcha and the third is a big gotcha.
Are there two systems in your picture? Are both of their clocks set to Zulu
time, and fairly accurately?

Are you *sure* you have the application name correct? It is a HUGE gotcha.

A wild guess is the reason it works with a password is because the password
itself is being used for successful authentication, not the PassTicket.
Well, you say that's not so. I don't know.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf
Of Tom Ambros
Sent: Tuesday, February 07, 2012 1:50 PM
To: IBM-MAIN@bama.ua.edu
Subject: RACF Passticket: password required on userid?

Forgive me for posting this here, it belongs on the RACF list I am sure but
I do not have that address handy to register. 

It may be a simple enough question that it can be answered here. 

I am attempting to use the passticket authentication method for the IKE
client to NSS.  If I define a password on the client, no problem.  IKE
establishes a connection to the NSS task, I verify I use the Passticket: 
RACFQUAL 132:SUCC INIT USING PASSTICKET from an MXG SAS interpretation of
SMF 80. 

If I remove the password from the client, ICH408I Invalid Password.  I find
no documentation that indicates it is input to the algorithm nor any
documentation that a user employing passtickets requires a password.  Why is
a password necessary? 

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@bama.ua.edu with the message: INFO IBM-MAIN
