CA 7 Workload Automation

  • 1.  CA7 PassTickets

    Posted Oct 13, 2020 05:09 PM

    CA 7 PassTickets


    CA Workload Automation CA 7® is a mainframe product from Broadcom Mainframe Software Division that runs on z/OS. Top financial institutions, telecoms and retail industry leaders use CA 7 to manage millions of workload transactions per day. As a part of onboarding the Open Mainframe Project, CA 7 REST API services now conform to Zowe standards supporting PassTickets, a highly secure way of managing your network transactions.


    What is a PassTicket?


    The simplest definition is that it's usually a one-time-only password substitute. Instead of exchanging user credentials on the network multiple times, CA 7 can now authenticate with a PassTicket (per session), which is encrypted and replaces the need to send user credentials on the network. This is how Zowe invokes the CA 7 REST API, making the transaction more secure.


    How to use a PassTicket with CA 7?


    PassTicket usage typically requires you to have a single sign-on software product, such as CA Single Sign On or IBM's Network Security Program, that generates the PassTicket. CA 7 itself does not generate a PassTicket; it has been enhanced to allow you to use them now.


    What are the Do's and Don'ts of PassTickets?


    • PassTickets can be used to log in to the CA 7 VTAM APPLID session and log in to TSO (TSO APPLID). In the case of VTAM, you can use a dummy APPLID, and the same APPLID can be used by multiple instances of CA 7.
    • PassTickets can be useful in batch (e.g. BTI job, TCP/IP Batch Terminal Job). The CA 7 REST API uses the TCP/IP Batch terminal interface to send requests and receive responses. Zowe automatically generates PassTickets and plugs them into CA 7 instances. 
    • PassTickets are not valid to invoke CA 7 under ISPF, as by default a secured sign-on is used and no password is entered today.
    • PassTickets are not valid to log in to your Web Client, as the application needs to generate this in real time to sign on to CA7SRVR. It would also require the CA7SRVR to have updated APPLID and RACROUTE requests.


    Can I still use Passwords?

    Yes, with this enhancement users can sign on using a PassTicket or their password. Be advised that if they are signing on using a session manager or other product that automatically generates a PassTicket for sign-on, then CA 7 must be set up to accept that PassTicket.


    Are additional external security product rules (Top Secret, ACF2 or RACF) needed?

    CA 7 does not generate PassTickets. It accepts them based on security rules being enabled for PassTicket usage. However, the product you are using will need an additional rule to generate the PassTicket for the APPLID you are using for CA 7.


    For more information about installing PassTicket, go to www.techdocs.broadcom.com/. Enter CA 7 in the search criteria and select the CA Workload Automation CA 7® Edition documentation. Under Securing, select Security Best Practices on the left side panel, and you will see the Use Pass Tickets section on the page.




    ------------------------------
    Product Owner for CA7 & iDash
    Broadcom Inc.
    TX, USA
    ------------------------------