Optional: Enable PassTicket processing

You only need to enable PassTicket processing if you want the supplied CICS® Configuration Manager ISPF or batch client to connect to the CICS Configuration Manager server via an authenticated Internet Protocol (IP) port (with or without SSL encryption).

Connecting via an authenticated port is strongly recommended. Without authentication, the CICS Configuration Manager server transactions run under the authority of the CICS default user. In these cases, CICS Configuration Manager server security controls (by API command or resource definition key) become meaningless, and any changes (and resultant histories) cannot be tracked to the originating user. To ensure that only authenticated ports are used for CICS Configuration Manager server functions, deny the CICS default user access to the CICS Configuration Manager transaction CCVA.
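
As an added illustration (not taken from the product documentation), the RACF commands below show one way to deny the CICS default user access to CCVA. They assume that RACF is the ESM, that transaction-attach security is active with the default TCICSTRN class (SEC=YES, XTRAN=YES), that the default user ID is the CICS-supplied default CICSUSER, and that CCVUSERS is a hypothetical group holding the users who may run the server transaction.

```tso
RDEFINE TCICSTRN CCVA UACC(NONE)                        /* no universal access to CCVA          */
PERMIT CCVA CLASS(TCICSTRN) ID(CICSUSER) ACCESS(NONE)   /* assumed DFLTUSER: explicitly denied  */
PERMIT CCVA CLASS(TCICSTRN) ID(CCVUSERS) ACCESS(READ)   /* hypothetical group of real users     */
SETROPTS RACLIST(TCICSTRN) REFRESH                      /* refresh the in-storage profiles      */
RLIST TCICSTRN CCVA AUTHUSER                            /* check: review UACC and access list   */
```

If a CCVA profile already exists, use RALTER instead of RDEFINE, and check that no generic or grouping-class profile still grants the default user access.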

If you are evaluating CICS Configuration Manager in an isolated test environment, or you are installing CICS Configuration Manager in a secure, firewalled network, then you may choose to use an unauthenticated IP port. In that case, skip to Start the ISPF dialog interface.

Each time the supplied CICS Configuration Manager ISPF or batch client sends a command request to the server via an authenticated port, it includes a PassTicket to authenticate the user making the request. CICS uses the external security manager (ESM) at your installation to validate the PassTicket. If the PassTicket is valid, then CICS performs a sign-on and passes the command request through the CICS Configuration Manager server. (For general information on PassTickets, see CICS Transaction Server for z/OS®: CICS RACF® Security Guide.)

To allow this authentication to occur, you need to enable CICS to validate incoming PassTickets, and you need to APF-authorize the libraries containing the client programs that create PassTickets.