The appropriate passtoken configuration depends on the needs of your installation, its security requirements, and administrator convenience. Here are some example passtoken configurations for typical installations:
The most secure option is to disable passtokens entirely. That means users always have to sign on explicitly when entering security domains. Administrators have to log on to MFDS and ESMAC separately, and user identity is not automatically transferred over Inter-System Communication (ISC) links between enterprise server regions, for purposes such as CICS Transaction Routing.
There is no danger of passtokens being abused in this configuration.
Disable passtokens in the ESF Manager configuration in each Security Manager object in the MFDS repository, using the MFDS administration Web interface. See Passtoken Options for ESF Manager for more information.
Administrators might find it convenient to enable passtokens for the MFDS and ESMAC administrative interfaces, especially since these two facilities provide links to each other, which makes it easy to switch between them. Because ESMAC runs as part of CAS within an enterprise server region, but MFDS is separate from any enterprise server region, they are in different security domains, despite those links; so without passtokens, the administrator has to log into each separately. With passtokens, an administrator can connect to MFDS or ESMAC, log in once, and then go between the two without losing access or having to log in again.
To use passtokens with MFDS and ESMAC, MFDS and the ES region you are administering must use the same security configuration. For example, you can set them both to use the Default ES Security configuration.
You might have to perform ESM-specific actions to enable normal passtoken generation and signon for your administrative users. With the MLDAP ESM Module, for each administrative user who should be able to switch between ESMAC and MFDS transparently, set the following attributes in the LDAP repository:
In its default configuration, MFDS does not require you to sign in. If you are not signed in, a passtoken is not generated when you switch to ESMAC. To use passtokens between MFDS and ESMAC, make sure you configure MFDS to require an administrative signon.
Customers who use the MTO Inter-System Communication (ISC) facility for CICS features such as Transaction Routing and Function Shipping between two enterprise server regions may want to enable passtokens for that purpose. That lets the two CICS regions apply the same security context to all the operations performed by an application, even when they cross security domains.
Note that passtokens are not supported for ISC conversations with non-enterprise server regions, such as MFE or mainframe CICS.
ISC passtokens are surrogate passtokens generated automatically by the system as necessary. They are always generated by the region's system user, which is the user account used to start the region.
Also, you may have to perform ESM-specific actions to enable:
For the MLDAP ESM Module, that entails:
If the regions use different LDAP repositories, note that the system user account (the one generating the token) belongs to the region that initiates the request, and the regular user account (which is signed on using the token) belongs to the region that processes the request.
Customers who want to make use of the multi-factor authentication for logging on to the mainframe without providing a username and password need to enable passtokens.
Multi-factor authentication makes use of RACF-style passtokens for logins, also referred to here as short passtokens. These short passtokens are generated by the Digital Certificate Access Server (DCAS). They enable the user to log on to CICS in the enterprise server region where the passtoken was generated.
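The two properties stated above and in the ISC paragraph earlier, that a passtoken is minted only by a trusted system component and is honoured only in the region that generated it, are what make a passtoken safe to accept as a substitute for a password. The following is an added illustration written for this page, not Micro Focus code and not the product's real token format or algorithm: a hypothetical `PasstokenIssuer` class that models a short-lived, single-use token keyed to one region, so that a token from one region is rejected by another and a token cannot be replayed. Region names, user names and keys are constructed sample values.

```python
"""Minimal model of a single-use, region-bound passtoken (hypothetical, added example)."""
import hashlib
import hmac
import secrets
import time


class PasstokenIssuer:
    """Issues and redeems short-lived surrogate sign-on tokens for one region.

    Each region holds its own secret key, so a token minted in one region
    cannot be redeemed in another. Simplified illustration only; this is not
    the format or algorithm the product uses.
    """

    def __init__(self, region, key, lifetime=60):
        self.region = region
        self.key = key            # per-region secret held by the trusted issuer
        self.lifetime = lifetime  # seconds a token stays redeemable
        self._used = set()        # nonces already redeemed (replay guard)

    def _mac(self, user, exp, nonce):
        msg = f"{user}:{self.region}:{exp}:{nonce}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue(self, user, now=None):
        """Mint a token for `user`; only the trusted issuing component calls this."""
        now = int(time.time()) if now is None else now
        exp = now + self.lifetime
        nonce = secrets.token_hex(8)
        return f"{user}:{self.region}:{exp}:{nonce}:{self._mac(user, exp, nonce)}"

    def redeem(self, token, now=None):
        """Return the user name if the token is valid here and unused, else None."""
        now = int(time.time()) if now is None else now
        parts = token.split(":")
        if len(parts) != 5:
            return None
        user, region, exp, nonce, mac = parts
        # Reject tokens minted for another region before doing any crypto
        if region != self.region or not exp.isdigit():
            return None
        # Constant-time comparison of the integrity tag
        if not hmac.compare_digest(mac, self._mac(user, int(exp), nonce)):
            return None
        # Expiry and single-use checks
        if now > int(exp) or nonce in self._used:
            return None
        self._used.add(nonce)
        return user


def demo():
    """Show accept-once in the issuing region and rejection elsewhere (constructed data)."""
    region_a = PasstokenIssuer("REGIONA", key=secrets.token_bytes(32))
    region_b = PasstokenIssuer("REGIONB", key=secrets.token_bytes(32))
    token = region_a.issue("ADMIN1")
    first = region_a.redeem(token)    # "ADMIN1": valid in the region that minted it
    replay = region_a.redeem(token)   # None: nonce already used
    foreign = region_b.redeem(region_a.issue("ADMIN1"))  # None: wrong region / key
    return first, replay, foreign


if __name__ == "__main__":
    print(demo())
```

Deterministic `now` values are accepted by `issue` and `redeem` so the expiry path can be exercised without waiting; the region check is done before the MAC so a token presented to the wrong region fails cheaply and never touches that region's key.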
You might have to perform ESM-specific configuration to enable passtoken generation and sign-on for your users. With the MLDAP ESM Module, for each user who wants to use multi-factor authentication, set the following attributes in the LDAP repository to: