Using RACF passtickets in the IMS header

If you want to use a passticket instead of a password in the IMS header (MQIIH), specify the application name against which the passticket will be validated in the PASSTKTA attribute of the STGCLASS definition of the IMS Bridge queue to which the message will be routed.

If the PASSTKTA value is left blank, arrange to have a passticket generated. The application name in this case must be of the form MVSxxxx, where xxxx is the SMFID of the z/OS system on which the target queue manager runs.

A passticket is built from a user ID, the target application name, and a secret key. It is an 8-byte value containing uppercase alphabetic and numeric characters. It can be used only once, and is valid for a 20 minute period. If a passticket is generated by a local RACF system, RACF only checks that the profile exists and not that the user has authority against the profile. If the passticket was generated on a remote system, RACF will validate the access of the userid to the profile. For full information about passtickets, see the z/OS SecureWay Security Server RACF Security Administrator's Guide.

Passtickets in IMS headers are given to RACF by WebSphere MQ, not IMS.