PassTicket module
The PassTicket token STS module validates and issues Resource Access Control Facility (RACF) PassTicket tokens.
The PassTicket module is called PassTicketSTSModule. PassTicket tokens extend the structure of Username tokens by adding a generated PassTicket.
- Scenario
- Custom trust chains
- Supported modes
  - Validate
  - Issue
  - Exchange
- Configuration properties for Validate mode
  - Amount of time the token remains valid (seconds)
    An integer value that indicates the amount of time, in seconds, the token remains valid. Default value is 300. The special value -1 means the token does not expire.
  - Hexadecimal key used to validate a PassTicket token
    A key value that consists of exactly 16 hexadecimal digits, which is used to validate a PassTicket. When you edit the property, leave the value as ******** if the key does not need to be changed.
  - The name of the application used to generate the unique PassTicket
    The name of the application that was used to generate the unique PassTicket. This property must be an eight-character user ID. The characters must be alphanumeric. For example, GS1SGRAM.
    Dynamic application names are supported. You can override the configured application name by supplying an application name in the SOAP request. When the module is in Validate mode, the application name to use is determined as follows:
    - If an application name is supplied in wst:Claims, use it.
    - If an application name is not supplied in wst:Claims, use the name that is configured in the module.
  - Enable signature validation
    Whether to enable validation of signatures in the token module. Default is false.
  - Certificate database
    Keystore containing the key or certificate for validating the signatures in the PassTicket token. Required only when Enable signature validation is selected.
  - Certificate label
    Specifies the certificate in the specified keystore for validating the signatures in the PassTicket token. Required only when Enable signature validation is selected.
- Configuration properties for Issue mode and Exchange mode
  - Include a nonce in the PassTicket token
    Whether to include a nonce (random bits used for obfuscating the element) in the PassTicket token.
  - Add creation timestamp in the PassTicket token
    Whether to add a time stamp to the PassTicket token, indicating the creation time of the token.
  - Hexadecimal key used to generate a PassTicket token
    A key value that consists of exactly 16 hexadecimal digits, which is used to generate a valid PassTicket. When you edit the property, leave the value as ******** if the key does not need to be changed.
  - The name of the application used to generate the unique PassTicket
    The name of the application that was used to generate the unique PassTicket. Must be an eight-character user ID. The characters must be alphanumeric. For example, GS1SGRAM.
    Dynamic application names are supported. You can override the application name by supplying an application name in the SOAP request. When the module is in Issue mode, the application name to use is determined in the following order:
    - If an application name is supplied in ContextAttributes, use it.
    - If an application name is not supplied in ContextAttributes, but an application name is supplied in wst:Claims, use the wst:Claims name.
    - If an application name is not supplied in either ContextAttributes or wst:Claims, use the name configured in the module.
  - Enable signing of the PassTicket token
    Whether to enable signing of the PassTicket token. Default is false.
  - Certificate database
    Keystore containing the key or certificate for signing the PassTicket token. Required only when Enable signing of the PassTicket token is selected.
  - Certificate label
    Specifies the certificate in the specified keystore for signing the PassTicket token. Required only when Enable signing of the PassTicket token is selected.
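The following Python is an added example, not code from the PassTicket module or its product, that models the rules stated above for both the Validate-mode and Issue-mode property sets: the 16-hex-digit key format (with the ******** keep-existing placeholder), the eight-character alphanumeric application name, the application-name precedence for each mode (in Validate mode only wst:Claims and the configured name are consulted, as the page lists), the token lifetime with -1 meaning no expiry, and the rule that a keystore and certificate label are required only when signature validation is enabled. The property names in the sample dictionary and the function names are assumptions made for the example.

```python
import re

HEX_KEY_RE = re.compile(r"[0-9A-Fa-f]{16}")   # exactly 16 hexadecimal digits
APP_NAME_RE = re.compile(r"[A-Za-z0-9]{8}")   # eight alphanumeric characters
KEY_UNCHANGED = "********"                    # placeholder: keep the stored key


def validate_key(value: str) -> bool:
    """A key is valid if it is 16 hex digits, or the ******** placeholder."""
    return value == KEY_UNCHANGED or HEX_KEY_RE.fullmatch(value) is not None


def validate_app_name(value: str) -> bool:
    """Application names must be exactly eight alphanumeric characters, e.g. GS1SGRAM."""
    return APP_NAME_RE.fullmatch(value) is not None


def resolve_app_name(mode, configured, claims_name=None, context_name=None):
    """Apply the precedence the page gives for each mode.
    Issue mode: ContextAttributes, then wst:Claims, then the configured name.
    Validate mode: wst:Claims, then the configured name."""
    if mode == "issue":
        candidates = (context_name, claims_name, configured)
    elif mode == "validate":
        candidates = (claims_name, configured)
    else:
        raise ValueError(f"unknown mode: {mode}")
    for name in candidates:
        if name:
            if not validate_app_name(name):
                raise ValueError(f"invalid application name: {name!r}")
            return name
    raise ValueError("no application name available")


def token_is_current(created_at: int, now: int, lifetime_seconds: int) -> bool:
    """Lifetime -1 means the token never expires; otherwise it is valid for
    lifetime_seconds after creation. Tokens timestamped in the future are rejected."""
    if lifetime_seconds == -1:
        return True
    if lifetime_seconds < 0:
        raise ValueError("lifetime must be a non-negative integer or -1")
    return 0 <= now - created_at <= lifetime_seconds


def check_validate_mode_config(props: dict) -> list:
    """Return the problems found in a Validate-mode property set (keys are assumed names)."""
    problems = []
    if not validate_key(props.get("key", "")):
        problems.append("key must be exactly 16 hexadecimal digits")
    if not validate_app_name(props.get("application_name", "")):
        problems.append("application name must be eight alphanumeric characters")
    lifetime = props.get("lifetime_seconds", 300)
    if not isinstance(lifetime, int) or lifetime < -1:
        problems.append("lifetime must be a non-negative integer or -1")
    if props.get("signature_validation") and not (props.get("keystore") and props.get("certificate_label")):
        problems.append("signature validation requires a keystore and a certificate label")
    return problems
```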