Configure Automated Sign-On for Mainframe - IBM DCAS
Use the MSS Administrative Console to configure an IBM DCAS Server, which is required for automated sign-on. The DCAS (Digital Certificate Access Server) configuration is used to obtain a PassTicket from the mainframe.
The configured IBM DCAS servers are listed. From here you can add, edit, or delete an IBM DCAS server, test the connection, and set a preferred IBM DCAS server.
Add an IBM DCAS server
Click +ADD and enter the details for the IBM DCAS Server Configuration.
Note
Check with your mainframe host administrator regarding the required IBM DCAS settings.
- Each IBM DCAS server must be configured to accept client connections from the MSS Server.
- Several keystores must be correctly configured for client authentication. For details, see Configuring DCAS and RACF on z/OS in the Automated Sign-On for Mainframe - Administrator Guide.
To configure MSS for automated sign-on, you need the IBM DCAS server name, port, and the source where the mainframe user names are stored.
Server name
Enter the name of the IBM DCAS server.
Server port
The default port is 8990; however, the IBM DCAS server can be configured to use any port.
Client certificate used to authenticate to IBM DCAS server
Choose a certificate to use for client authentication of the MSS Server to the IBM DCAS server.
- Use Cluster DNS certificate
  This option uses the cluster DNS certificate, which is set in the MSS Cluster Management console. For details, see Configure Your Cluster in the MSS Deployment Guide.
- Use custom keystore
  Use this option to import a separate keystore that contains a certificate and private key.
  - Click Import, browse to and open the keystore file to be imported to the MSS Server. The keystore can be one of these formats:
    - Java keystore: .jks
    - PKCS#12 keystore: .p12 or .pfx
    - Bouncy Castle BCFKS keystore: .bcfks
  - Enter and confirm the (case-sensitive) Keystore password used to read the keystore.
    The password for the keystore and the private key must be the same.
Verify host identity
Check this box to verify the hostname entered in the Server name field against the certificate received from the IBM DCAS server when a secure connection is made from the MSS Server to DCAS.
Test Connection
Click this button to test the connection between the MSS Server and the IBM DCAS server.
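The following is an added example, not part of the product or its documentation, showing why a connection can fail once Verify host identity is checked: the value in the Server name field has to be covered by the names in the server certificate. It applies the common RFC 6125-style matching rules to constructed certificates in the dictionary shape returned by Python's ssl.SSLSocket.getpeercert(); the host names, addresses and function names are assumptions, and how MSS itself performs the match is not described on this page.

```python
import ipaddress

def _dns_match(pattern: str, host: str) -> bool:
    """Match one SAN DNS entry; '*' may only stand for the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Reject over-broad wildcards such as "*.com".
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def host_identity_ok(server_name: str, cert: dict) -> bool:
    """True if server_name is covered by the certificate's subjectAltName entries."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(server_name)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only matches "IP Address" entries, never DNS names.
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in sans)
    return any(kind == "DNS" and _dns_match(val, server_name) for kind, val in sans)

# Constructed sample certificates (not taken from a real DCAS server).
CERT_FQDN = {"subjectAltName": (("DNS", "dcas1.mainframe.example.com"),)}
CERT_WILD = {"subjectAltName": (("DNS", "*.mainframe.example.com"),
                                ("IP Address", "192.0.2.10"))}

if __name__ == "__main__":
    for name, cert in [("dcas1.mainframe.example.com", CERT_FQDN),
                       ("dcas1", CERT_FQDN),        # short name: not covered
                       ("192.0.2.10", CERT_FQDN),   # IP with DNS-only cert
                       ("192.0.2.10", CERT_WILD),
                       ("a.b.mainframe.example.com", CERT_WILD)]:
        print(f"{name!r:34} -> {host_identity_ok(name, cert)}")
```

If the check fails for the name you entered, either change the Server name field to a name the certificate carries or have the host administrator reissue the certificate with the matching name.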
Using multiple IBM DCAS Servers
You can configure more than one IBM DCAS server for automated sign-on. Repeat the steps to Add an IBM DCAS server. Then, you can Set a Preferred IBM DCAS server.
Set a Preferred IBM DCAS server
When multiple IBM DCAS servers are configured, you can select a preferred one to use when assigning sessions. Select the IBM DCAS server, and click Prefer. A star appears next to the preferred server name.
When you assign access to an automated sign-on session, the preferred server will be highlighted; however, you can choose any of your configured IBM DCAS servers.
Edit an existing IBM DCAS server
Select a server and click EDIT. Adjust the settings as needed and click OK.
Delete an IBM DCAS server
Select the IBM DCAS server, and click DELETE. When sessions are assigned to use this IBM DCAS server, a dialog lists the assigned sessions.
Note
If only one IBM DCAS server is configured, all of the session assignments will be removed. You can cancel this action in the confirmation message.
If multiple IBM DCAS servers are configured, you have the option to either remove or re-assign the sessions. To change the session assignments, select a different IBM DCAS server from the drop-down list.
Next steps
- Configure the Common Settings for a secondary LDAP server, if required.
- To configure the client and the z/OS host, refer to the Automated Sign-On for Mainframe - Administrator Guide.