5. Establish Trust between the MSS Administrative Server and the DCAS Server

This step requires information about the DCAS server and is dependent on configuring DCAS and RACF on z/OS.

  • Each DCAS server must be configured to accept client connections from the MSS Administrative Server.
  • Several keystores must be correctly configured for client authentication. (For details, see Configuring DCAS and RACF.)

These settings in MSS are needed for testing, and can also be used in production.

Configure Settings - Automated Sign-On

Before you begin, obtain this information for each DCAS server (from your z/OS host administrator):

  • DCAS server name
  • DCAS server port

Note

When smart cards are used for authentication, configure those settings first, and then continue with these steps to configure Automated Sign-On.

See the MSS Help for more information about each setting.

  1. In the Administrative Console, click Configure Settings - Automated Sign-on.

  2. Check Enable Automated Sign-On for Mainframe (for z/OS systems).

  3. Click +ADD and enter the name and port of the DCAS server.

    The default port is 8990; however, the DCAS server can be configured to use any port.

  4. Choose which certificate to use for client authentication of the MSS Administrative Server to the DCAS server.

    • Use Management and Security Server certificate. This option uses the Administrative Server’s certificate and private key (configured on the Configure Settings - Certificates panel).

    • Use custom keystore. This option uses a separate keystore that contains a certificate and private key. Follow these steps:

      a. Enter the Keystore filename with the correct extension. The keystore can be one of these formats:

      • Java keystore: .jks
      • PKCS#12 keystore: .p12 or .pfx
      • Bouncy Castle BCFKS keystore: .bcfks

      b. Enter the (case-sensitive) Keystore password used to read the keystore. The password for the keystore and the private key must be the same.

      c. Click Upload to upload the custom keystore to the Management and Security Server.

  5. Check Verify server identity to verify the hostname entered in the Server name field against the certificate received from the DCAS server when a secure connection is made from the MSS Administrative Server to DCAS.

  6. Click TEST CONNECTION to test the connection between the MSS Administrative Server and the DCAS server. Then click OK to return to Configure Settings - Automated Sign-on.

Using a secondary LDAP directory to store mainframe user names

  1. If you are using a secondary LDAP directory to use in the Automated Sign-On workflow (Option B in Choose a data store option), check Enable secondary LDAP server.

    • Enter the server-specific information for this LDAP server: Server type, Security options, Server name, Server port, User name, and Password.

    • Enter details for the Directory search base. See Help for more information.

    • When TLS/SSL is selected, you need to import the LDAP server's trusted certificate into the default trusted keystore. Click IMPORT CERTIFICATE.

    • TEST CONNECTION verifies the connection between the secondary LDAP server and the MSS Administrative Server. If the connection fails, consult the logs to resolve the issue.

  2. Under User Principal Name (UPN), enter the name of the LDAP attribute in the authenticating directory that contains the UPN value.

    This value is needed when assigning automated sign-on sessions that derive the mainframe user names from the UPN.

  3. If using a secondary LDAP server, enter information for the Search filter. See Help for more information.

    Remember your selection. When you Assign Access, you are prompted to select the Method to obtain mainframe user name. Choose from these options:

    • Not set. This default is not a viable option for automated sign-on. Choose another method.

    • Derive from UPN. Select this option to request a passticket from DCAS by deriving the mainframe username from the User Principal Name (UPN) of the user. The UPN is typically available from a smart card or client certificate, and is a standard attribute in Active Directory servers. A UPN is formatted as an Internet-style email address, such as userid@domain.com, and Management and Security Server derives the mainframe username as the short name preceding the '@' symbol.

    • Get LDAP attribute value from authenticating directory. Select this option to perform a lookup in the LDAP directory (defined in Authentication & Authorization) and return the value of the entered attribute as the mainframe username. All LDAP attributes must meet these criteria:

      • must begin with an alpha character
      • no more than 50 characters
      • any alphanumeric character or a hyphen is permitted

    • Get LDAP attribute value from secondary directory using search filter. Select this option to use the search filter to find the user object in the secondary LDAP directory; then return the value of the entered attribute as the mainframe username.

    • Literal value. This option is available for sessions assigned to users, but not groups. Enter a value that meets these criteria:

      • up to eight alphanumeric characters

      • no spaces

      • no other characters

  4. Click Apply.

    The Initial Setup requirements are met for MSS.

  5. Next step: Enable your emulator for automated sign-on
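The following worked example is added here and is not code from MSS or its documentation. It applies the "Method to obtain mainframe user name" options above to a constructed directory entry: deriving the short name before '@' from a UPN, checking an entered attribute name against the three listed criteria, and checking a literal value against the eight-character rule. The sample entry, the attribute name mfUser, and the choice to return nothing for a UPN without '@' are assumptions.

```python
import re
from typing import Optional

# Rules as listed in the Automated Sign-On settings: attribute names start with an
# alpha character, run to at most 50 characters, and allow alphanumerics or a hyphen;
# literal values are up to eight alphanumerics with no spaces or other characters.
LDAP_ATTRIBUTE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]{0,49}$")
LITERAL_VALUE_RE = re.compile(r"^[A-Za-z0-9]{1,8}$")


def derive_from_upn(upn: str) -> Optional[str]:
    """'Derive from UPN': the short name preceding the '@' symbol.

    Assumption (not stated on the page): a value with no '@' or an empty short
    name is not derivable, so None is returned instead of a guessed user name.
    """
    short, sep, _domain = upn.partition("@")
    return short if sep and short else None


def is_valid_ldap_attribute_name(name: str) -> bool:
    """Criteria for the 'Get LDAP attribute value' methods."""
    return LDAP_ATTRIBUTE_RE.fullmatch(name) is not None


def is_valid_literal_value(value: str) -> bool:
    """Criteria for the 'Literal value' method."""
    return LITERAL_VALUE_RE.fullmatch(value) is not None


def resolve_mainframe_username(method: str, user: dict,
                               attribute: str = "", literal: str = "") -> Optional[str]:
    """Resolve the mainframe user name the way each method on the page describes.

    `user` is a constructed stand-in for a directory entry keyed by attribute name.
    None means the method yields no name, which an assignment should treat as a
    failure rather than sending an empty name in the passticket request.
    """
    if method == "Derive from UPN":
        return derive_from_upn(user.get("userPrincipalName", ""))
    if method.startswith("Get LDAP attribute value"):
        if not is_valid_ldap_attribute_name(attribute):
            raise ValueError(f"invalid LDAP attribute name: {attribute!r}")
        return user.get(attribute) or None
    if method == "Literal value":
        return literal if is_valid_literal_value(literal) else None
    return None  # "Not set" is not a viable option for automated sign-on


# Constructed sample directory entry (not real data).
SAMPLE_USER = {"userPrincipalName": "jsmith@example.com", "mfUser": "JSMITH1"}
```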

When smart cards are used for authentication

Configure these settings to manage the MSS Administrative Server certificate, the client certificate, and certificate signing requests.

  1. In Administrative Console, click Configure Settings > General Security.

  2. Scroll to Smart card settings. The default parameters specify the certificate attributes associated with the provider, SunPKCS11.

    • If you use SunPKCS11, you do not need to designate smart card libraries.

    • If you use a different provider, enter the smart card provider with the certificate attributes and designate the smart card libraries. For assistance, open Help and click the link for Smart card settings.

  3. Accept or change the default settings.

  4. Click Apply.

  5. Continue with Configure Settings - Automated Sign-on.