Automated Sign-On for Mainframe works with DCAS, a component of the z/OS Communications Server. Automated Sign-On requires that DCAS and the z/OS security server be configured to support PassTickets.
Security servers, such as RACF (Resource Access Control Facility), Top Secret, and ACF2, support PassTickets for use with z/OS. For simplicity, procedures are presented for configuring RACF; however, with minor modifications, the concepts and procedures also apply to Top Secret and ACF2.
To enable DCAS and RACF to support PassTicket services, the following conditions must be met:
- RACF must be configured so that DCAS can run as a system daemon.
- TLS must be configured for use with DCAS, including these items:
  - RACF key ring support must be enabled.
  - A TLS client authentication level must be configured.
  - A TLS server certificate for DCAS must be created or obtained.
  - A TLS client certificate must be created or obtained for use by the Automated Sign-On for Mainframe system to authenticate to DCAS.
- A PassTicket profile must be defined for each host application that will support automated sign-on.
- The DCAS server configuration must be updated with values that match those used with your deployment.
- The DCAS server must be started.
Detailed steps are provided in the sections that follow.
For more information, see these References: IBM Redbooks and Examples of Using CA ACF2, CA Top Secret, or IBM RACF to Configure PassTickets.
In the Introduction of this Administrator Guide, an overview diagram depicts how the terminal client emulator, Administrative Server, and Automated Sign-On for Mainframe use PassTickets to provide automated log-on for the end user.
The following diagram shows further detail about how DCAS and the z/OS security server provide PassTicket services for use by Automated Sign-On for Mainframe. This diagram refers to the sections in Appendix A for configuring each item.