Overview of DCAS Configuration and the z/OS Security Server
Automated Sign-on for Mainframe works with DCAS, a component of the z/OS Communications Server. Automated Sign-on requires that DCAS and the z/OS security server be configured to support PassTickets.
Security servers, such as RACF (Resource Access Control Facility), Top Secret, and ACF2, support PassTickets for use with z/OS. For simplicity, procedures are presented for configuring RACF; however, with minor modifications, the concepts and procedures also apply to Top Secret and ACF2.
To enable DCAS and RACF to support PassTicket services, the following conditions must be met:
-
RACF must be configured so that DCAS can run as a system daemon.
-
TLS must be configured for use with DCAS, including these items:
-
RACF key ring support must be enabled.
-
A TLS client authentication level must be configured.
-
A TLS server certificate for DCAS must be created or obtained.
-
A TLS client certificate must be created or obtained for use by the Automated Sign-On for Mainframe system to authenticate to DCAS.
-
-
A PassTicket profile must be defined for each host application that will support automated sign-on.
-
The DCAS server configuration must be updated with values that match those used with your deployment.
-
The DCAS server must be started.
Detailed steps are provided in the sections that follow.
For more information, see these References: IBM Redbooks and Examples of Using CA ACF2 , CA Top Secret, or IBM RACF to Configure Passtickets.
Information Exchange between Automated Sign-on, DCAS, and RACF
In the Introduction of this Administrator Guide, an overview diagram depicts how the terminal client emulator, Administrative Server, and Automated Sign-On for Mainframe use PassTickets to provide automated log-on for the end user.
The following diagram shows further detail about how DCAS and the z/OS security server provide PassTicket services for use by Automated Sign-On for Mainframe. This diagram refers to the sections in Appendix A for configuring each item.