In general, DCAS provides a service for returning a PassTicket. A PassTicket is like a password and can be used to log on to z/OS® applications. RACF® provides PassTicket support using the PTKTDATA class. To understand PassTickets and using the secured signon function, see z/OS Security Server RACF Security Administrator's Guide. The type of information DCAS returns depends upon the type of information requested by the client. Also, DCAS configuration controls what type of information is allowed to be provided.
DCAS provides two types of information:
- Certificate-based
Given an x.509 certificate and an application ID, DCAS returns the user ID that has been mapped to the certificate in RACF and a PassTicket. This can be used by logon services that want to provide certificate-based logons. In this case, the certificate provided must be associated with a valid user ID in RACF. For information on using RACDCERT to administer certificates, see z/OS Security Server RACF Security Administrator's Guide. This support is used by IBM's Express® Logon Feature (ELF) for the 3-tier solution.
- User ID-based
Given a user ID and an application ID, DCAS returns a PassTicket. In this case, the end-user should already have been authenticated using a method such as Web-based sign on, and the logon solution provider must ensure this authentication prior to requesting the PassTicket. This support is used by IBM®'s Web Express Logon (WEL).
- You must configure the DCAS server. For details on configuring DCAS, see z/OS Communications Server: IP Configuration Reference. The DCAS server must be configured to support the IBM logon solution that you want, or when using it for a general or third-party solution, must be configured to return the information that the client requires. This requires that the system administrator that is configuring DCAS and the logon service provider using DCAS work together. The SERVERTYPE configuration statement in the DCAS server profile determines the type of information that DCAS can provide to connecting clients and services (certificate-based, user ID-based, or both).
DCAS requires that all clients must connect by
using TLS/SSL and that the client must be authenticated. DCAS calls
System SSL or uses AT-TLS for TLS/SSL. For more information, see Customizing DCAS for TLS/SSL.
Review the CLIENTAUTH
parameter in the DCAS configuration profile for determining the level
of DCAS client authentication. To understand how to configure SSL
key rings and certificates for DCAS, see TLS/SSL security.- For all supported configurations, DCAS provides a PassTicket for z/OS applications that are targets for express logon. For these applications, a PassTicket data profile must be defined. RACF provides PassTicket support using the PTKTDATA class.