In general, DCAS provides a service for returning a PassTicket. A PassTicket is like a password and can be used to log on to z/OS® applications. RACF® provides PassTicket support using the PTKTDATA class. For information about PassTickets and about using the secured signon function, see z/OS Security Server RACF Security Administrator's Guide. The type of information DCAS returns depends upon the type of information requested by the client. Also, DCAS configuration controls what type of information is allowed to be provided.
DCAS provides two types of information:
- Given an X.509 certificate and an application ID, DCAS returns the user ID that has been mapped to the certificate in RACF and a PassTicket. This can be used by logon services that want to provide certificate-based logons. In this case, the certificate provided must be associated with a valid user ID in RACF. For information on using RACDCERT to administer certificates, see z/OS Security Server RACF Security Administrator's Guide. This support is used by IBM's Express® Logon Feature (ELF) for the 3-tier solution.
- Given a user ID and an application ID, DCAS returns a PassTicket. In this case, the end user should already have been authenticated using a method such as Web-based sign on, and the logon solution provider must ensure this authentication prior to requesting the PassTicket. This support is used by IBM®'s Web Express Logon (WEL).