Using a Kerberos security token in a 3270 emulator sign-on

The use of Kerberos provides stronger security because passwords are not required to flow over the network.

The process is described as follows:

  1. The Client terminal emulator requests a Kerberos token from a Kerberos authentication server.
  2. The Kerberos token is returned to the Client terminal emulator, and the content is encoded in Base64 format.
  3. The token is then forwarded in a message to the CICS® server, where a sign-on transaction receives the Base64 encoded Kerberos token and issues the SIGNON TOKEN command.
  4. The RACF® Kerberos registry validates the Kerberos token and returns the associated RACF USERID to CICS. This USERID is associated with the terminal session for subsequent tasks.

Figure 1. Flow of requests between the Client terminal emulator, the authentication server, and CICS TS

Note: Logon data cannot be used to send the Kerberos token because logon data is limited to 255 characters.
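
The following added example (not part of the original documentation, and not CICS code) illustrates steps 2 and 3 and the note: it strictly decodes a Base64 token, sanity-checks its framing before it would be handed to sign-on, and reports whether the encoded text would fit in 255 characters. It assumes the token is a GSS-API initial context token for the Kerberos V5 mechanism (RFC 4121); the function names are hypothetical and the sample token is constructed, not a real ticket.

```python
import base64
import binascii

LOGON_DATA_LIMIT = 255  # characters, from the note above
KRB5_MECH_OID = bytes.fromhex("06092a864886f712010202")  # DER, 1.2.840.113554.1.2.2
TOK_ID_AP_REQ = b"\x01\x00"  # RFC 4121 token id of an initial AP-REQ

def _der_length(buf, pos):
    """Return (length, next_pos) for the DER length field at pos."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def check_token(b64_text):
    """Strictly decode a Base64 token and check its assumed GSS-API framing."""
    try:
        raw = base64.b64decode(b64_text, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("not strict Base64") from exc
    if len(raw) < 2 or raw[0] != 0x60:
        raise ValueError("missing GSS-API application tag 0x60")
    length, pos = _der_length(raw, 1)
    if pos + length != len(raw):
        raise ValueError("declared length does not match payload")
    if raw[pos:pos + len(KRB5_MECH_OID)] != KRB5_MECH_OID:
        raise ValueError("mechanism is not Kerberos V5")
    pos += len(KRB5_MECH_OID)
    if raw[pos:pos + 2] != TOK_ID_AP_REQ:
        raise ValueError("token id is not AP-REQ")
    return {"raw_len": len(raw), "b64_len": len(b64_text),
            "fits_logon_data": len(b64_text) <= LOGON_DATA_LIMIT}

def build_sample_token(body_len=1200):
    """Constructed sample: valid framing, zero-filled body, not a real ticket."""
    inner = KRB5_MECH_OID + TOK_ID_AP_REQ + bytes(body_len)
    nb = len(inner).to_bytes((len(inner).bit_length() + 7) // 8, "big")
    der_len = nb if len(inner) < 0x80 else bytes([0x80 | len(nb)]) + nb
    return base64.b64encode(b"\x60" + der_len + inner).decode("ascii")

if __name__ == "__main__":
    print(check_token(build_sample_token()))
```

With the constructed 1200-byte body, the Base64 text is 1624 characters long, well past the 255-character logon data limit.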