Describes the Digital Certificate Authentication Service (DCAS) feature, which generates temporary user credentials from X.509
certificates.
Note: This is a technology preview feature only. It is being made available to allow you to test and provide feedback on this new
capability; however, this feature is not intended for production use and it is not supported as such.
The Digital Certificate Authentication Service is an Enterprise Server for .NET feature that generates temporary user credentials
from X.509 certificates.
Typically, DCAS is used to implement single- or automatic-sign-on workflows that enable users to sign on to Enterprise Server
for .NET without manually entering a user ID and password.
Because DCAS is an authentication mechanism that provides access to Enterprise Server for .NET functionality, it is supplied
in a secure-by-default configuration, and is not enabled by default.
You can implement DCAS to work either internally with the Express Logon Facility, or externally to support advanced authentication
systems such as Automated Sign-On for Mainframe.
Internal implementation for ELF
An internal DCAS implementation for use with the Express Logon Facility (ELF) is configured to use the following:
- Certificate function
- Given a certificate, DCAS returns an associated user ID and a
passticket, which is a short-lived single-use password for that user. These are used by the Express Logon Facility to log a user onto
Enterprise Server .NET. See
Certificate Mapping in DCAS and
CICS Region Security for DCAS for details.
Note: The certificate function is also supported by other interfaces that identify users by certificate, such as Web interfaces.
- TN3270 listener channel
- To enable DCAS internally, configure a TN3270 listener channel to support the Express Logon Facility, which then invokes
DCAS. Using DCAS internally this way prevents DCAS from being exposed to other callers. The channel must permit or require
client certificates. See
TN3270 Client and Listener Channel
and
Certificate Mapping in DCAS for details.
Note: ELF invokes the DCAS service using an internal mechanism. It is not necessary to create a DCAS listener channel for this purpose.
- Security
- DCAS requires an External Security Facility (ESF) Security Configuration defined to include at least one Security Manager
that uses the
LdapEsm module, and has passtokens enabled.
When a sign-on attempt is made via ELF, it invokes DCAS to perform certain security checks using the External Security Facility.
Credentials are returned only for users who:
- Have sign-on privileges
- Are permitted to generate passtokens
- Have the appropriate access level granted by the PTKTDATA resource class
See
CICS Region Security for DCAS for details.
- DCAS transaction
- To use DCAS with the Express Logon Facility, the DCAS transaction must be defined in the Enterprise Server for .NET CICS
region. See
DCAS Transaction Configuration for details.
External implementation
An external DCAS implementation is configured to use the following:
- User ID function
- Given a user ID, DCAS returns a passticket for that user only. This function is used by some advanced authentication systems
such as the Automated Sign-on for the Mainframe facility implemented in the Micro Focus Host Access Management and Security
Service.
- Certificate function
- The certificate function is also available in the external implementation, just as it is in the internal implementation.
- DCAS listener channel
- To enable DCAS externally, configure a TLS-secured DCAS listener channel that permits or requires client certificates. This
invokes DCAS directly in the CICS region associated with the channel, which is required when using an advanced authentication
system such as Automated Sign-On for Mainframe. See
Defining a DCAS listener channel for details.
- Security
- As with an internal implementation, define an ESF Security Configuration to include at least one Security Manager that uses
the
LdapEsm module.