3.5.1 Configure Settings - Automated Sign-on

Before you begin, obtain this information for each DCAS server (from your z/OS host administrator):

  • DCAS server name

  • DCAS server port

NOTE: When smart cards are used for authentication, configure those settings first, and then continue with these steps to configure Automated Sign-on.

See the MSS Help for more information about each setting.

  1. In the Administrative Console, click Configure Settings - Automated Sign-on.

  2. Check Enable automated sign-on to mainframe sessions.

  3. Click +ADD and enter the details for the DCAS Server Configuration.

    NOTE: To configure MSS for automated sign-on, you need the DCAS server name, the DCAS server port, and the source where the mainframe user names are stored. On the host side, two prerequisites must already be in place:

    • Each DCAS server must be configured to accept client connections from the Administrative Server.

    • Several keystores must be correctly configured for client authentication. (For details, see Configuring DCAS and RACF.)

  4. Enter the DCAS Server name and the Server port.

    The default DCAS port is 8990; however, the DCAS server can be configured to listen on any port, so confirm the value with your z/OS host administrator.

  5. Choose which certificate to use for client authentication of the MSS Administrative Server to the DCAS server.

    • Use Management and Security Server certificate. This option uses the Administrative Server’s certificate and private key (configured on the Configure Settings - Certificates panel).

    • Use custom keystore. This option uses a separate keystore that contains a certificate and private key. Follow these steps:

    1. Enter the Keystore filename with the correct extension. The keystore can be one of these formats:

      • Java keystore: .jks

      • PKCS#12 keystore: .p12 or .pfx

      • Bouncy Castle BCFKS keystore: .bcfks

    2. Enter the (case-sensitive) Keystore password used to read the keystore.

      The password for the keystore and the private key must be the same.

    3. The keystore must be placed in the MSSData\trustedcerts folder. Because this file holds the private key that authenticates the Administrative Server to DCAS, restrict access to the folder to the account that runs the Administrative Server. The default Windows location is

      C:\ProgramData\Micro Focus\MSS\MSSData\trustedcerts

  6. Check Verify server identity to have the Administrative Server compare the hostname entered in the Server name field against the certificate the DCAS server presents when the secure connection is made. Leave this checked in production: without it the connection is still encrypted, but any host presenting a certificate that chains to a trusted CA would be accepted as the DCAS server.

  7. Click TEST CONNECTION to test the connection between the MSS Administrative Server and the DCAS server. Then click OK to return to Configure Settings - Automated Sign-on.
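The following script is an added example, not code from Management and Security Server: a stand-alone equivalent of TEST CONNECTION that an administrator can run from the MSS host to confirm that DCAS accepts the client certificate and that the server's certificate matches its name. It uses PEM files rather than a .jks or .p12 keystore, because Python's ssl module does not read those formats (export the certificate and key with keytool or openssl first). The file paths, the DCAS host name and the `verify_identity` parameter name are assumptions made for the example.

```python
"""Pre-flight check of the Administrative Server -> DCAS TLS connection.

Added example (not MSS code). Models the Configure Settings - Automated
Sign-on connection test: mutual TLS to DCAS with optional hostname
verification, mirroring the 'Verify server identity' check box.
"""
import socket
import ssl
import sys
from typing import Optional

DCAS_DEFAULT_PORT = 8990  # DCAS default; the server may be configured to use any port


def make_dcas_context(ca_file: Optional[str], cert_file: Optional[str],
                      key_file: Optional[str], key_password: Optional[str] = None,
                      verify_identity: bool = True) -> ssl.SSLContext:
    """Build the client-side TLS context used to reach DCAS.

    verify_identity=False still encrypts the session and still requires the
    DCAS certificate to chain to ca_file, but the certificate's subject/SAN is
    not compared with the host name, so any server holding a certificate from
    the same CA would be accepted. Keep it True outside of troubleshooting.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = verify_identity
    ctx.verify_mode = ssl.CERT_REQUIRED      # always authenticate the DCAS server
    if cert_file:                            # our certificate for DCAS client authentication
        ctx.load_cert_chain(cert_file, key_file, password=key_password)
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Report the security-relevant settings of a context (used by the test)."""
    return {
        "verify_identity": ctx.check_hostname,
        "require_server_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "minimum_tls": ctx.minimum_version.name,
    }


def check_dcas_connection(host: str, port: int, ctx: ssl.SSLContext,
                          timeout: float = 5.0) -> dict:
    """Open a TLS session to DCAS and return what the server presented.

    Raises ssl.SSLCertVerificationError on a name or chain mismatch and
    ssl.SSLError if DCAS rejects our client certificate during the handshake.
    """
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            version = tls.version()
    return {
        "protocol": version,
        "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
        "issuer": dict(rdn[0] for rdn in cert.get("issuer", ())),
        "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
    }


if __name__ == "__main__":
    # Usage: dcas_check.py <dcas-host> [port] ; paths below are assumptions.
    host = sys.argv[1] if len(sys.argv) > 1 else "dcas.example.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else DCAS_DEFAULT_PORT
    context = make_dcas_context("dcas-ca.pem", "mss-client.pem", "mss-client-key.pem")
    print(context_summary(context))
    print(check_dcas_connection(host, port, context))
```

Run it once with the defaults and once with `verify_identity=False`; if only the second succeeds, the DCAS certificate does not carry the name you entered in the Server name field, and the fix is the certificate or the name, not unchecking the box.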

    Using a secondary LDAP directory to store mainframe user names

  8. If you are using a secondary LDAP directory in the Automated Sign-on workflow (Option B in Choose a data store option), check Enable secondary LDAP server.

    1. Enter the server-specific information for this LDAP server: Server type, Security options, Server name, Server port, User name, and Password.

    2. Enter details for the Directory search base. See Help for more information.

    3. When TLS/SSL is selected, you need to import the LDAP server's trusted certificate into the default trusted keystore. Click IMPORT CERTIFICATE.

    4. TEST CONNECTION verifies the connection between the MSS Administrative Server and the secondary LDAP server. If the connection fails, consult the logs to resolve the issue.

  9. Under User Principal Name (UPN), enter the name of the LDAP attribute in the authenticating directory that contains the UPN value.

    This value is needed when assigning automated sign-on sessions that derive the mainframe user names from the UPN.

  10. If using a secondary LDAP server, enter information for the Search filter. See Help for more information.

    NOTE: Remember this selection. When you Assign Access, you are prompted to select the Method to obtain mainframe user name. Choose from these options:

    • Not set. This default is not a viable option for automated sign-on; choose another method.

    • Derive from UPN. Select this option to request a PassTicket from DCAS by deriving the mainframe username from the User Principal Name (UPN) of the user. The UPN is typically available from a smart card or client certificate, and is a standard attribute in Active Directory servers. A UPN is formatted as an Internet-style email address, such as userid@domain.com, and Management and Security Server derives the mainframe username as the short name preceding the '@' symbol.

    • Get LDAP attribute value from authenticating directory. Select this option to perform a lookup in the LDAP directory (defined in Authentication & Authorization) and return the value of the entered attribute as the mainframe username. The attribute name you enter must meet these criteria:

      • must begin with an alpha character

      • no more than 50 characters

      • any alphanumeric character or a hyphen is permitted

    • Get LDAP attribute value from secondary directory using search filter. Select this option to use the search filter to find the user object in the secondary LDAP directory; then return the value of the entered attribute as the mainframe username.

    • Literal value. This option is available for sessions assigned to users, but not groups. Enter a value that meets these criteria:

      • up to eight alphanumeric characters

      • no spaces

      • no other characters
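The following script is an added example, not code from Management and Security Server. It models the four usable "Method to obtain mainframe user name" choices and the validation rules listed above, so that an administrator can check which method will produce a usable user ID for a given account before assigning sessions. The directory entries are a constructed in-memory sample; the attribute names (userPrincipalName, sAMAccountName, mfUser, racfid), the modelling of the search filter as a predicate, and the requirement that the secondary-directory search match exactly one entry are assumptions made for the example.

```python
"""Mainframe user-name resolution for MSS automated sign-on sessions.

Added example (not MSS code). Each method below corresponds to one option
under 'Method to obtain mainframe user name'.
"""
import re
from typing import Callable, Dict, Optional

Entry = Dict[str, str]

# Attribute name: begins with a letter, no more than 50 characters,
# letters, digits or hyphen only (the criteria listed above).
ATTR_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]{0,49}")
# Literal value: up to eight alphanumeric characters, no spaces, nothing else.
LITERAL_RE = re.compile(r"[A-Za-z0-9]{1,8}")

# Constructed sample directories (assumed attribute names).
AUTH_DIRECTORY: Dict[str, Entry] = {
    "CN=Alice,OU=Users,DC=example,DC=com": {
        "userPrincipalName": "alice@example.com", "sAMAccountName": "alice",
        "mfUser": "ALICE01"},
    "CN=Bob,OU=Users,DC=example,DC=com": {
        "userPrincipalName": "bob@example.com", "sAMAccountName": "bob"},
}
SECONDARY_DIRECTORY: Dict[str, Entry] = {
    "uid=alice,ou=mainframe,dc=example,dc=com": {"uid": "alice", "racfid": "ALICE01"},
    "uid=bob,ou=mainframe,dc=example,dc=com": {"uid": "bob", "racfid": "BOB01"},
}


def valid_attribute_name(name: str) -> bool:
    return ATTR_NAME_RE.fullmatch(name) is not None


def valid_literal(value: str) -> bool:
    return LITERAL_RE.fullmatch(value) is not None


def derive_from_upn(upn: str) -> str:
    """Return the short name preceding '@' in an Internet-style UPN."""
    short, sep, _domain = upn.partition("@")
    if not sep or not short:
        raise ValueError(f"not a usable UPN: {upn!r}")
    return short


def attribute_value(entry: Entry, attr: Optional[str]) -> str:
    """Return one attribute of a directory entry, after validating its name."""
    if attr is None or not valid_attribute_name(attr):
        raise ValueError(f"invalid LDAP attribute name: {attr!r}")
    if attr not in entry:
        raise ValueError(f"attribute {attr!r} not present on entry")
    return entry[attr]


def find_one(directory: Dict[str, Entry], match: Callable[[Entry], bool]) -> Entry:
    """Model the secondary-directory search. Exactly one hit is required
    (assumption): a filter that matches several entries must not silently
    sign the user on as the first one found."""
    hits = [e for e in directory.values() if match(e)]
    if len(hits) != 1:
        raise ValueError(f"search filter matched {len(hits)} entries, expected 1")
    return hits[0]


def resolve_mainframe_user(method: str, user: Entry, *, attr: Optional[str] = None,
                           secondary: Optional[Dict[str, Entry]] = None,
                           search: Optional[Callable[[Entry, Entry], bool]] = None,
                           literal: Optional[str] = None,
                           upn_attr: str = "userPrincipalName") -> str:
    """Apply the chosen method to the authenticated user's directory entry."""
    if method == "derive_from_upn":
        return derive_from_upn(attribute_value(user, upn_attr))
    if method == "authenticating_directory":
        return attribute_value(user, attr)
    if method == "secondary_directory":
        if secondary is None or search is None:
            raise ValueError("secondary directory and search filter are required")
        # search(candidate, user) plays the role of the configured search filter
        return attribute_value(find_one(secondary, lambda cand: search(cand, user)), attr)
    if method == "literal":
        if literal is None or not valid_literal(literal):
            raise ValueError(f"literal value does not meet the criteria: {literal!r}")
        return literal
    raise ValueError(f"method {method!r} is not usable for automated sign-on")
```

Note that "Derive from UPN" takes whatever precedes the '@'; if that short name is not a valid user ID on the host, DCAS will not issue a PassTicket for it, so check the result against the host's naming rules before choosing that method for a group.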

  11. Click Apply.

    The Initial Setup requirements are met for Management and Security Server.

  12. Next step: 6. Enable your emulator for automated sign-on