3. Configure DCAS and RACF on z/OS

This configuration is required before trust can be established between MSS and the DCAS server.

To enable Automated Sign-on for Mainframe to connect to IBM host applications, the MSS Administrative Server must exchange information with the Digital Certificate Access Server (DCAS) on z/OS (OS/390 V2R10 and later). DCAS works with RACF to obtain PassTickets, which act as time-limited single-use passwords in the automated sign-on process.

DCAS is included with the z/OS Communications Server, but is not installed by default. You may wish to verify whether DCAS has already been enabled on the mainframe.

For example, if you used the Express Logon Facility (ELF) feature of z/OS, then DCAS may already be enabled; however, other z/OS components (such as the Telnet server or RACF) may need additional configuration.

Configure DCAS to communicate with MSS

The z/OS administrator must configure DCAS (and RACF) to communicate with the MSS Administrative Server.

The administrator must also create a TLS key database file that contains both the DCAS client’s certificate information and the DCAS server's certificate (public key) information. The MSS Administrative Server and DCAS must exchange public keys and place them in the other's trusted store.

Detailed steps are presented in Appendix A. Configuring DCAS and RACF on z/OS.

In brief, the z/OS administrator will:

  • Configure RACF services for DCAS.

  • Configure DCAS and TLS on the z/OS mainframe.

  • Set up key exchange between the DCAS server and TLS.

  • Manage keys and certificates using RACF's Common key ring support.

  • Define a PassTicket profile for each application.

  • Configure the DCAS server.

  • Start the DCAS server.


If you use more than one DCAS server, you can configure each of them for Automated Sign-on. When you assign access to an automated sign-on session, you can choose which DCAS server to use.

When the z/OS setup is complete, return to the MSS Administrative Console to continue configuration.