Multi-Factor Authentication

Multi-factor authentication allows users to sign on to Enterprise Server CICS without entering a username and password. A secure user identifier, such as a certificate, is mapped to a username and is used to generate a passtoken. Users may use smartcards, biometrics, or other authentication systems to identify themselves to the system. The username and passtoken can then be used to log on to CICS in an automated way.

There are two main solutions for multi-factor authentication:

The Express Logon Feature (ELF) is supported by most TN3270 emulators. It uses an SSL/TLS connection from the client to the TN3270 server, over which the client presents its certificate for identification. Placeholder username and password tokens are entered on the CICS logon screen. The server reads the client certificate used in the SSL/TLS connection, then examines its certificate store to determine whether a username is mapped to that certificate. If there is, it can generate a passtoken and replace the placeholder username and password tokens with the actual username and passtoken, allowing the client to log on.

Automated Sign-On for Mainframe is an alternative logon mechanism, where the server assumes that the user's credentials have already been authenticated, for example, by software such as Micro Focus Host Access Management and Security Server. This verification can take several forms, the details of which are product-specific. Products that can be used for Automated Sign-On for Mainframe map a user's certificate, or other identifying credentials, to a CICS username and then generate a passtoken. The ID and passtoken can then be used to log on. Enterprise Server processes the username and passtoken as it would a username and password entered by a user.

Both of these logon solutions rely on the Digital Certificate Access Server (DCAS). The DCAS service performs the certificate mapping lookup required by ELF and the passtoken generation used for both ELF and Automated Sign-On for Mainframe. The certificate mapping can be administered with the command-line utility cascertreg.
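The following model of the ELF substitution step and the DCAS passtoken lookup is an added example, not Enterprise Server or DCAS code. The placeholder token strings, the HMAC-over-time-window passtoken construction, the server secret, and the certificate and username in the mapping are all assumptions or constructed values; the real passtoken format and the real cascertreg mapping store are not described on this page.

```python
import hashlib
import hmac
import time

# Hypothetical placeholder tokens that the TN3270 emulator types into the CICS
# logon screen; the real ELF token values are not given on this page.
PLACEHOLDER_USER = "$ELFUSER$"
PLACEHOLDER_PASS = "$ELFPASS$"
SERVER_SECRET = b"constructed-dcas-signing-key"   # assumed server-side secret
PASSTOKEN_WINDOW_SECONDS = 60                     # assumed passtoken lifetime

def fingerprint(cert_der: bytes) -> str:
    """Identify a client certificate by the SHA-256 of its DER encoding."""
    return hashlib.sha256(cert_der).hexdigest()

# Constructed stand-in for the certificate-to-username mapping DCAS consults
# (the mapping that cascertreg administers). Certificate bytes and user are made up.
DEMO_CERT = b"-- constructed client certificate DER bytes --"
CERT_MAP = {fingerprint(DEMO_CERT): "CICSUSR1"}

def generate_passtoken(username: str, now=None) -> str:
    """Assumed construction: keyed MAC over username and time window, so the
    token is short-lived and cannot be forged without the server secret."""
    now = time.time() if now is None else now
    window = int(now // PASSTOKEN_WINDOW_SECONDS)
    mac = hmac.new(SERVER_SECRET, f"{username}:{window}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16].upper()

def verify_passtoken(username: str, token: str, now=None) -> bool:
    """Accept the current window and the previous one to absorb clock skew."""
    now = time.time() if now is None else now
    window = int(now // PASSTOKEN_WINDOW_SECONDS)
    return any(
        hmac.compare_digest(generate_passtoken(username, w * PASSTOKEN_WINDOW_SECONDS), token)
        for w in (window, window - 1)
    )

def elf_substitute(fields: dict, cert_der: bytes, now=None):
    """Swap the placeholders for the mapped username and a fresh passtoken.
    Non-placeholder fields pass through; an unmapped certificate yields None,
    so placeholder tokens are never forwarded to CICS as real credentials."""
    if fields.get("user") != PLACEHOLDER_USER or fields.get("password") != PLACEHOLDER_PASS:
        return fields
    username = CERT_MAP.get(fingerprint(cert_der))
    if username is None:
        return None
    return {"user": username, "password": generate_passtoken(username, now)}
```

The point to take from the model is that the passtoken is server-generated, bound to the mapped username and time-limited, so a captured token is of little use outside its window, and an unmapped certificate must fail closed rather than fall back to the placeholders.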