Authenticate the DCAS and the DCAS client

The type of security and authentication required will determine the way certificates are created and managed. The DCAS, in conjunction with RACF, supports several levels of authentication.

Authenticating the DCAS: The DCAS is always authenticated by the DCAS client. To process a request, the DCAS must also receive the user's z/OS application ID and user ID from the client.

Authenticating the DCAS client: The DCAS client interacts with the DCAS. Authenticating the DCAS client involves additional levels of control in which the client must have a key database (or key ring) containing a certificate. Depending on the control level, the certificate is authenticated by SSL alone or by SSL and the DCAS using RACF services. You will create this SSL key database file in the next step.

There are three levels of client authentication from which to choose:

  • Level 1
    With Level 1 authentication, the DCAS relies on the client authentication provided by the SSL key database file. This file must contain the following certificates:
    • The DCAS certificate
    • The DCAS client certificate

    To configure DCAS for this level of authentication, specify the CLIENTAUTH LOCAL1 keyword and value in the DCAS configuration file. Use the KEYRING or the SAFKEYRING keywords in the DCAS configuration file to specify the key ring used by the DCAS.

  • Level 2
    Level 2 includes Level 1 authentication plus additional verification that the DCAS client certificate has been associated in RACF with a valid user ID. (This user ID must be the user ID that DCAS is running under.) To configure DCAS for this level of authentication, specify the CLIENTAUTH LOCAL2 keyword and value in the DCAS configuration file. Use FTP (with the BINARY send option, so the DER encoding is not altered in transfer) to send the DCAS client's DER certificate to an MVS data set. Then use the RACDCERT ADD command to add the certificate to RACF and associate it with a user ID, as shown in the following example:
    RACDCERT ID(dcasid) ADD('CERT-DATASET') TRUST
    where dcasid is the name of the user ID and CERT-DATASET is the FTP'd data set containing the certificate.
  • Level 3
    Level 3 includes Level 2 authentication plus verification that the DCAS client is authorized to use the DCAS. The user ID derived from the certificate by the Level 2 RACF check must be permitted to the EZA.DCAS.cvtsysname resource in the SERVAUTH class, where cvtsysname is the name of the MVS system image. The following two conditions apply:
    • If the SERVAUTH class is not active, or the EZA.DCAS.cvtsysname profile is not defined, or both, DCAS assumes this enhanced level is not requested.
    • If the SERVAUTH class is active and the EZA.DCAS.cvtsysname profile is defined, but the user ID associated with the certificate is not permitted to it, the requester's connection is terminated. Grant access with the following commands:
    RDEFINE SERVAUTH EZA.DCAS.cvtsysname UACC(NONE)
    PERMIT EZA.DCAS.cvtsysname CLASS(SERVAUTH) ACCESS(CONTROL) ID(dcasid) 
    where dcasid is the name of the user ID and cvtsysname is the name of the MVS system image.

To configure DCAS for Level 3 authentication, follow these steps:

  1. Specify the CLIENTAUTH LOCAL2 keyword and value in the DCAS configuration file.
  2. Activate the SERVAUTH RACF class.
  3. Define a profile for the EZA.DCAS.cvtsysname resource and associate the profile with the user ID associated with the certificate.
Note:
The ID associated with the certificate and the EZA.DCAS.cvtsysname can be any valid user ID.
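
The following REXX exec is an added example, not IBM's code and not part of the original page; it strings the Level 2 and Level 3 RACF commands above into one repeatable sequence and derives cvtsysname from the running system so the resource name cannot be mistyped. The user ID DCASCLNT, the data set 'DCASCLNT.CERT.DER', the certificate label and the key ring name DCASRING are assumed values; replace them with your own.

```rexx
/* REXX - Level 3 DCAS client authentication, RACF side (added example) */
/* Assumed names (not from the page): user ID DCASCLNT, data set        */
/* 'DCASCLNT.CERT.DER' (sent with FTP BINARY), key ring DCASRING.       */
/* The DCAS configuration file must contain at least:                   */
/*     CLIENTAUTH LOCAL2                                                */
/*     SAFKEYRING DCASRING        (ring name assumed)                   */
address TSO
userid  = 'DCASCLNT'
certdsn = 'DCASCLNT.CERT.DER'
sysname = MVSVAR('SYSNAME')          /* cvtsysname of this MVS image */
resname = 'EZA.DCAS.'sysname

/* Level 2: associate the client certificate with the user ID */
"RACDCERT ID("userid") ADD('"certdsn"') TRUST WITHLABEL('DCAS client')"
if rc <> 0 then do
  say 'RACDCERT ADD failed, rc='rc' - check that the data set is DER, sent in BINARY'
  exit rc
end
"RACDCERT ID("userid") LIST"        /* confirm the certificate is TRUSTed */

/* Level 3: activate SERVAUTH and permit the user ID to the DCAS resource */
"SETROPTS CLASSACT(SERVAUTH) RACLIST(SERVAUTH)"
"RDEFINE SERVAUTH "resname" UACC(NONE)"
"PERMIT "resname" CLASS(SERVAUTH) ACCESS(CONTROL) ID("userid")"
"SETROPTS RACLIST(SERVAUTH) REFRESH"  /* make the new profile effective */

/* Verify: only DCASCLNT should appear with CONTROL access */
"RLIST SERVAUTH "resname" AUTHUSER"
exit 0
```

Because the profile is defined with UACC(NONE) before anyone is permitted, there is no window in which an unlisted user ID can reach the DCAS once SERVAUTH is active; if RDEFINE reports the profile already exists, the PERMIT and REFRESH still apply. Run RLIST afterwards and remove any PERMIT entries you do not recognize.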