Configure DCAS for Web Express Logon
The Digital Certificate Access Server (DCAS) is a TCP/IP server application that runs on z/OS servers. It interfaces with a Security Access Facility (SAF)-compliant server product to assist with express logon services such as Web Express Logon. In this scenario, this SAF-compliant server product is IBM Resource Access Control Facility (RACF).
The administrator must configure the DCAS and RACF to work with Web Express Logon. The administrator must also create an SSL key database file that contains both the DCAS client certificate information and the DCAS server's certificate (public key) information. This file is created in the next step.
During the logon automation process, the Credential Mapper Servlet (CMS) sends the DCAS the user's application ID and other client information and requests a host ID and a passticket, which is similar to a password. DCAS receives this information and passes it to RACF. In turn, RACF generates the passticket and sends it to the DCAS along with the user's host ID. DCAS passes the host ID and passticket on to Host Credential Mapper (HCM) to authenticate the user.
For more information, refer to the z/OS RACF Server Security Administrator Guide: https://www.ibm.com/docs/en/zos/3.1.0?topic=racf-zos-security-server-security-administrators-guide.
- Configure RACF services for the DCAS
- DCAS and system SSL
- Authenticate the DCAS and the DCAS client
- Manage keys and certificates using RACF's Common key ring support
- Define a passticket profile for each application
- Configure the DCAS
- Start the DCAS
- Grant a user access to a profile in the RDATALIB class