Configuring the Digital Certificate Authentication Service

Describes the Digital Certificate Authentication Service (DCAS) feature, which generates temporary user credentials from X.509 certificates.
Note: This is a technology preview feature only. It is being made available to allow you to test and provide feedback on this new capability; however, this feature is not intended for production use and it is not supported as such.

The Digital Certificate Authentication Service is an Enterprise Server for .NET feature that generates temporary user credentials from X.509 certificates.

Typically, DCAS is used to implement single- or automatic-sign-on workflows that enable users to sign on to Enterprise Server for .NET without manually entering a user ID and password.

Because DCAS is an authentication mechanism that provides access to Enterprise Server for .NET functionality, it is supplied in a secure-by-default configuration, and is not enabled by default.

You can implement DCAS to work either internally with the Express Logon Facility, or externally to support advanced authentication systems such as Automated Sign-On for Mainframe.

Internal implementation for ELF

An internal DCAS implementation for use with the Express Logon Facility (ELF) is configured to use the following:

Certificate function
Given a certificate, DCAS returns an associated user ID and a passticket, which is a short-lived, single-use password for that user, presented in place of the user's real password. These are used by the Express Logon Facility to log the user on to Enterprise Server for .NET. See Certificate Mapping in DCAS and CICS Region Security for DCAS for details.
Note: The certificate function is also supported by other interfaces that identify users by certificate, such as Web interfaces.
TN3270 listener channel
To enable DCAS internally, configure a TN3270 listener channel to support the Express Logon Facility, which then invokes DCAS. Using DCAS internally this way prevents DCAS from being exposed to other callers. The channel must permit or require client certificates. See TN3270 Client and Listener Channel and Certificate Mapping in DCAS for details.
Note: ELF invokes the DCAS service using an internal mechanism. It is not necessary to create a DCAS listener channel for this purpose.
Security
DCAS requires an External Security Facility (ESF) Security Configuration defined to include at least one Security Manager that uses the LdapEsm module, and has passtokens enabled.

When a sign-on attempt is made through ELF, ELF invokes DCAS, which performs the following security checks using the External Security Facility. Credentials are returned only for users who:

  • Have sign-on privileges
  • Are permitted to generate passtokens
  • Have the appropriate access level granted in the PTKTDATA resource class
See CICS Region Security for DCAS for details.
DCAS transaction
To use DCAS with the Express Logon Facility, the DCAS transaction must be defined in the Enterprise Server for .NET CICS region. See DCAS Transaction Configuration for details.

External implementation

An external DCAS implementation is configured to use the following:

User ID function
Given a user ID, DCAS returns a passticket for that user only; no certificate is involved. This function is used by some advanced authentication systems, such as the Automated Sign-On for Mainframe facility implemented in the Micro Focus Host Access Management and Security Service.
Certificate function
The certificate function is also available in the external implementation, just as it is in the internal implementation.
DCAS listener channel
To enable DCAS externally, configure a TLS-secured DCAS listener channel that permits or requires client certificates. The channel invokes DCAS directly in the CICS region associated with it; a listener channel is required when using an advanced authentication system such as Automated Sign-On for Mainframe. Unlike the internal implementation, this makes DCAS reachable by network callers, so the channel's TLS and client-certificate settings are the control over who can request credentials. See Defining a DCAS listener channel for details.
Security
As with an internal implementation, define an ESF Security Configuration that includes at least one Security Manager using the LdapEsm module and has passtokens enabled.
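The following Python model is an added illustration of the credential flow described above (the certificate function in both implementations and the external user ID function); it is not Enterprise Server for .NET code and does not use the real RACF PassTicket algorithm. It assumes a certificate mapping keyed by the SHA-256 fingerprint of the DER certificate, a per-user policy table standing in for the sign-on, passtoken and PTKTDATA checks, and an HMAC-based ticket with a 60-second lifetime; all of these, and the sample certificate bytes, are constructed for the example. What it shows that the prose does not is why the ticket must be bound to one user, expire quickly, and be accepted only once.

```python
"""Model of the DCAS flow: X.509 certificate -> user ID -> short-lived, single-use
passticket.  Illustrative code only; NOT the product implementation and NOT the
RACF PassTicket algorithm.  Mapping, policy table and ticket format are assumptions."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

TICKET_LIFETIME_S = 60  # assumption: "short-lived" modelled as a 60-second window


@dataclass
class UserPolicy:
    can_sign_on: bool            # "Have sign-on privileges"
    can_generate_passtoken: bool  # "Are permitted to generate passtokens"
    ptktdata_access: bool        # "appropriate access level ... PTKTDATA resource class"


class DcasError(Exception):
    pass


class DcasIssuer:
    def __init__(self, secret: bytes, cert_map: dict, policies: dict):
        self._secret = secret      # shared by issuer and the sign-on side
        self._cert_map = cert_map  # sha256(DER certificate) -> user ID
        self._policies = policies  # user ID -> UserPolicy
        self._used = set()         # tickets already redeemed (single-use)

    @staticmethod
    def fingerprint(der: bytes) -> str:
        return hashlib.sha256(der).hexdigest()

    def _authorize(self, user_id: str) -> None:
        """The three checks: credentials are returned only if all pass."""
        pol = self._policies.get(user_id)
        if pol is None or not pol.can_sign_on:
            raise DcasError("user lacks sign-on privilege")
        if not pol.can_generate_passtoken:
            raise DcasError("user not permitted to generate passtokens")
        if not pol.ptktdata_access:
            raise DcasError("PTKTDATA access not granted")

    def _mint(self, user_id: str, now: float) -> str:
        nonce = os.urandom(8).hex()
        exp = int(now) + TICKET_LIFETIME_S
        msg = f"{user_id}|{exp}|{nonce}".encode()        # ticket is bound to user + expiry
        mac = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:32]
        return f"{exp}.{nonce}.{mac}"

    def ticket_for_user(self, user_id: str, now=None) -> str:
        """External 'user ID function': given a user ID, return a passticket."""
        self._authorize(user_id)
        return self._mint(user_id, time.time() if now is None else now)

    def credentials_for_cert(self, der: bytes, now=None):
        """'Certificate function': given a certificate, return (user ID, passticket)."""
        user_id = self._cert_map.get(self.fingerprint(der))
        if user_id is None:
            raise DcasError("certificate not mapped to any user")
        return user_id, self.ticket_for_user(user_id, now)

    def redeem(self, user_id: str, ticket: str, now=None) -> bool:
        """Sign-on side: accept a ticket once, within its lifetime, for its user only."""
        now = time.time() if now is None else now
        try:
            exp_s, nonce, mac = ticket.split(".")
            exp = int(exp_s)
        except ValueError:
            return False
        msg = f"{user_id}|{exp}|{nonce}".encode()
        good = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:32]
        if not hmac.compare_digest(good, mac):
            return False  # forged, tampered, or issued for a different user
        if now > exp:
            return False  # expired
        if ticket in self._used:
            return False  # replay of a ticket that was already redeemed
        self._used.add(ticket)
        return True


def build_demo():
    """Constructed sample data: a fake DER blob and three users with different policy."""
    alice_cert = b"\x30\x82\x01\x00constructed-der-for-ALICE"   # not a real certificate
    unmapped_cert = b"\x30\x82\x01\x00constructed-der-unmapped"
    cert_map = {DcasIssuer.fingerprint(alice_cert): "ALICE"}
    policies = {
        "ALICE": UserPolicy(True, True, True),    # passes all three checks
        "BOB":   UserPolicy(True, True, True),
        "CAROL": UserPolicy(True, False, True),   # may sign on but not generate passtokens
        "DAVE":  UserPolicy(False, True, True),   # revoked sign-on privilege
    }
    issuer = DcasIssuer(secret=b"demo-secret-not-for-production", cert_map=cert_map,
                        policies=policies)
    return issuer, alice_cert, unmapped_cert
```

Pass explicit `now` values to `credentials_for_cert`, `ticket_for_user` and `redeem` to see the expiry and replay rejections deterministically; in use, the same ticket presented twice, presented after its window, or presented with a different user ID must all be refused by the sign-on side.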