Automated Sign-On for Mainframe Administrator Guide

2.1 Overview of Using System TLS with the DCAS Server

The DCAS server and the DCAS client communicate over TLS. The TLS handshake authenticates the DCAS client and the DCAS server to each other using their X.509 certificates, and negotiates the cipher that will be used to encrypt and decrypt the data that follows.

The cipher level used for encryption can be fixed when DCAS is configured, using the V3CIPHER configuration keyword. If V3CIPHER is omitted, DCAS sets the cipher level dynamically at start-up, based on the level of cipher support installed on the system. With the dynamic choice, what the server will accept depends on the installed System SSL level rather than on anything recorded in the configuration, so specify V3CIPHER when you need a known, auditable minimum.
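As an added illustration (a constructed fragment, not taken from the guide or from an IBM sample), the two ways of handling V3CIPHER side by side. The keyword V3CIPHER is the one the guide names; the `#` comment style and the two-hex-digit System SSL cipher codes are assumptions to check against the DCAS configuration reference for your z/OS level.

```text
# Constructed DCAS configuration fragment (added example, not from the guide).
# Assumed: '#' starts a comment; V3CIPHER takes a string of two-hex-digit
# System SSL cipher codes in preference order.

# Dynamic (V3CIPHER omitted): DCAS takes whatever the installed System SSL
# level offers at start-up. The accepted set cannot be read from this file
# and may include legacy suites such as 09 (DES-CBC-SHA) or 04/05 (RC4).
# (no V3CIPHER line)

# Pinned: name the suites explicitly, strongest first, AES only.
#   3D  TLS_RSA_WITH_AES_256_CBC_SHA256
#   3C  TLS_RSA_WITH_AES_128_CBC_SHA256
#   35  TLS_RSA_WITH_AES_256_CBC_SHA
#   2F  TLS_RSA_WITH_AES_128_CBC_SHA
V3CIPHER   3D3C352F
```

After changing the list, restart DCAS and confirm with a client that only a listed suite is negotiated; a handshake failure from an older client is the expected result of removing 09/04/05, not a configuration error.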

TLS relies on X.509 certificates and public/private key pairs (PKI). On z/OS the keys and certificates are generated and stored in key databases, known as key rings.

An X.509 certificate can be created locally or obtained from a Certificate Authority. In either case the certificate is then connected to a key ring. Several services are available for creating and managing key rings and certificates.

The RACDCERT command

The RACDCERT command in RACF can be used to create, register, store, and administer keys and certificates. If you use RACDCERT, specify the key ring to the DCAS server with the SAFKEYRING keyword in the configuration file. A key ring created this way has no password (stash) file associated with it: access to the ring and to its private keys is controlled by RACF authorization on the DCAS server's user ID, so there is no key database password to protect on disk.
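The RACDCERT sequence described above, as an added example in batch TSO (IKJEFT01), not a job from the guide or from IBM. The user ID DCASID, ring name DCASRING, labels DCASCERT and EXAMPLCA, the CA data set EXAMPLE.CA.CERT, the subject name and the expiry date are all assumed names; it also assumes the FACILITY profiles IRR.DIGTCERT.LISTRING and IRR.DIGTCERT.LIST already exist and that the DIGTCERT and FACILITY classes are RACLISTed.

```jcl
//DCASCERT JOB (ACCT),'DCAS KEYRING',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//* Added example, not from the guide. Assumed names: DCASID (DCAS
//* server user ID), DCASRING (key ring), DCASCERT and EXAMPLCA
//* (certificate labels), EXAMPLE.CA.CERT (data set holding the
//* site CA certificate). Adjust all of them to your installation.
//*
//* Step 1: import the site CA as a trusted CERTAUTH certificate.
//* Step 2: generate the DCAS server key pair and certificate,
//*         signed by that CA (a 2048-bit RSA key, expiry assumed).
//* Step 3: create the ring, connect the server certificate as the
//*         DEFAULT PERSONAL certificate and the CA as CERTAUTH.
//* Step 4: let the DCAS user ID read its own ring. No stash file
//*         exists; these RACF permissions are the only access control.
//* Step 5: refresh RACLISTed classes and list the ring to verify
//*         (DCASCERT must show DEFAULT YES, EXAMPLCA USAGE CERTAUTH).
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT CERTAUTH ADD('EXAMPLE.CA.CERT') WITHLABEL('EXAMPLCA') TRUST
  RACDCERT ID(DCASID) GENCERT SUBJECTSDN(CN('dcas.example.com') +
     O('Example') C('US')) WITHLABEL('DCASCERT') SIZE(2048) +
     NOTAFTER(DATE(2027-12-31)) SIGNWITH(CERTAUTH LABEL('EXAMPLCA'))
  RACDCERT ID(DCASID) ADDRING(DCASRING)
  RACDCERT ID(DCASID) CONNECT(LABEL('DCASCERT') RING(DCASRING) +
     DEFAULT USAGE(PERSONAL))
  RACDCERT ID(DCASID) CONNECT(CERTAUTH LABEL('EXAMPLCA') +
     RING(DCASRING) USAGE(CERTAUTH))
  PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(DCASID) ACCESS(READ)
  PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(DCASID) ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
  SETROPTS RACLIST(DIGTCERT) REFRESH
  RACDCERT ID(DCASID) LISTRING(DCASRING)
/*
```

The ring is then named to DCAS with the SAFKEYRING keyword in its configuration file (the exact value format, in particular whether the owning user ID must be prefixed as DCASID/DCASRING, depends on your z/OS Communications Server level and is not stated on this page). Because the DCAS server authenticates clients, the client certificates or their issuing CA must also be connected to this ring before clients can connect. READ on IRR.DIGTCERT.LISTRING only covers a user's own ring; if the ring is owned by a different user ID than the one DCAS runs under, the DCAS user ID needs UPDATE or CONTROL instead.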

For more information on digital certificates, see the z/OS SecureWay Security Server RACF Security Administrator’s Guide and the z/OS SecureWay Security Server RACF Command Language Reference.