5. Establish trust between the MSS Administrative Server and the DCAS server - Automated Sign-on for Mainframe - Administrator Guide

3.5 5. Establish trust between the MSS Administrative Server and the DCAS server

This step requires information about the DCAS server and depends on step 3, Configure DCAS and RACF on z/OS.

These settings in Management and Security Server are needed for testing, and can also be used in production.

3.5.1 Configure Settings - Automated Sign-on

Before you begin, obtain this information for each DCAS server (from your z/OS host administrator):

  • DCAS server name

  • DCAS server port

NOTE: When smart cards are used for authentication, configure those settings first, and then continue with these steps to configure Automated Sign-on.

See the MSS Help for more information about each setting.

  1. In the Administrative Console, click Configure Settings > Automated Sign-on.

  2. Check Enable automated sign-on to mainframe sessions.

  3. Enter the DCAS Server name and port number.

  4. If you choose to use a custom keystore filename and password, see Help for further instruction.

  5. Verify the server’s identity, and Test the connection.

  6. If you are using a secondary LDAP directory (Option B in Choose a data store option), check Enable secondary LDAP server.

    1. Enter the server-specific information for this LDAP server: Server type, Security options, Server name, Server port, User name, and Password.

    2. Enter details for the Directory search base. See Help for more information.

    3. When TLS/SSL is selected, you need to import the LDAP server's trusted certificate into the default trusted keystore. Click Import Certificate.

    4. Test Connection verifies the connection between the secondary LDAP server and the MSS Administrative Server. If the connection fails, consult the logs to resolve the issue.

  7. Under User Principal Name (UPN), enter the name of the LDAP attribute in the authenticating directory that contains the UPN value.

    This value is needed when assigning automated sign-on sessions that derive the mainframe user names from the UPN.

  8. If using a secondary LDAP server, enter information for the Search filter. See Help for more information.

    NOTE: Remember this selection. When you Assign Access, you are prompted to select the Method to obtain mainframe user name.

  9. Click Apply.

    The Initial Setup requirements are met for Management and Security Server.

  10. Next step: 6. Enable your emulator for automated sign-on
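Step 5 (verify the DCAS server's identity and test the connection) and sub-step 3 (trusting the LDAP server's TLS certificate) both depend on the certificate the host actually presents. The script below is an added pre-flight check that is not part of this guide or of Management and Security Server: it retrieves the certificate a DCAS or LDAP endpoint presents over TLS and checks that the server name you will enter in the console is actually in it. It uses only the Python standard library; the host names in it are placeholders.

```python
"""Pre-flight check of the TLS identity a DCAS or LDAP server presents.

Added example (not MSS code). Host names, ports and the cafile path are
placeholders; the constructed certificate dicts mirror ssl.getpeercert().
"""
import socket
import ssl


def fetch_peer_cert(host: str, port: int, cafile: str = None,
                    timeout: float = 5.0) -> dict:
    """Open a verified TLS connection and return the leaf certificate.

    cafile lets you point at the CA that signed the DCAS/LDAP certificate
    when it is not in the system trust store; verification failures raise
    ssl.SSLCertVerificationError, which is the same trust problem the
    console's Test Connection would report.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive, wildcard only as the
    whole leftmost label and matching exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        head, _, rest = hostname.partition(".")
        return head != "" and "." + rest == pattern[1:]
    return False


def identity_matches(cert: dict, expected_host: str) -> bool:
    """True when expected_host is covered by a SAN dNSName entry, or by the
    subject CN when the certificate carries no SANs at all."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(_name_matches(n, expected_host) for n in names)


def days_until_expiry(cert: dict, now: float = None) -> int:
    """Whole days until notAfter; negative once the certificate has expired."""
    import time
    expiry = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((expiry - now) // 86400)
```

Run `identity_matches(fetch_peer_cert("dcas.example.com", 8990), "dcas.example.com")` with your own DCAS server name and port; a False result means the name you type into Configure Settings will not verify even if the port answers.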

3.5.2 When smart cards are used for authentication

Configure these settings to manage the MSS Administrative Server certificate, the client certificate, and certificate signing requests.

  1. In Administrative Console, click Configure Settings > General Security.

  2. Scroll to Smart card settings. The default parameters specify the certificate attributes associated with the provider, SunPKCS11.

    • If you use SunPKCS11, you do not need to designate smart card libraries.

    • If you use a different provider, enter the smart card provider with the certificate attributes and designate the smart card libraries. For assistance, open Help and click the link for Smart card settings.

  3. Accept or change the default settings.

  4. Click Apply.

  5. Continue with Configure Settings - Automated Sign-on.
