At a minimum, you must register every workstation client certificate
with RACF® using the RACDCERT command. Registering a certificate
associates it with the RACF user ID of the user who presents it at
logon; a certificate that RACF cannot map to a user ID cannot be used
for Express Logon. In the two-tier solution, the certificate is passed
from the client to the TN3270E Telnet server. In the three-tier
solution, the certificate is passed from the client to the middle-tier
Telnet server, then to the DCAR, and then to the DCAS.
You must also create a RACF PTKTDATA class profile for each application
ID that users will access through Express Logon. The PTKTDATA profile
allows the DCAS or the z/OS® TN3270E Telnet server to obtain a
PassTicket and user ID for that application; without a matching
profile, no PassTicket can be generated for it. In the three-tier
solution, the DCAS passes the PassTicket and user ID back to the DCAR.
For Host On Demand, the application ID portion of the profile name
must be identical to the value configured in the Host On Demand
Express® Logon Application ID popup window. In most cases, the
application name with which the user logs on matches the application
ID portion of the RACF PTKTDATA class profile. However, for TSO and
some other applications, the names and IDs may not match:
- If VTAM® generic resources are used for TSO, define the application
  name portion of the RACF profile using the TCASGNAM value defined in
  the TSOKEYxx member of SYS1.PARMLIB.
- If VTAM generic resources are not used, the application name portion
  of the RACF profile is TSO followed by the SMF system ID, in the
  format TSO<SID>, where SID is the system ID defined in the SMFPRMxx
  member of SYS1.PARMLIB. (For example, if the SID is 3390, the profile
  name is TSO3390.) For details, see z/OS Security Server RACF Security
  Administrator's Guide.
For applications that allow shared user IDs (multiple users request
access to the application simultaneously with the same user ID), you
must specify the APPLDATA('NO REPLAY PROTECTION') option on the RDEFINE
command that creates the PTKTDATA profile. This bypasses the default
RACF protection against replay of PassTickets, which would otherwise
reject a second logon with the same user ID, application and PassTicket
value inside the ticket's validity window. Use the option only for
applications that genuinely need shared user IDs: with it set, a
PassTicket captured in transit can be presented again until it
expires.
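The RACF definitions described above, collected into one sequence of TSO commands as an added example (this is not a sample from the original page or from IBM's own documentation). The user ID USER01, the certificate data set USER01.CLIENT.CERT, the certificate label, the generic resource name TSOGNRC, the application ID CICSPROD and the KEYMASKED values are all assumed placeholders; replace them with your own, and use a real secret PassTicket key shared with the target application.

```tso
/* Added example, not from the original page. Names and key values   */
/* are placeholders. Run from a TSO session with RACF SPECIAL (or the */
/* equivalent delegated authority) or via IKJEFT01 in batch.          */

/* 1. Register the workstation client certificate and associate it   */
/*    with the RACF user ID that will be logged on. The DER-encoded  */
/*    certificate is assumed to have been uploaded to the data set   */
/*    USER01.CLIENT.CERT. TRUST marks it usable for authentication.  */
RACDCERT ID(USER01) ADD('USER01.CLIENT.CERT') TRUST +
         WITHLABEL('USER01 Workstation')

/* 2. One PTKTDATA profile per application ID. The SSIGNON key must  */
/*    be the same key the application uses to validate PassTickets.  */

/* TSO without VTAM generic resources: TSO followed by the SMF       */
/* system ID from SMFPRMxx (here the page's example SID, 3390).      */
RDEFINE PTKTDATA TSO3390 +
        SSIGNON(KEYMASKED(E001193519561977)) UACC(NONE)

/* TSO with VTAM generic resources: the TCASGNAM value from TSOKEYxx */
/* (TSOGNRC is an assumed name).                                     */
RDEFINE PTKTDATA TSOGNRC +
        SSIGNON(KEYMASKED(A1B2C3D4E5F60718)) UACC(NONE)

/* An application that allows shared user IDs (CICSPROD is assumed): */
/* replay protection must be switched off explicitly, which also    */
/* means a captured PassTicket is reusable until it expires.         */
RDEFINE PTKTDATA CICSPROD +
        SSIGNON(KEYMASKED(0F1E2D3C4B5A6978)) +
        APPLDATA('NO REPLAY PROTECTION') UACC(NONE)

/* 3. Activate the class and load (or reload) the profiles in        */
/*    storage so the DCAS / Telnet server sees them.                 */
SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)
SETROPTS RACLIST(PTKTDATA) REFRESH

/* 4. Check the result: the certificate is attached to the user and  */
/*    the profile shows the SSIGNON segment and APPLDATA.            */
RACDCERT ID(USER01) LIST
RLIST PTKTDATA TSO3390 SSIGNON
RLIST PTKTDATA CICSPROD SSIGNON
```

Two checks worth making after running this: RLIST should show the APPLDATA text only on the profiles that need shared user IDs, since that option is easy to copy by accident into profiles where replay protection should stay on; and the user ID under which the DCAS or Telnet server runs must itself be authorized to generate PassTickets for other users (on current RACF levels this is controlled by IRRPTAUTH.<applid>.<userid> profiles in the PTKTDATA class, a requirement this page does not cover; see the RACF Security Administrator's Guide for your release).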