Tom

Have a look at z/OS Communications Server IP Configuration Guide APPENDIX1.3 Appendix C. Express Logon Feature. It may be what you want.

http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/F1A1B3B1/APPENDIX1.3

Chris Mason

On Tue, 4 Dec 2012 14:25:26 -0500, Tom Ambros <[email protected]> wrote:

>I apologize if this has been covered already, but I probably need to tell
>somebody if this can be done before I read up and put the pieces together.
>
>
>If I have an SSL-capable emulator, is it possible to validate the client
>certificate and extract the userid (this part, at least, I know can be
>done) and somehow persistently store it so that the RACF logon exits can
>locate it and verify that the userid entered at the application logon
>screen is the same userid that was presented in the client certificate?
>
>There are two factor authentication products that work at RACF logon but
>they have their drawbacks, we're musing about the possibility of fitting
>in with some of the distributed schemes for consistency's sake and closing
>the gap where one can get on a workstation with one set of credentials and
>then use another set that fell off the back of a truck to have a good old
>time in ways that may be distasteful to some. The distributed schemes
>involve seemingly robust what I have and what I know type processes and if
>we can then implement something reasonably inobtrusive on zOS we'd be in
>better shape.
>
>Thomas Ambros

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
