DCAS (zOS Communications Server's Digital Certificate Access Server) has come to my rescue. From the docs:
The DCAS can be used by providers of logon and single sign-on services where access to z/OS-based applications is needed. The DCAS is a TCP/IP server that enables clients to connect over the network and obtain a passticket and z/OS user ID from RACF.It's the second time in a few months that DCAS is the solution to the problem that I'm working on; unfortunately, I had forgotten about the first time, so it has taken my a while to get rescued. Not a complete waste of time: if learned a few things about PKI and RACF.
Clients that connect to DCAS must use the SSL protocol (DCAS supports SSL Version 3). Client authentication is performed.
Clients can request a user ID and passticket for an application. The client sends an x.509 certificate. DCAS converts the x.509 certificate to a valid user ID, which is returned. The x.509 certificate must have been mapped to a valid user ID in RACF
The first time it was about a service to generate passtickets (strings that can be used as passwords for a short while). Despite my recommendation, the customer's choice was to not use DCAS and code it from scratch; go figure.
Now it is about authenticating to RACF from a application that uses a smartcard reader. I'm looking forward to code the smartcard-based RACF logon, since working with smartcards has been in my wish list for very long.
And since google and DCAS don't seem to be big friends, I'm posting this.