Terminal Emulation & Transformation Community

Express Logon Feature – IBM Host Access Client Package

11/19/2018

In a previous blog post, I wrote about the different Single Sign-On options in IBM Host On-Demand.

One of the options described there is Certificate Express Logon. This is proprietary to mainframes and works only with 3270 sessions. With this feature, 3270 display sessions can be configured to connect to the host without requiring you to enter a user ID and password. When the feature is enabled on the mainframe, a telnet client such as IBM Host On-Demand can pass the certificate information from the SSL connection, together with the application ID from a macro, to request a user ID and a PassTicket (a temporary password) from the mainframe. With this combination, the user is logged on automatically.

Refer to the diagram below that explains the flow of a session configured with Express Logon Feature.

The following sections summarize the configuration requirements on the mainframe and on the telnet client (which can be IBM Host On-Demand or IBM Personal Communications).

On the mainframe:
  1. Configure the TN3270 server to require server and client authentication for the initial handshake.
  2. Configure RACF to add a client certificate for the user ID that you plan to use for logon.
  3. Enable a PassTicket profile for the application ID + system ID combination. For example, if TSO is the application for which you want to use ELF, and SYS1 is the system ID of your mainframe host, then you need to enable a PassTicket profile for appl ID = TSOSYS1.
  4. Configure the DCAS server to support Express Logon Feature.

In IBM Host On-Demand:
1. Install the client certificates in your browser or in a local keystore.

2. Create a new display session to the mainframe host, and provide the appropriate port and SSL details – refer to the figure below for configuration details on the connection page.

3. For SSL details, make sure you enable Client authentication and provide the details of the client certificate – refer to the figure below for configuration details on the TLS/SSL page. If you plan to store the server’s certificate in a trust store, you can disable “Add MSIE browser’s keyring” and put the server certificate in HOD’s trust store.

4. Depending on where you keep the client’s certificate, select the appropriate Certificate Source – you will be prompted for the certificate password when HOD attempts to make a connection to the host.

5. Record a new macro in the session, and enable “Certificate” under “Express Logon Feature” when recording the macro. For the APPLID, provide the value that you used in step 3 of the “On the mainframe” section above. Continue to record a normal logon macro and set it as “Auto Start”. Save the macro. Refer to this link to get more information on how to record the macro and what inputs to provide.

6. The recorded macro will contain the ELF tokens “)USR.ID(” and “)PSS.WD(”. These are replaced with the User ID and the PassTicket when the macro is executed.

7. Close and re-open the session. You will be prompted for your certificate password. Once you provide your password, the credentials are automatically filled in by the macro and the logon completes successfully.
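
Step 6 means the saved macro should carry only the ELF tokens and no recorded credentials. The following is an added example (not from the original post and not IBM tooling) that audits an exported macro for that property; the XML layout, the `encrypted` attribute, the sample macros and the `audit_macro` name are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

USER_TOKEN = ")USR.ID("   # replaced with the user ID when the macro runs
PASS_TOKEN = ")PSS.WD("   # replaced with the PassTicket when the macro runs

# Constructed samples. The <HAScript>/<screen>/<actions>/<input> layout and the
# "encrypted" attribute are assumptions about how an exported macro looks.
ELF_MACRO = """<HAScript name="tso_elf">
  <screen name="UserPrompt"><actions>
    <input value=")USR.ID([enter]" encrypted="false"/>
  </actions></screen>
  <screen name="PasswordPrompt"><actions>
    <input value=")PSS.WD([enter]" encrypted="false"/>
  </actions></screen>
</HAScript>"""

STATIC_MACRO = """<HAScript name="tso_static">
  <screen name="UserPrompt"><actions>
    <input value="USER01[enter]" encrypted="false"/>
  </actions></screen>
  <screen name="PasswordPrompt"><actions>
    <input value="RECORDED-SECRET[enter]" encrypted="true"/>
  </actions></screen>
</HAScript>"""

def audit_macro(xml_text):
    """Return finding codes; an empty list means both credentials come from ELF."""
    findings = []
    inputs = [(screen.get("name", "?"), el.get("value", ""), el.get("encrypted", "false"))
              for screen in ET.fromstring(xml_text).iter("screen")
              for el in screen.iter("input")]
    if not any(USER_TOKEN in value for _, value, _ in inputs):
        findings.append("missing-user-token")
    if not any(PASS_TOKEN in value for _, value, _ in inputs):
        findings.append("missing-passticket-token")
    for screen, value, encrypted in inputs:
        # A recorded secret stays in the macro file; the ELF tokens carry none.
        if encrypted.lower() == "true" and PASS_TOKEN not in value:
            findings.append("stored-secret:" + screen)
    return findings

if __name__ == "__main__":
    for name, text in (("tso_elf", ELF_MACRO), ("tso_static", STATIC_MACRO)):
        print(name, audit_macro(text) or "ok")
```

An empty result for a macro is the expected state after step 5; any `stored-secret` finding points to a logon that was recorded with a typed password instead of the ELF option.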

Similar steps need to be followed if you are using IBM Personal Communications as the client for Express Logon – refer to PCOMM documentation for more information.
 
More information:
For more information on ELF, refer to z/OS documentation here.
For more information on detailed configuration options, refer to Host On-Demand documentation here.


Vatsala Ramachandran
QA Manager, HACP & HATS 
vatsala.r@hcl.com



IBM Host On-Demand and IBM Personal Communications are trademarks of IBM Corporation in at least one jurisdiction and used under license. 
1 Comment
best resume writing services link
11/7/2019 06:30:36 pm

This is definitely one that is worth it. I know that it is a pretty pricey package, but believe me, it is better in the long run. It is one time payment, but it is still better than most. You are going to have to pour in money for this, but if you really want to do it, then I suggest that you go and do it. I will support you and I will answer any question that you might have.
