Express Logon Feature – IBM Host Access Client Package

In a previous blog, I had written about different Single Sign On options in IBM Host On-Demand.

One of the options specified there is Certificate Express logon. This is proprietary to mainframes only and works only with 3270 sessions. Using this feature, 3270 display sessions can be configured to connect to the host without requiring you to enter a user ID and password. When this feature is enabled on the mainframe, a telnet client like IBM Host On-Demand, can pass certificate information from an SSL connection and the application ID from a macro, to request a user ID and a PassTicket (a temporary password) from the mainframe. Using this combination, a user can be logged on automatically.

​Refer to the diagram below that explains the flow of a session configured with Express Logon Feature.

The following sections brief the configuration requirements on the mainframe and on the telnet client (which can be IBM Host On-Demand or IBM Personal Communications).

On the mainframe:

1. Configure the TN3270 server to require server and client authentication for initial hand shake.
2. Configure RACF to add a client certificate for the user ID that you plan to use for logon.
3. Enable PassTicket profile for the application ID + system ID combination. For example, if TSO is the application for which you want to use ELF, and SYS1 is the system ID of your mainframe host, then you need to enable PassTicket profile for appl ID = TSOSYS1.
4. Configure DCAS server to support Express Logon Feature.

In IBM Host On-Demand:
1. Install the client certificates on your browser or a local keystore.

​2. Create a new display session to the mainframe host, provide the appropriate port, and SSL details – refer to the figure below for configuration details on the connection page. 

3. For SSL details, make sure you enable Client authentication and provide details of client certificate – refer to the figure below for configuration details on the TLS/SSL page. If you plan to store the server’s certificate in a trust store, you can disable “Add MSIE browser’s keyring”, and put the server certificate in HOD’s trust store.

​4. Depending on where you keep the client’s certificate, select the appropriate Certificate Source – you will be prompted for the certificate password when HOD attempts to make a connection to the host. 

5. Record a new macro in the session, and enable “Certificate” under “Express Logon Feature” when recording the macro. Provide the APPLID as the value that you provided in step 3 of “On the mainframe” section above. Continue to record a normal logon macro and set it as “Auto Start”. Save the macro. Refer to this link to get more information on how to record the macro and what inputs to provide. 

 6. The recorded macro above will contain the ELF tokens of “)USR.ID(“ and “)PSS.WD(“. These are the ones that are replaced with User ID and PassTicket when the macro is executed.

7. Close and re-open the session. You will be prompted for your certificate password. Once you provide your password, the credentials are automatically filled by the macro and logon is completed successfully.

​Similar steps need to be followed if you are using IBM Personal Communications as the client for Express Logon – refer to PCOMM documentation for more information.
 
More information:
For more information on ELF, refer to z/OS documentation here.
For more information on detailed configuration options, refer to Host On-Demand documentation here.


Vatsala Ramachandran
QA Manager, HACP & HATS 
vatsala.r@hcl.com


IBM Host On-Demand and IBM Personal Communications are trademarks of IBM Corporation in at least one jurisdiction and used under license.