Connect 3270 Sessions using the Express Logon Feature (ELF)

Use this procedure to configure a 3270 session to connect to the host using the Express Logon Feature (ELF). Also referred to as single sign-on (SSO), express logon is an IBM mainframe feature that lets users log on and connect to the host without entering a user ID and password each time. Express Logon authenticates the user on the mainframe by using her SSL client certificate in lieu of entering a user ID and password.

This procedure includes four parts:

  1. Configure the host for ELF

  2. Install digital certificates on the host and client

  3. Configure ELF for a 3270 session

  4. Record the connect macro that logs on using the ELF token values

    NOTE: If you connect to the host using ELF through the Reflection Management and Security Server, you must configure End-to-End encryption from the Administrative Webstation. For more information, see the Reflection Installation and Deployment Guide.

To configure the host for ELF

  1. Configure the host to support SSL/TLS connections.

  2. Configure ELF and note the applid value.

For instructions, see the documentation included with the IBM host.

To install digital certificates on the host and client

To make connections using ELF, all Reflection users must have both host and personal certificates installed. (If the certificates are from a trusted Certificate Authority, you only need to install personal certificates.) For more information, refer to Technical Note 1757.

To configure ELF for a 3270 session

  1. Create a new 3270 session document:

    1. Specify the Host name/IP Address. If your configuration requires the host name to match the certificate, enter the name that exactly matches the CommonName or the SubjectAltName field specified in the host certificate.

    2. Specify the Port used for SSL connections by your host. This is configured by the IBM host administrator.

  2. Select the Configure additional settings check box and click OK.

  3. Under Host Connection, click Configure Connection Settings.

  4. (Recommended) Under Host Connection Options, for When connection is terminated, choose Leave disconnected.

    Because you are configuring automatic logon, your user name and password are no longer necessary. This means you will be logged back in immediately after every log off if the default Reconnect automatically is selected. If you prefer to leave Auto Reconnect on while you're working, you can create a logoff macro that turns off this setting just prior to logging off.

  5. Click Configure > Advanced Connection Settings.

  6. Scroll down to Security and in the ELF application ID box, enter the applid value from the host.

  7. Click Security Settings and in the Security Properties dialog box, do the following:

    1. Select Use SSL/TLS security.

    2. (Optional) Change the values for Encryption strength and SSL/TLS version.

    3. Specify a value for ELF application ID. For example, the application ID (applid) for TSO is TSO+smfid (located in the SMFPRMxx member of SYS1.PARMLIB). For additional information, refer to the IBM system documentation.

  8. Save your settings.

To record a connect macro that logs on using the ELF token values

  1. Open the 3270 session file you just created. (You should be connected but not yet logged on.)

  2. Start the macro recorder.

  3. Log on using a valid user name and password. (Editing your macro will be easiest if you don't include your user name when you enter the logon command. Type the logon, press Enter, then type your user name.) You will edit the macro to remove specific user information and replace it with ELF token values that support logon by any authenticated user.

  4. Stop the macro recorder.

  5. In the Stop Recording dialog box, name the macro (for example "ELF logon"), select Make this the connect macro, and click OK.

  6. Open the Visual Basic Editor.

  7. Edit the TransmitANSI statement that sends your user name. Remove your user name and replace it with the ELF token )USR.ID(. The edited line will look like this:

    .TransmitANSI ")USR.ID("
    
  8. Comment out or delete the line that uses the GetPassword method to set the password. Replace it with a new line that sets the password variable equal to the ELF password token )PSS.WD(. The modified code should look like this:

    Dim hostpassword As String
    'hostpassword = .GetPassword(" Password ===>", "", "", "")
    hostpassword = ")PSS.WD("
    .TransmitANSI hostpassword
    
  9. Save the session file.

  10. Connect using the modified Reflection session. You should connect and be logged in without having to enter a user name and password.
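
After steps 7 and 8, the connect macro should contain the two ELF tokens and no live credential handling. The following Python check is an added example, not part of the Reflection product or its documentation. It assumes the macro source has been exported as text; the function names and the sample macro lines (including the user name "jsmith") are constructed for illustration.

```python
import re

ELF_USER_TOKEN = ")USR.ID("   # tokens as given in the procedure above
ELF_PASS_TOKEN = ")PSS.WD("
STRING_LITERAL = re.compile(r'"((?:[^"]|"")*)"')

def strip_comment(line):
    """Remove a VBA comment: an apostrophe that is outside a string literal."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line

def audit_connect_macro(source):
    """Report whether exported macro text uses ELF tokens instead of credentials."""
    report = {"user_token": False, "password_token": False,
              "active_getpassword": [], "review_literals": []}
    for lineno, raw in enumerate(source.splitlines(), 1):
        code = strip_comment(raw)
        if re.search(r"\.GetPassword\s*\(", code, re.IGNORECASE):
            report["active_getpassword"].append(lineno)
            continue  # its string arguments are prompt text, not credentials
        for literal in STRING_LITERAL.findall(code):
            if literal == ELF_USER_TOKEN:
                report["user_token"] = True
            elif literal == ELF_PASS_TOKEN:
                report["password_token"] = True
            elif literal.strip():
                # Any other transmitted or assigned literal needs a human look:
                # it may be a host command or a leftover user name.
                report["review_literals"].append((lineno, literal))
    report["ok"] = (report["user_token"] and report["password_token"]
                    and not report["active_getpassword"])
    return report

# Constructed sample input, modeled on the statements shown in steps 7 and 8.
RECORDED = '''\
.TransmitANSI "logon"
.TransmitANSI "jsmith"
Dim hostpassword As String
hostpassword = .GetPassword(" Password ===>", "", "", "")
.TransmitANSI hostpassword
'''
EDITED = '''\
.TransmitANSI "logon"
.TransmitANSI ")USR.ID("
Dim hostpassword As String
'hostpassword = .GetPassword(" Password ===>", "", "", "")
hostpassword = ")PSS.WD("
.TransmitANSI hostpassword
'''

if __name__ == "__main__":
    for name, text in (("recorded", RECORDED), ("edited", EDITED)):
        print(name, audit_connect_macro(text))
```

Entries in `review_literals` are not failures by themselves; they list every remaining string literal so a reviewer can confirm that none is a user name left over from recording.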