Configuration and Test Sequence - Express Logon Facility

Specifies the step-by-step sequence to follow when setting up and testing the Express Logon Facility (ELF) for use with an Enterprise Server for .NET CICS region.
Note: This is a technology preview feature only. It is being made available to allow you to test and provide feedback on this new capability; however, this feature is not intended for production use and it is not supported as such.

Implementation

ELF is usually used with a TN3270 client macro that automates the ELF sign-on process. For example, you could implement ELF as follows:

  • Issue client certificates to your users
  • Configure Enterprise Server for .NET to support ELF (see the Configuration section below)
  • Create a macro for your TN3270 emulator that:
    • Starts a sign-on transaction such as CESN
    • Fills in the user ID and password fields with ELF substitution strings
    • Submits the transaction

Configuration

CAUTION:
Because the UI overwrites the seelistener.exe.config file each time you save a change in the Listener Configuration Editor, we highly recommend that you do all configuration for seelistener.exe.config either from the UI or by editing the file directly, without mixing the two methods. We also recommend that you back up the seelistener.exe.config file each time before editing it manually or before making changes to it via the UI.

The following is a step-by-step list for configuring ELF to work on an Enterprise Server for .NET CICS region. For more specific information, refer to the related concepts and tasks listed at the bottom of this topic.

  1. Configure an existing or new TN3270 listener channel for SSL (TLS), allowing but not requiring client certificates. Do not enable ELF, and ignore DCAS-related settings at this time.
  2. Configure your TN3270 emulator to use SSL, and confirm that you can connect to the new listener channel and communicate with the region.
  3. Configure LDAP-based security for your region, if it is not already using it, and restart the region.
  4. Select one of the following certificate-mapping methods to use with ELF:
    • Subject CN, which affects how client certificates are created
    • LDAP, which affects where client certificates are stored
  5. Obtain a suitable client certificate. The issuing CA must be trusted by Windows on the system where the listener is running.
  6. If you are using LDAP certificate mapping, store the certificate in the userCertificate attribute of the associated user's LDAP object.
    Note: This is a standard Active Directory convention; see the Microsoft documentation for more information about the userCertificate attribute.
  7. Configure the SSL-enabled TN3270 channel to require client certificates, and enable ELF; then restart the listener.
  8. Configure your TN3270 emulator to use your client certificate.
  9. Confirm that you can still connect your client to the channel and communicate with the region.
  10. Configure the region's security for DCAS.
    Note: It is not necessary to configure a DCAS listener channel.
  11. Configure DCAS for the SSL-enabled TN3270 channel; then restart the listener.
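The following PowerShell script is an added example for steps 5 and 6 above; it is not part of the Enterprise Server for .NET documentation. It checks that the client certificate chains to a CA trusted by Windows on the listener host, prints the Subject CN (for the Subject CN mapping method), and, for LDAP mapping, writes the certificate to the user's userCertificate attribute and reads it back. It assumes the ActiveDirectory PowerShell module is installed and that the certificate path and user name below (placeholders) are replaced.

```powershell
# Added example, not product code. Run on the host where the TN3270 listener runs.
Import-Module ActiveDirectory

$CertPath       = 'C:\elf\client.cer'   # placeholder: exported client certificate (public part)
$SamAccountName = 'jdoe'                # placeholder: AD user the certificate belongs to

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# Step 5 check: the issuing CA must be trusted by Windows on this host.
# X509Chain.Build validates the chain against the machine's trust stores.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Revocation is skipped here so the check works offline; remove this line to check CRL/OCSP as well.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Client certificate does not chain to a trusted CA on this host: $reasons"
}

# For the Subject CN mapping method, this is the value ELF will map to a user ID.
$subjectCn = $cert.GetNameInfo('SimpleName', $false)
Write-Host "Chain OK. Subject CN = $subjectCn; thumbprint = $($cert.Thumbprint)"

# Step 6 (LDAP mapping): Set-ADUser -Certificates writes the userCertificate attribute.
Set-ADUser -Identity $SamAccountName -Certificates @{Add = $cert}

# Read back and confirm the certificate is present before the channel is
# switched to require client certificates (step 7).
$stored = (Get-ADUser -Identity $SamAccountName -Properties Certificates).Certificates
$match  = $stored | Where-Object { $_.GetCertHashString() -eq $cert.GetCertHashString() }
if (-not $match) {
    throw "userCertificate on $SamAccountName does not contain thumbprint $($cert.Thumbprint)"
}
Write-Host "userCertificate on $SamAccountName contains the ELF client certificate."
```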

Test

For a simple test of ELF processing:

  1. Clear the terminal session screen.
  2. Submit the following to CICS, being careful to type the command exactly as it appears here:
    ECHO )USR.ID(
    If ECHO followed by a user ID appears in the input area of the screen, where the user ID is some string other than the literal )USR.ID(, then ELF is working (the token was substituted).
    Note: If you do not see the specified return text, look for a message beginning with DCAS Format1 Request in the region console message log to see whether or not DCAS was invoked.

Create a login macro

Create a login macro using the ELF tokens for your TN3270 client. Consult your TN3270 emulator documentation for assistance.