Configuring the Express Logon Facility

Describes the Express Logon Facility (ELF), which enables a TN3270 user to sign into Enterprise Server for .NET using an X.509 client certificate instead of providing a user ID and password.
Note: This is a technology preview feature only. It is being made available to allow you to test and provide feedback on this new capability; however, this feature is not intended for production use and it is not supported as such.
Note: This technology is also known as Certificate Express Login (CEL).

The Express Logon Facility processes client certificates to provide a seamless logon system for individuals and groups of users who access running applications via TN3270 clients. To do this, ELF utilizes several technologies available in Enterprise Server for .NET.

The following list introduces the technologies used by the Express Logon Facility and describes the sequence it follows to process client certificates.

  1. A TN3270 client connecting to a TLS-enabled Enterprise Server for .NET listener channel has the opportunity to send a client certificate. If it does, Enterprise Server validates the certificate. If the client does not send a certificate, ELF is not enabled for the conversation, and depending on the channel configuration the client connection could be rejected.
  2. When a TN3270 client connects to the Enterprise Server for .NET listener, Telnet negotiation takes place. For ELF-enabled channels, this includes negotiating the standard Telnet NEW-ENVIRON option.
  3. An ELF-enabled TN3270 client requests ELF as part of the NEW-ENVIRON negotiation.
  4. When ELF is enabled for a conversation, the listener scans each TN3270 record received from the client for the ELF replacement strings )USR.ID( and )PSS.WD( (in EBCDIC). If either string is present, the listener performs ELF processing before submitting the request. Normally, these strings are inserted using a client macro as part of an automated sign-on process.
  5. When an ELF replacement string appears in a request, the listener invokes the Enterprise Server for .NET DCAS service to get the user's user ID and a passticket.
  6. DCAS takes the user's client certificate as input. It uses the Enterprise Server for .NET External Security Facility (ESF) to query the user ID associated with the certificate.
  7. If the certificate is successfully mapped to a user ID, DCAS then tells the External Security Facility to generate a passticket for the user. This involves some additional security checks:
    1. Is the user allowed to sign on?
    2. Is the user allowed to generate passtickets?
    3. Is the user allowed to use the DCAS service?
  8. DCAS responds to the listener with the user ID and passticket, or an error code.
  9. If DCAS is successful, the listener replaces all occurrences of )USR.ID( with the user ID, and all occurrences of )PSS.WD( with the passticket. Then, it submits the request to the dispatcher as it normally would.
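
The following Python script is an added illustration of steps 1 to 9, not code from Enterprise Server for .NET: it models the listener's scan-and-substitute step over an EBCDIC TN3270 record, with a constructed stand-in for the DCAS/ESF side (certificate-to-user mapping, the three authorization checks, and passticket generation). Everything about the stand-in is an assumption: the code page (cp037), the certificate bytes, the user attribute flags, the HMAC-based passticket, and the choice to leave the record unchanged when DCAS returns an error (the page does not say what the listener does in that case).

```python
"""Simulation of ELF placeholder substitution (added example; not product code).

The listener side follows the behaviour described on the page; the DCAS/ESF
side is a constructed stand-in so the script runs offline.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

EBCDIC = "cp037"  # assumption: one common EBCDIC code page
USR_ID = ")USR.ID(".encode(EBCDIC)  # the two 8-byte replacement strings from the page
PSS_WD = ")PSS.WD(".encode(EBCDIC)

# --- Constructed stand-in for ESF data (assumption, not the real facility) ---
# Keyed on the certificate fingerprint (SHA-256 of the DER bytes), not on the
# subject DN, so a different certificate with the same DN does not inherit
# the user's identity.
CERT_TO_USER: Dict[str, str] = {}
USER_ATTRS = {
    "ALICE": {"signon": True, "passticket": True, "dcas": True},
    "BOB":   {"signon": True, "passticket": False, "dcas": True},   # check 2 fails
    "EVE":   {"signon": False, "passticket": True, "dcas": True},   # check 1 fails
}
SIGNON_KEY = b"constructed-shared-secret"  # stand-in for the ESF signon key

# Constructed "certificates"; real ones are DER-encoded X.509 blobs.
ALICE_CERT = b"constructed DER for ALICE"
BOB_CERT = b"constructed DER for BOB"
EVE_CERT = b"constructed DER for EVE"
UNKNOWN_CERT = b"constructed DER that is not registered"
for _cert, _user in ((ALICE_CERT, "ALICE"), (BOB_CERT, "BOB"), (EVE_CERT, "EVE")):
    CERT_TO_USER[hashlib.sha256(_cert).hexdigest()] = _user

# Constructed inbound TN3270 record as a client macro might send it.
SAMPLE_RECORD = "SIGNON )USR.ID( )PSS.WD(".encode(EBCDIC)


class DcasError(Exception):
    """Error code the (simulated) DCAS service returns instead of a passticket."""


def make_passticket(user: str, now: Optional[int] = None) -> str:
    """Stand-in for ESF passticket generation (assumption): 8 upper-case
    alphanumerics keyed on the signon key, the user ID and a 10-minute window.
    The real algorithm belongs to ESF and is not described on the page."""
    window = (int(time.time()) if now is None else now) // 600
    mac = hmac.new(SIGNON_KEY, f"{user}|{window}".encode(), hashlib.sha256).digest()
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    return "".join(alphabet[b % len(alphabet)] for b in mac[:8])


def dcas(cert_der: bytes) -> Tuple[str, str]:
    """Steps 5 to 8: certificate -> user ID, the three checks, then a passticket."""
    user = CERT_TO_USER.get(hashlib.sha256(cert_der).hexdigest())
    if user is None:
        raise DcasError("certificate is not mapped to a user ID")
    attrs = USER_ATTRS[user]
    if not attrs["signon"]:
        raise DcasError(f"{user} is not allowed to sign on")
    if not attrs["passticket"]:
        raise DcasError(f"{user} is not allowed to generate passtickets")
    if not attrs["dcas"]:
        raise DcasError(f"{user} is not allowed to use the DCAS service")
    return user, make_passticket(user)


@dataclass
class Outcome:
    record: bytes          # the record as it would be submitted to the dispatcher
    elf_used: bool         # whether ELF processing ran for this record
    error: Optional[str] = None


def listener_process(record: bytes, client_cert: Optional[bytes], elf_negotiated: bool) -> Outcome:
    """Steps 4 and 9. ELF is active only when the client presented a certificate
    (step 1) and requested ELF during NEW-ENVIRON negotiation (step 3); otherwise
    the record is submitted as-is and the placeholders reach the application."""
    elf_enabled = client_cert is not None and elf_negotiated
    if not elf_enabled or (USR_ID not in record and PSS_WD not in record):
        return Outcome(record, elf_used=False)
    try:
        user, ticket = dcas(client_cert)
    except DcasError as exc:
        # Assumption: on a DCAS error the record is left unchanged and the error
        # is reported; the page only says DCAS returns an error code.
        return Outcome(record, elf_used=True, error=str(exc))
    out = record.replace(USR_ID, user.encode(EBCDIC)).replace(PSS_WD, ticket.encode(EBCDIC))
    return Outcome(out, elf_used=True)


if __name__ == "__main__":
    for label, cert in (("alice", ALICE_CERT), ("bob", BOB_CERT), ("unknown", UNKNOWN_CERT)):
        res = listener_process(SAMPLE_RECORD, cert, elf_negotiated=True)
        print(label, res.elf_used, res.error, res.record.decode(EBCDIC))
```

Two points the simulation makes visible. First, the substituted record now carries a credential (the passticket stands in for the password), so anything that logs or traces inbound TN3270 records after ELF processing must treat them as sensitive. Second, the user ID comes solely from the certificate-to-user mapping in ESF; the listener's certificate validation in step 1 only establishes that the certificate is trusted, so an incorrect mapping issues a passticket for the wrong user, and the mapping is the part of the configuration to review most carefully.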

The remaining topics in this section provide further information on each technology mentioned above, and an ordered list of the configuration tasks you must complete to get ELF up and running on your Enterprise Server for .NET CICS region.

Important: After reviewing conceptual information, use the Configuration and Test Sequence - Express Logon Facility topic as your guide to implementing ELF.