Configuring a region for Express Logon Feature

This topic guides you through the steps required to configure an enterprise server region with Mainframe Subsystem Support to enable ELF functionality. The region must be secured with a Security Manager which allows you to generate and sign on with passtokens. See ESF Passtokens for more information.

As of Enterprise Server versions 5.0 Patch Update 9 and 6.0, a DCAS listener is no longer required for ELF. You can either add a DCAS listener (or use an existing one), or configure your TN3270 listener to use DCAS in "internal" mode. A DCAS listener is useful if you need it for other purposes, such as Automated Sign-On for Mainframe. Otherwise, Micro Focus recommends using internal DCAS to avoid any possible additional security exposure from a DCAS listener.

To add a new DCAS listener to the region:

  1. Start the Enterprise Server Administration Home page, and then click Edit for the region you want to create the listener for.
  2. Click the Listener tab, and then click Add.
  3. In the Support Conversation Type group, click Custom.
  4. In the field next to the Custom option, type dcas.
  5. Configure the listener as required. DCAS listeners must be configured for SSL communication. See DCAS conversation type and Secure Communications (SSL) for more information.
    Note: Micro Focus recommends you configure both the DCAS and TN3270 listeners with the same SSL server certificate and key. Failure to do so might result in users being able to incorrectly acquire or fail to acquire passtokens from DCAS.

To use internal DCAS:

  1. Start the Enterprise Server Administration Home page, and then click Edit for the region you want to create the listener for.
  2. Click the Listener tab, and then click Edit for your TN3270 listener.
  3. In the TN3270 listener's configuration text area, add the following:
    [DCAS Certificate]
    certificate directory=path-to-certificate-registration-directory
    where path-to-certificate-registration-directory is the full path to the directory where you will keep your certificate registrations. See Understanding certificate registration and cascertreg for more information.
  4. You might want to configure additional parameters for internal DCAS in the TN3270 listener configuration areas using the [DCAS Operation] and [DCAS Tracing] sections. See DCAS conversation type for more information.

To complete ELF configuration:

  1. Use the cascertreg command line utility to map a user certificate to a user ID. See cascertreg for more information.
    Note: Regions that use certificate mapping for CICS Web Interface can use the same certificate mappings for DCAS.
  2. You might need to perform additional configuration for an existing TN3270 listener, either to configure SSL or explicitly reference a DCAS connector. Depending on how your users' certificates are created, you might need to configure the Maximum Chain Length and Match Client Hostname settings. See To set certificate validation options and TN3270 conversation type for more information.

Once these steps are complete, users need to configure their clients to allow ELF negotiation, also referred to as Certificate Express Logon (CEL), and to connect using their certificate. Once this is done, users can to log on to the server using their certificate as identification. The logon process itself is often performed using a macro that inserts the two well-known placeholder strings into the logon fields, which the server sees and replaces with the mapped user ID and passtoken. These strings are:

For the user ID.
For the password.

See DCAS Security for additional information regarding DCAS security considerations and features.