3.5.10 Connect 3270 Sessions using the Express Logon Feature (ELF)

Use this procedure to configure a 3270 session to connect to the host using the Express Logon Feature (ELF). Also referred to as single sign-on (SSO), express logon is an IBM mainframe feature that lets users log on and connect to the host without entering a user ID and password each time. Express Logon authenticates the user on the mainframe by using the user's SSL client certificate in lieu of a user ID and password.

This procedure includes four parts:

  • Configure the host for ELF

  • Install digital certificates on the host and client

  • Configure ELF for a 3270 session

  • Record the connect macro that logs on using the ELF token values

NOTE: If you connect to the host using ELF through a centralized management server, you must configure End-to-End encryption from the Administrative WebStation. For more information, see the InfoConnect Installation and Deployment Guide.

To configure the Host for ELF

  1. Configure the host to support SSL/TLS connections.

  2. Configure ELF and note the applid value.

For instructions, see the documentation included with the IBM host.

To install digital certificates on the host and client

To make connections using ELF, all users must have both host and personal certificates installed. (If the certificates are from a trusted Certificate Authority, you only need to install personal certificates.)

To configure ELF for a 3270 session

  1. Create a new 3270 session document:

    1. Specify the Host name/ IP Address. If your configuration requires the host name to match the certificate, enter the name that exactly matches the CommonName or the SubjectAltName field specified in the host certificate.

    2. Specify the Port used for SSL connections by your host. This is configured by the IBM host administrator.

  2. Select the Configure additional settings check box and click OK.

  3. Under Host Connection, click Configure Connection Settings.

  4. (Recommended) Under Host Connection Options, When connection is terminated, choose Leave disconnected.

    Because you are configuring automatic logon, your user name and password are no longer necessary. This means you will be logged back in immediately after every log off if the default Reconnect automatically is selected. If you prefer to leave Auto Reconnect on while you're working, you can create a logoff macro that turns off this setting just prior to logging off.

  5. Click Configure > Advanced Connection Settings.

  6. Scroll down to Security and in the ELF application ID box, enter the applid value from the host. For example, the application ID (applid) for TSO is TSO appended with the smfid value (located in the SMFPRMxx member of SYS1.PARMLIB). For additional information, refer to the IBM system documentation.

  7. Click Security Settings and in the Security Properties dialog box, do the following:

    1. Select Use SSL/TLS security.

    2. (Optional) Change the values for Encryption strength and SSL/TLS version.

  8. Save your settings.

To record a connect macro that logs on using the ELF token values

  1. Open the 3270 session file you just created. (You should be connected but not yet logged on.)

  2. Start the macro recorder.

  3. Log on using a valid user name and password. (Editing your macro will be easiest if you don't include your user name when you enter the logon command. Type the logon, press Enter, then type your user name.) You will edit the macro to remove specific user information and replace it with ELF token values that support logon by any authenticated user.

  4. Stop the macro recorder.

  5. In the Stop Recording dialog box, name the macro (for example "ELFLogon"), select Make this the connect macro, and click OK.

  6. Open the Visual Basic Editor and then open the Recorded macro module.

  7. In the macro you recorded, edit the ibmCurrentScreen.SendKeys statement that sends your user name. Remove your user name and replace it with the ELF token )USR.ID(. The edited line should look like this:

    ibmCurrentScreen.SendKeys (")USR.ID(")

  8. Comment out or delete the lines that use the PasswordBox function to set the password. Replace it with a new line that sets the password variable equal to the ELF password token )PSS.WD(. The modified code should look like this:

     Rem hiddenTextEntry = ibmCurrentTerminal.Macro.PasswordBox("", "")
     Rem If (hiddenTextEntry = "") Then
     Rem     Err.Raise 5002, "Hidden TextEntry", <additional code on this line>... 
     Rem End If
     
     ibmCurrentScreen.SendKeys (")PSS.WD(")

  9. To set the macro you recorded to run after connection:

    1. Open the Settings window:

      The steps depend on your user interface mode.

      User Interface Mode              Steps
      -------------------              -----
      Ribbon or InfoConnect Browser    From the Quick Access Toolbar, click .
      Classic                          On the Options menu, select Settings.

    2. Select Configure Advanced Connection Settings.

    3. Under Connection Action, select Run a macro or other action after the initial connection and then click Select Action and select the macro you recorded.

    4. Select Run when reconnecting and then close the Settings window.

  10. Save the session file.

  11. Connect using the modified session. The connection macro you created should connect and log in. You should not have to enter a user name and password.
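
Before distributing the session file, it is worth confirming that the edits in steps 7 and 8 left no recorded user name or password prompt in the connect macro. The following check is an added example, not part of InfoConnect or of the original procedure. It assumes the macro source has been exported to text, and the function name, the allowed_literals parameter and the sample macros are constructed for illustration.

```python
import re

USER_TOKEN = ")USR.ID("   # ELF user ID token from step 7
PASS_TOKEN = ")PSS.WD("   # ELF password token from step 8

# A SendKeys call with a quoted literal argument, as the macro recorder writes it.
SENDKEYS_LITERAL = re.compile(r'\.SendKeys\s*\(?\s*"([^"]*)"')
# VBA comment lines: "Rem ..." or a leading apostrophe.
COMMENT_LINE = re.compile(r"^\s*(?:rem\b|')", re.IGNORECASE)


def audit_connect_macro(source, allowed_literals=("logon",)):
    """Return (line_number, finding) pairs; an empty list means the macro passed.

    allowed_literals is an assumption: host commands the macro may type as-is.
    Line number 0 marks a finding about the macro as a whole.
    """
    findings, tokens_sent = [], set()
    allowed = {text.lower() for text in allowed_literals}
    for number, line in enumerate(source.splitlines(), 1):
        if COMMENT_LINE.match(line):
            continue  # commented-out recorder output is expected after step 8
        if "PasswordBox" in line:
            findings.append((number, "active PasswordBox prompt"))
        for literal in SENDKEYS_LITERAL.findall(line):
            if literal in (USER_TOKEN, PASS_TOKEN):
                tokens_sent.add(literal)
            elif literal.strip().lower() not in allowed:
                findings.append((number, "literal text sent to host: " + literal))
    for token in (USER_TOKEN, PASS_TOKEN):
        if token not in tokens_sent:
            findings.append((0, "ELF token never sent: " + token))
    return findings


# Constructed sample: a macro as recorded, before the edits in steps 7 and 8.
RECORDED = '''ibmCurrentScreen.SendKeys ("logon")
ibmCurrentScreen.SendKeys ("jsmith")
hiddenTextEntry = ibmCurrentTerminal.Macro.PasswordBox("", "")
'''

# Constructed sample: the same macro after the edits.
EDITED = '''ibmCurrentScreen.SendKeys ("logon")
ibmCurrentScreen.SendKeys (")USR.ID(")
Rem hiddenTextEntry = ibmCurrentTerminal.Macro.PasswordBox("", "")
ibmCurrentScreen.SendKeys (")PSS.WD(")
'''

if __name__ == "__main__":
    for name, text in (("recorded", RECORDED), ("edited", EDITED)):
        print(name, audit_connect_macro(text))
```

Any literal the macro legitimately types other than the logon command has to be added to allowed_literals, otherwise it is reported as a possible recorded user name.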