
Configuring MSS Automated Sign-On for Host Access

MSS Automated Sign-On for Host Access (ASO) enables an end user to automatically log on to a host application using a terminal emulation client and a one-time password (OTP). Automated Sign-On for Host Access is designed for non-z/OS systems.

The one-time password is obtained from the ASO service. It is time-limited and takes the place of the user's usual password. Use of a one-time password helps to increase the security of the host system because OTPs are short-lived, randomly generated, and can be used only once, making it more difficult to compromise a user's identity.

ASO settings must be configured in three locations:

  • MSS: Edit settings on the server and in the Administrative Console.
  • The client: Create an automated login macro.
  • The host: Enable the use of one-time passwords.

Note

If you are using a z/OS system, refer to the Automated Sign-On for Mainframe - Administrator Guide to leverage the existing z/OS functionalities of DCAS and RACF.

Prerequisites

  • a separate license for the MSS Automated Sign-On for Host Access Add-On product
  • an LDAP server for authorization
  • a Micro Focus terminal emulation client that supports ASO:
    • Reflection Desktop 18.0 or higher
    • InfoConnect Desktop 18.0 or higher
    • Host Access for the Cloud 3.0 or higher

Steps at a glance:

  1. Integrate the ASO protocol into your host system.
  2. Install the activation file.
  3. Enable the ASO service.
  4. Import the Host CA Certificate.
  5. Configure ASO in the MSS Administrative Console.
  6. Configure the client to use Automated Sign-On.
  7. Assign access to the automated sign-on sessions.

1. Integrate the ASO protocol into your host system

Use of MSS Automated Sign-On for Host Access requires custom programming on the host computer before you begin configuring.

Work with your Micro Focus sales representative to learn about the MSS Automated Sign-On for Host Access (ASO) protocol that you must implement on your specific host system. The host must be adapted to process one-time passwords issued by users during logon and validate them with the ASO service.

2. Install the activation file

The activation file for Automated Sign-On for Host Access is activation.automated_signon_for_hostaccess-<version>.jaw

You can install the activation file while installing MSS or via the MSS Administrative Console.

3. Enable the ASO service on the MSS server

  1. In the MSS Administrative Console, open Configure Settings - Automated Sign-on.

  2. Check Enable MSS Automated Sign-On for Host Access. If the check box is disabled, the activation file needs to be installed (step #2).

    When Automated Sign-On is enabled:

    • It is automatically scaled to one instance in a cluster.
    • You must select a certificate (see step #4).
    • Other settings become available.

4. Import the Host CA Certificate

To establish trust with the host, click IMPORT CERTIFICATE and choose a CA certificate.

Note

  • The certificate must be in PEM format.
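A pre-import check for the PEM requirement above, as an added example that is not part of the product or its documentation: it converts a binary DER export to PEM and refuses files that carry a private key. The function name `normalize_ca_certificate` and the sample bytes are assumptions made for illustration; the check covers the encoding only, not X.509 fields such as the CA flag or validity dates.

```python
import base64
import re
import ssl

# One PEM block: captures the label and the base64 body between the markers.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

# Constructed placeholder (a tiny ASN.1 SEQUENCE), not a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"


def normalize_ca_certificate(raw: bytes) -> str:
    """Return the certificate data in `raw` as clean PEM text.

    Accepts PEM or binary DER. Raises ValueError for input that should not
    be imported as a CA certificate.
    """
    if b"-----BEGIN" not in raw:
        # No PEM markers: accept only binary DER, which starts with the
        # ASN.1 SEQUENCE tag 0x30, and wrap it in PEM armor.
        if raw[:1] != b"\x30":
            raise ValueError("neither PEM nor DER certificate data")
        return ssl.DER_cert_to_PEM_cert(raw)

    blocks = PEM_BLOCK.findall(raw.decode("ascii", errors="replace"))
    if any("PRIVATE KEY" in label for label, _ in blocks):
        # A CA certificate export must never carry key material.
        raise ValueError("file contains a private key; export the certificate only")
    bodies = [body for label, body in blocks if label == "CERTIFICATE"]
    if not bodies:
        raise ValueError("no CERTIFICATE block found")

    pem_parts = []
    for body in bodies:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            raise ValueError("CERTIFICATE block is not valid base64") from None
        if der[:1] != b"\x30":
            raise ValueError("CERTIFICATE block does not hold DER data")
        pem_parts.append(ssl.DER_cert_to_PEM_cert(der))
    return "".join(pem_parts)


if __name__ == "__main__":
    print(normalize_ca_certificate(SAMPLE_DER), end="")
```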

5. Configure ASO in the MSS Administrative Console

Configure the LDAP directory settings that are used to retrieve user names for Automated Sign-On to the host.

  • Configure a secondary LDAP directory when user names are stored in a directory that is different from the authenticating directory.
    Note: When a secondary LDAP directory is enabled, other settings become available.

  • Specify a User Principal Name (UPN) when the UPN attribute in the authenticating directory starts with the user name. Example: username@domain.com

  • Note: When assigning ASO capabilities to sessions, you may specify an LDAP attribute from either directory as the source of the user name.

6. Configure the client to use Automated Sign-On

  1. Your Desktop emulator session must either be configured for centralized management or be launched from the Assigned Sessions page.

  2. In the MSS Administrative Console - Manage Settings, add a session that you want to make available for automatic login.

  3. In the launched session, record and edit a login macro.

    The steps to create a macro vary based on your specific emulator and session type. Refer to your emulator client's product documentation.

  4. Save the session.

7. Assign Access

After the client session is configured with an automated sign-on macro, you are ready to assign those sessions to users. See Search & Assign.

Be sure to click EDIT and set the Source of user name on host computer.