Users accessing SNA applications using Telnet clients such as Host On Demand are generally required to know the user ID and password for the application they want to access. The ID-and-password authentication process creates several potential problems. For example, users may forget their IDs and passwords. If they do forget, the passwords must be reset by a system administrator, a time-consuming process. On the other hand, writing down the IDs and passwords or sharing them with someone else creates a security risk, especially because passwords are usually valid for relatively long periods of time.
IBM's solution to these problems is the Express® Logon Feature (ELF), a process which allows a user on a workstation with a Telnet client and an X.509 certificate to log on to a SNA application without entering an ID or password. The Express Logon Feature is supported on two-tier and three-tier network designs. The two-tier design uses the z/OS® TN3270E Telnet server. The three-tier design uses a middle-tier Telnet server and a Digital Certificate Access Server (DCAS).
Both network designs require a Telnet client workstation that supports Secure Sockets Layer (SSL) connections with client authentication and an X.509 certificate. Using RACF® services in z/OS, the client certificate must be associated with a valid user ID. The only client-side product that supports the Express Logon Feature is the IBM® WebSphere® Host On Demand V5.0 and later releases.
The two-tier design requires the z/OS TN3270E Telnet server with SSL, client authentication, and Express Logon functions turned on. See Express Logon Feature for server setup information.
- CS2 6.1
- CS/NT 6.1.1 PTF
- CS/AIX 6.0.0.1 PTF
A Digital Certificate Access Server (DCAS) exists on the host. DCAS uses RACF services to obtain a user ID that has been mapped to a digital certificate.
The host also provides RACF Secured Signon services, which the DCAS or the MVS™ host Telnet server use to generate a PassTicket. A PassTicket is a RACF token similar to a password except that it is valid only for ten minutes.
- In the two-tier design, the user starts a secure connection with level 2 client authentication, which passes the client certificate to the TN3270E Telnet server. The TN3270E Telnet server uses RACF Secured Signon services to obtain a user ID and PassTicket.
- In the three-tier design, the user starts the Telnet connection to the middle-tier Telnet server. The client of the DCAS is the middle-tier Telnet server or DCAR, which attempts to log on to an SNA application for the workstation client. The DCAS receives a digital certificate from the DCAR and returns a user ID and PassTicket. Secure communication is used between the DCAS and the DCAR. The server recognizes that the client wants the Express Logon function and invokes the DCAR, which opens a secure connection with client authentication and passes the workstation's certificate and application name to the DCAS on the host. The DCAS uses RACF Secured Signon services to obtain a user ID and PassTicket, which the DCAS returns to the DCAR. The DCAR passes this information back to the middle-tier Telnet server.
In both cases the ELF-enabled client and server now have enough information to complete the logon to TSO. This occurs without the user ever having to enter a user ID or password.