Configuring a region for Express Logon Feature

This topic guides you through the steps required to configure an enterprise server region with Mainframe Subsystem Support to enable ELF functionality. The region must be secured with a Security Manager which allows you to generate and sign on with passtokens. See ESF Passtokens for more information.

You must add a new DCAS listener to the region:

  1. Start the Enterprise Server Administration home page, and then click Edit for the region you want to create the listener for.
  2. Click the Listener tab, and then click Add.
  3. In the Support Conversation Type group, click Custom.
  4. In the field next to the Custom option, type dcas.
  5. Configure the listener as required. DCAS listeners must be configured for SSL communication. See DCAS conversation type and Secure Communications (SSL) for more information.
    Note: Micro Focus recommends you configure both the DCAS and TN3270 listeners with the same SSL server certificate and key. Failure to do so might result in users being able to incorrectly acquire or fail to acquire passtokens from DCAS.
  6. Use the cascertreg command line utility to map a user certificate to a user ID. You can do this by using the command line utility cascertreg. See cascertreg for more information.
    Note: Regions that use certificate mapping for CICS Web Interface can use the same certificate mappings for DCAS.
  7. You might need to perform additional configuration for an existing TN3270 listener, either to configure SSL or explicitly reference a DCAS connector. Depending on how your users' certificates are created, you might need to configure the Maximum Chain Length and Match Client Hostname settings. See To set certificate validation options and TN3270 conversation type for more information.

Once these steps are complete, users need to configure their clients to allow ELF negotiation, also referred to as Certificate Express Logon (CEL), and to connect using their certificate. Once this is done the user is able to log on to the server using their certificate as identification. The logon process itself is often performed using a macro which inserts the two well-known placeholder strings into the logon fields, which the server sees and replaces with the mapped username and passtoken. These strings are:

")USR.ID("
For the username.
")PSS.WD("
For the password.
Parent topic: Multi-Factor Authentication
Related reference
cascertreg
DCAS conversation type
ESF Passtokens
TN3270 conversation type