Configuring MSS Automated Sign-On for Host Access
MSS Automated Sign-On for Host Access (ASO) enables an end user to automatically log on to a host application using a terminal emulation client and a one-time password (OTP). Automated Sign-On for Host Access is designed for non-z/OS systems.
The one-time password is obtained from the ASO service. It is time-limited and takes the place of the user's usual password. Use of a one-time password helps to increase the security of the host system because OTPs are short-lived, randomly generated, and can be used only once, making it more difficult to compromise a user's identity.
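The three properties named above (time-limited, randomly generated, single use) can be seen in a minimal issuer and validator. This is an added example, not Micro Focus code and not the ASO protocol, which this page does not describe; the OtpService class, the 30-second lifetime and the user names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class OtpService:
    """Toy issuer/validator (hypothetical); NOT the ASO protocol."""

    def __init__(self, ttl_seconds=30, clock=time.monotonic):
        self.ttl = ttl_seconds          # assumed lifetime, not a product value
        self.clock = clock              # injectable so expiry can be exercised
        self._pending = {}              # user -> (sha256(otp), expires_at)

    def issue(self, user):
        otp = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        digest = hashlib.sha256(otp.encode()).digest()
        # Keep only a hash; issuing again replaces any earlier OTP for the user.
        self._pending[user] = (digest, self.clock() + self.ttl)
        return otp

    def redeem(self, user, otp):
        """Return True once for a valid, unexpired OTP; False otherwise."""
        # pop() consumes the entry on every attempt, so a replay finds nothing
        # and a wrong guess also burns the outstanding OTP.
        entry = self._pending.pop(user, None)
        if entry is None:
            return False
        digest, expires_at = entry
        if self.clock() > expires_at:
            return False
        candidate = hashlib.sha256(otp.encode()).digest()
        return hmac.compare_digest(candidate, digest)  # constant-time compare


def demo():
    now = [0.0]                          # fake clock, advanced by hand
    svc = OtpService(ttl_seconds=30, clock=lambda: now[0])
    otp = svc.issue("jdoe")              # constructed user name
    first = svc.redeem("jdoe", otp)      # accepted
    replay = svc.redeem("jdoe", otp)     # rejected: already used
    late = svc.issue("jdoe")
    now[0] += 31                         # move past the 30-second lifetime
    expired = svc.redeem("jdoe", late)   # rejected: expired
    other = svc.redeem("asmith", svc.issue("jdoe"))  # rejected: other user's OTP
    return first, replay, expired, other


if __name__ == "__main__":
    print(demo())
```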
Automated Sign-On (ASO) settings need to be configured in different locations:
- MSS: Edit settings on the server and in the Administrative Console.
- the client: Create an automated login macro.
- the host: Enable the use of one-time passwords.
Note
If you are using a z/OS system, refer to the Automated Sign-On for Mainframe - Administrator Guide to leverage the existing z/OS functionalities of DCAS and RACF.
Prerequisites
- a separate license for MSS Automated Sign-On for Host Access Add-On product
- an LDAP server for authorization
- a Micro Focus terminal emulation client that supports ASO:
  - Reflection Desktop 18.0 or higher
  - InfoConnect Desktop 18.0 or higher
  - Host Access for the Cloud 3.0 or higher
Steps at a glance:
- Integrate the ASO protocol into your host system.
- Install the activation file.
- Enable the ASO service.
- Import the Host CA Certificate.
- Configure ASO in the MSS Administrative Console.
- Configure the client to use Automated Sign-On.
- Assign access to the automated sign-on sessions.
1. Integrate the ASO protocol into your host system
Use of MSS Automated Sign-On for Host Access requires custom programming on the host computer before you begin configuring.
Work with your Micro Focus sales representative to learn about the MSS Automated Sign-On for Host Access (ASO) protocol that you must implement on your specific host system. The host must be adapted to process one-time passwords issued by users during logon and validate them with the ASO service.
2. Install the activation file
The activation file for Automated Sign-On for Host Access is activation.automated_signon_for_hostaccess-<version>.jaw
You can install the activation file while installing MSS or via the MSS Administrative Console.
- To install while installing MSS, see the MSS Deployment Guide.
- To use the MSS Administrative Console, see Installing an Activation File for an Additional Product.
3. Enable the ASO service on the MSS server
- In the MSS Administrative Console, open Configure Settings - Automated Sign-on.
- Check Enable MSS Automated Sign-On for Host Access. If the check box is disabled, the activation file needs to be installed (step #2).
When Automated Sign-On is enabled:
- it will be automatically scaled to one instance in a cluster.
- you must select a certificate (see step #4).
- other settings become available.
4. Import the Host CA Certificate
To establish trust with the host, click IMPORT CERTIFICATE and choose a CA certificate.
Note
- The certificate must be in PEM format.
5. Configure ASO in the MSS Administrative Console
Configure the LDAP directory settings that are used to retrieve user names for Automated Sign-On to the host.
- Configure a secondary LDAP directory when user names are stored in a directory that is different from the authenticating directory.
  Note: When a secondary LDAP directory is enabled, other settings become available.
- Specify a User Principal Name (UPN) when the UPN attribute in the authenticating directory starts with the user name. Example: username@domain.com
Note: When assigning ASO capabilities to sessions, you may specify an LDAP attribute from either directory as the source of the user name.
6. Configure the client to use Automated Sign-On
- Your Desktop emulator session must either be configured for centralized management or be launched from the Assigned Sessions page.
- In the MSS Administrative Console - Manage Settings, add a session that you want to make available for automatic login.
- In the launched session, record and edit a login macro.
  The steps to create a macro vary based on your specific emulator and session type. Refer to your emulator client's product documentation.
- Save the session.
7. Assign Access
After the client session is configured with an automated sign-on macro, you are ready to assign those sessions to users. See Search & Assign.
Be sure to click EDIT and set the Source of user name on host computer.