Connect 3270 Sessions using the Express Logon Feature
Use this procedure to configure a 3270 session to connect to the host using the Express Logon Feature (ELF).
note
Express Logon Feature (ELF) Also referred to as single sign-on (SSO), express logon is an IBM mainframe feature that lets users log on and connect to the host without entering a user ID and password each time. Express Logon authenticates the user on the mainframe by using her SSL client certificate in lieu of entering a user ID and password.
This procedure includes four parts:
-
Configure the host for ELF.
-
Install digital certificates on the host and client.
-
Configure ELF for a 3270 session.
-
Record the connect macro that logs on using the ELF token values.
note
If you connect to the host using ELF through the a centralized management server you must configure End-to-End encryption from the Administrative Webstation. For more information, see the Reflection Installation and Deployment Guide.
To configure the Host for ELF
-
Configure the host to support SSL/TLS connections.
-
Configure ELF and note the applid value.
For instructions, see the documentation included with the IBM host.
To install digital certificates on the host and client
To make connections using ELF, all Reflection users must have both host and personal certificates installed. (If the certificates are from a trusted Certificate Authority, you only need to install personal certificates.) For more information, refer to Knowledge Base Article 7021686.
To configure ELF for a 3270 session
-
Create a new 3270 session document:
-
Specify the Host name/ IP Address. If your configuration requires the host name to match the certificate, enter the name that exactly matches the CommonName or the SubjectAltName field specified in the host certificate.
-
Specify the Port used for SSL connections by your host. This is configured by the IBM host administrator.
-
-
Select the Configure additional settings check box and click OK.
-
Under Host Connection, click Configure Connection Settings.
-
(Recommended) Under Host Connection Options, When connection is terminated, choose Leave disconnected.
Because you are configuring automatic logon, your user name and password are no longer necessary. This means you will be logged back in immediately after every log off if the default Reconnect automatically is selected. If you prefer to leave Auto Reconnect on while you're working, you can create a logoff macro that turns off this setting just prior to logging off.
-
Click Configure Advanced Connection Settings.
-
Scroll down to Security and in the ELF application ID box, enter the applid value from the host. For example, the application ID (applid) for TSO is
TSO
appended with thesmfid
value (located in theSMFPRMxx
member ofSYS1.PARMLIB
). For additional information, refer to the IBM system documentation. -
Click Security Settings and in the Security Properties dialog box, do the following:
-
Select Use SSL/TLS security.
-
(Optional) Change the values for Encryption strength and SSL/TLS version.
-
-
Save your settings.
To record a connect macro that logs on using the ELF token values
-
Open the 3270 session file you just created. (You should be connected but not yet logged on.)
-
Start the macro recorder.
-
Log on using a valid user name and password. (Editing your macro will be easiest if you don't include your user name when you enter the logon command. Type the logon, press Enter, then type your user name.) You will edit the macro to remove specific user information and replace it with ELF token values that support logon by any authenticated user.
-
Stop the macro recorder.
-
In the Stop Recording dialog box, name the macro (for example "ELFLogon") and Click OK.
-
Open the Visual Basic Editor and then open the Recorded macro module.
-
In the macro you recorded, edit the
ibmCurrentScreen.SendKeys
statement that sends your user name. Remove your user name and replace it with the ELF token)USR.ID(
. The edited line should look like this:ibmCurrentScreen.SendKeys (")USR.ID(")
-
Comment out or delete the lines that use the
PasswordBox
function to set the password. Replace it with a new line that sets the password variable equal to the ELF password token)PSS.WD(
. The modified code should look like this:Rem hiddenTextEntry = ibmCurrentTerminal.Macro.PasswordBox("", "") Rem If (hiddenTextEntry = "") Then Rem Err.Raise 5002, "Hidden TextEntry", < additional code on this line>... Rem End If ibmCurrentScreen.SendKeys (")PSS.WD(")
-
To set the macro you recorded to run after connection:
-
Open the Settings window. The steps depend on your user interface mode.
-
If you are using the Ribbon or Reflection Browser, from the Quick Access Toolbar, click .
-
If you are using Classic mode, on the Options menu, select Settings.
-
-
Select Configure Advanced Connection Settings.
-
Under Connection Action, select Run a macro or other action after the initial connection and then click Select Action and select the macro you recorded.
-
Select Run when reconnecting and then close the Settings window.
-
-
Save the session file.
-
Connect using the modified session. The macro you created should automatically log in after you connect or reconnect. You should not have to enter a user name and password.