This topic guides you through the steps required to configure an enterprise server region with Mainframe Subsystem Support to enable ELF functionality. The region must be secured with a Security Manager which allows you to generate and sign on with passtokens. See ESF Passtokens for more information.

As of Enterprise Server versions 5.0 Patch Update 9 and 6.0, a DCAS listener is no longer required for ELF. You can either add a DCAS listener (or use an existing one), or configure your TN3270 listener to use DCAS in "internal" mode. A DCAS listener is useful if you need it for other purposes, such as Automated Sign-On for Mainframe. Otherwise, Micro Focus recommends using internal DCAS to avoid any possible additional security exposure from a DCAS listener.

To add a new DCAS listener to the region:
- Start the Enterprise Server Administration Home page, and then click Edit for the region you want to create the listener for.
- Click the Listener tab, and then click Add.
- In the Support Conversation Type group, click Custom.
- In the field next to the Custom option, type dcas.
- Configure the listener as required. DCAS listeners must be configured for SSL communication. See DCAS conversation type and Secure Communications (SSL) for more information.

Note: Micro Focus recommends you configure both the DCAS and TN3270 listeners with the same SSL server certificate and key. Failure to do so might result in users being able to incorrectly acquire or fail to acquire passtokens from DCAS.

To use internal DCAS:
- Start the Enterprise Server Administration Home page, and then click Edit for the region you want to create the listener for.
- Click the Listener tab, and then click Edit for your TN3270 listener.
- In the TN3270 listener's configuration text area, add the following:

  [DCAS]
  internal=yes
  [DCAS Certificate]
  certificate directory=path-to-certificate-registration-directory

  where path-to-certificate-registration-directory is the full path to the directory where you will keep your certificate registrations. See Understanding certificate registration and cascertreg for more information.
- You might want to configure additional parameters for internal DCAS in the TN3270 listener configuration areas using the [DCAS Operation] and [DCAS Tracing] sections. See DCAS conversation type for more information.
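
A check for the internal DCAS settings listed above, as an added example that is not Micro Focus code. It assumes the TN3270 listener's configuration text has been copied into a string and parses as INI-style sections; the function name and the sample values are hypothetical.

```python
import configparser
from pathlib import PurePosixPath, PureWindowsPath

PLACEHOLDER = "path-to-certificate-registration-directory"


def check_internal_dcas(listener_config: str) -> list[str]:
    """Return findings; an empty list means the settings from this topic are present."""
    # Assumption: the configuration text parses as INI-style sections.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(listener_config)
    except configparser.Error as exc:
        return [f"configuration text could not be parsed: {exc}"]

    findings = []
    if not parser.has_section("DCAS"):
        findings.append("missing [DCAS] section")
    # Assumption: this check compares the value case-insensitively.
    elif parser.get("DCAS", "internal", fallback="").strip().lower() != "yes":
        findings.append("[DCAS] internal is not set to yes")

    if not parser.has_section("DCAS Certificate"):
        findings.append("missing [DCAS Certificate] section")
    else:
        directory = parser.get(
            "DCAS Certificate", "certificate directory", fallback=""
        ).strip()
        if not directory:
            findings.append("certificate directory is not set")
        elif directory == PLACEHOLDER:
            findings.append("certificate directory still holds the documentation placeholder")
        elif not (PureWindowsPath(directory).is_absolute()
                  or PurePosixPath(directory).is_absolute()):
            # The topic asks for the full path to the registration directory.
            findings.append("certificate directory is not a full path")
    return findings


# Constructed sample inputs, not taken from a real region.
GOOD = "[DCAS]\ninternal=yes\n[DCAS Certificate]\ncertificate directory=/opt/es/certreg\n"
BAD = "[DCAS]\ninternal=no\n[DCAS Certificate]\ncertificate directory=certreg\n"

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_internal_dcas(text) or "ok")
```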

To complete ELF configuration:
- Use the cascertreg command line utility to map a user certificate to a user ID. See cascertreg for more information.

  Note: Regions that use certificate mapping for CICS Web Interface can use the same certificate mappings for DCAS.
- You might need to perform additional configuration for an existing TN3270 listener, either to configure SSL or explicitly reference a DCAS connector. Depending on how your users' certificates are created, you might need to configure the Maximum Chain Length and Match Client Hostname settings. See To set certificate validation options and TN3270 conversation type for more information.

Once these steps are complete, users need to configure their clients to allow ELF negotiation, also referred to as Certificate Express Logon (CEL), and to connect using their certificate. Once this is done, users can log on to the server using their certificate as identification. The logon process itself is often performed using a macro that inserts the two well-known placeholder strings into the logon fields, which the server sees and replaces with the mapped user ID and passtoken. These strings are:
- ")USR.ID(": For the user ID.
- ")PSS.WD(": For the password.

See DCAS Security for additional information regarding DCAS security considerations and features.