Express Logon Feature

Users accessing SNA applications using Telnet clients such as Host On Demand are generally required to know the user ID and password for the application they want to access. The ID-and-password authentication process creates several potential problems. For example, users may forget their IDs and passwords. If they do forget, the passwords must be reset by a system administrator, a time-consuming process. On the other hand, writing down the IDs and passwords or sharing them with someone else creates a security risk, especially because passwords are usually valid for relatively long periods of time.

IBM®'s solution to these problems is the Express Logon Feature (ELF), a process which allows a user on a workstation with a Telnet client and an X.509 certificate to log on to an SNA application without entering an ID or password. The Express Logon Feature is supported on two-tier and three-tier network designs. The two-tier design uses the z/OS® TN3270E Telnet server. The three-tier design uses a middle-tier Telnet server and a Digital Certificate Access Server (DCAS).

Figure 1. Express Logon network
Diagram that shows both the three-tier solution and the two-tier solution of the express logon feature
Both network designs require a Telnet client emulator that supports:
  • Transport Layer Security (TLS) or Secure Sockets Layer (SSL) connections with client authentication and an X.509 certificate. Using RACF® services in z/OS, the client certificate must be associated with a valid user ID.
  • The Express Logon Feature (ELF).

The two-tier design requires the z/OS TN3270E Telnet server with TLS/SSL, client authentication, and Express Logon functions turned on. See Express Logon Feature for server setup information.

The three-tier design requires a middle-tier Telnet server that includes a Digital Certificate Access Requester (DCAR) and the z/OS Digital Certificate Access Server (DCAS). A middle-tier Telnet server, so called because it is not on the host, but rather between the Telnet client emulator and the host.

Note: The term DCAR is used to describe the part of the Telnet middle-tier server that supports the Express Logon Feature and communicates as a client with the DCAS. It is not separate from the Telnet middle-tier server. The term DCAR might not be used in other information that describes ELF but has been used here to simplify the description of this function.

A Digital Certificate Access Server (DCAS) exists on the host. DCAS uses RACF services to obtain a user ID that has been mapped to a digital certificate.

The host also provides RACF Secured Signon services, which the DCAS or the z/OS host TN3270E Telnet server uses to generate a PassTicket. A PassTicket is a RACF token similar to a password except that it is valid only for ten minutes. Additionally, the z/OS TN3270E Telnet server might use a Multi-Factor Authentication (MFA) token that was generated by IBM MFA for z/OS.

In a typical scenario, an ELF-enabled client wants to log on to a TSO application on the host.
  • In the two-tier design, the user starts a secure connection with level 2 client authentication, which passes the client certificate to the TN3270E Telnet server. The TN3270E Telnet server uses either RACF MFA services to retrieve a user ID and an MFA token or uses RACF Secured Signon services to obtain a user ID and PassTicket.
  • In the three-tier design, the user starts the Telnet connection to the middle-tier Telnet server. The client of the DCAS is the middle-tier Telnet server or DCAR, which attempts to log on to an SNA application for the client emulator. The DCAS receives a digital certificate from the DCAR and returns a user ID and PassTicket. Secure communication is used between the DCAS and the DCAR. The server recognizes that the client wants the Express Logon function and invokes the DCAR, which opens a secure connection with client authentication and passes the client's certificate and application name to the DCAS on the host. The DCAS uses RACF Secured Signon services to obtain a user ID and PassTicket, which the DCAS returns to the DCAR. The DCAR passes this information back to the middle-tier Telnet server.

In both cases the ELF-enabled client and server now have enough information to complete the logon to TSO. This occurs without the user ever having to enter a user ID or password.

Note: You can use RACF or any other SAF-compliant security product that supports MFA (for the two-tier design) or PassTickets with Express Logon.