Beginning in Reflection for IBM 13.0.1, Reflection 3270 sessions support the IBM Express Logon Feature (ELF). This feature enables you to configure 3270 Telnet sessions that connect without requiring you to enter a user ID and password. When this feature is enabled, the Telnet 3270 server uses certificate information from an SSL connection and the application ID supplied by Reflection to request a user ID and a PassTicket (a temporary password) from the IBM host access control program RACF.
To use this feature, the administrator must configure the host, install certificates if necessary on user computers, configure Reflection connection settings, and create a connect macro. These steps are outlined below.
Configure the Host
The administrator of your IBM host computer must configure ELF support on the host.
- SSL/TLS authentication is handled by digital certificates. You can use RACF or GSKKYMAN to create self-signed certificates on the host. You will need to create certificates to authenticate both the server and the client. An alternative to creating self-signed certificates is to acquire certificates from a trusted Certificate Authority (CA).
- In the TELNETPARMS block for your ELF port, you must add the EXPRESSLOGON parameter as shown in the example below:
KEYRING SAF TCPRing
- The PassTicket profile must be set to use RACF. This must be done for each application that uses a PassTicket. In the following example, TSO is used as a sample application. Note that the KEYMASKED parameter is an arbitrary hex string.
RDEFINE PTKTDATA TSOSYS1 SSIGNON(KEYMASKED(A1B2C3D4E5F6G7H8)) UACC(NONE)
SETR RACLIST(PTKTDATA) REFRESH
TSOSYS1 is the applid used in step 2 of the "Configure Reflection Connection Settings" section below.
Install Digital Certificates on Client Computers
To make connections using ELF, all Reflection users must have both host and personal certificates installed. (If the certificates are from a trusted Certificate Authority, you only need to install personal certificates.) For more information, KB 7021686.
Before you proceed to configure your ELF connection, confirm that you can make an SSL/TLS connection.
Configure Reflection Connection Settings
- On the Connection menu, click Session setup and then configure the following:
- Set Terminal Type to 3270.
- Set Transport to either Telnet or Telnet Extended.
- Specify a value for Host name or IP Address. (Depending on your configuration, you may need to enter a host name that exactly matches either the CommonName or the SubjectAltName field as specified in the host certificate.)
- Specify the Port used for SSL connections by your host. This is configured by the IBM host administrator.
- Click the Advanced button in the Session Setup dialog box and configure the following:
- Select Enable SSL.
- Specify a value for ELF applid. Contact the IBM host administrator for this information. For example, the applid for TSO is TSO+smfid (located in the SMFPRMxx member of SYS1.PARMLIB). For additional information, refer to the IBM system documentation.
- Click OK to close the Advanced 3270 Telnet and Session Setup dialog boxes.
- Turn off the Auto Reconnect setting as follows:
- Go to Setup > View Settings.
- Search for "Auto Reconnect" and set the value to No.
This change is recommended so you will not be automatically logged back in again after every logoff. When Auto Reconnect is enabled, Reflection always attempts to make a new connection after you disconnect. Because you are configuring automatic logon, your user name and password are no longer necessary, which means that you will be logged back in again immediately after every logoff.
Note: If you prefer to leave Auto Reconnect on while you're working, you can create a logoff macro that turns off this setting just prior to logging off.
- Save your settings.
Create a Connect Macro that Logs on Using the ELF Token Values
- Open the settings file you just created. (You should be connected but not yet logged on.)
- Start the macro recorder (Macro > Start Recording).
- Log on using a valid user name and password. (Editing your macro will be easiest if you don't include your user name when you enter the logon command. Type logon, press Enter, then enter your user name.) You will edit the macro to remove specific user information and replace it with ELF token values that support logon by any authenticated user.
- Stop the macro recorder (Macro > Stop Recording). In the Stop Recording dialog box name the macro (for example "ELF logon") and select Make this the connect macro. Click OK. (An alternate way to specify a connect macro is to use the Connect macroHDLG_CONNECTMACRO setting in the Session Setup dialog box.)
- Open the Visual Basic Editor (Macro > Macros > [select your macro] > Edit).
- Edit the TransmitANSI statement that sends your user name. Remove your user name and replace it with the ELF token )USR.ID(. The edited line will look like this:
- Comment out or delete the line that uses the GetPassword method to set the password. Replace it with a new line that sets the password variable equal to the ELF password token )PSS.WD(. The modified code should look like this:
Dim hostpassword As String
'hostpassword = .GetPassword(" Password ===>", "", "", "")
hostpassword = ")PSS.WD("
- Save the settings file.
- Connect using the modified Reflection session. You should connect and be logged in without having to enter a user name and password.