Users accessing SNA applications using Telnet clients such as Host On Demand are generally required to know the user ID and password for the application they want to access. The ID-and-password authentication process creates several potential problems. For example, users may forget their IDs and passwords. If they do forget, the passwords must be reset by a system administrator, a time-consuming process. On the other hand, writing down the IDs and passwords or sharing them with someone else creates a security risk, especially because passwords are usually valid for relatively long periods of time.
IBM's solution to these problems is the Express® Logon Feature (ELF), a process which allows a user on a workstation with a Telnet client and an X.509 certificate to log on to an SNA application without entering an ID or password. The Express Logon Feature is supported on two-tier and three-tier network designs. The two-tier design uses the z/OS® TN3270E Telnet server. The three-tier design uses a middle-tier Telnet server and a Digital Certificate Access Server (DCAS).
Both network designs require a Telnet client workstation that supports Secure Sockets Layer (SSL) connections with client authentication and an X.509 certificate. The client certificate must be associated with a valid user ID using RACF® services in z/OS. The only client-side product that supports the Express Logon Feature is the IBM® WebSphere® Host On Demand V5.0 and later releases.
The two-tier design requires the z/OS TN3270E Telnet server with SSL, client authentication, and Express Logon functions turned on. See Express Logon Feature for server setup information.
A Digital Certificate Access Server (DCAS) exists on the host. DCAS uses RACF services to obtain a user ID that has been mapped to a digital certificate.
The host also provides RACF Secured Signon services, which the DCAS or the MVS™ host Telnet server uses to generate a PassTicket. A PassTicket is a RACF token similar to a password except that it is valid only for ten minutes.
In both cases the ELF-enabled client and server now have enough information to complete the logon to TSO. This occurs without the user ever having to enter a user ID or password.
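As an added illustration (not IBM's code and not the actual RACF PassTicket algorithm), the following Python models the flow described above: a DCAS-style lookup that maps a client certificate to a user ID, issuance of a ticket that is valid for ten minutes, and host-side validation that rejects expired or altered tickets. The certificate bytes, the certificate-to-user-ID table and the signon key are constructed stand-ins.

```python
import hashlib
import hmac
from typing import Optional, Tuple

PASSTICKET_LIFETIME_S = 10 * 60  # a PassTicket is valid for ten minutes

# Constructed client certificate (DER bytes stand-in) and the RACF-style
# mapping from certificate fingerprint to user ID that DCAS consults.
CLIENT_CERT = b"constructed X.509 certificate for the workstation user"
CERT_TO_USERID = {hashlib.sha256(CLIENT_CERT).hexdigest(): "USER01"}
# Key shared by the host and the DCAS / Telnet server (constructed; a
# stand-in for the RACF Secured Signon key, not IBM's PassTicket algorithm).
SIGNON_KEY = b"constructed-secured-signon-key"


def map_certificate(cert_der: bytes) -> Optional[str]:
    """DCAS step: return the user ID RACF associates with this certificate."""
    return CERT_TO_USERID.get(hashlib.sha256(cert_der).hexdigest())


def generate_passticket(userid: str, appl: str, now: int) -> str:
    """Secured Signon step: a time-stamped, keyed token bound to (user, application)."""
    msg = f"{userid}|{appl}|{now}".encode()
    mac = hmac.new(SIGNON_KEY, msg, "sha256").hexdigest()[:16]
    return f"{now}:{mac}"


def validate_passticket(userid: str, appl: str, ticket: str, now: int) -> bool:
    """Host step: accept only an unmodified ticket inside the ten-minute window."""
    try:
        ts_str, mac = ticket.split(":", 1)
        ts = int(ts_str)
    except ValueError:
        return False  # malformed ticket
    if not 0 <= now - ts <= PASSTICKET_LIFETIME_S:
        return False  # expired, or time-stamped in the future
    expected = generate_passticket(userid, appl, ts).split(":", 1)[1]
    return hmac.compare_digest(mac, expected)


def express_logon(cert_der: bytes, appl: str, now: int) -> Optional[Tuple[str, str]]:
    """Client presents its certificate; returns (userid, passticket) or None."""
    userid = map_certificate(cert_der)
    if userid is None:
        return None  # no RACF mapping: the user must log on with ID and password
    return userid, generate_passticket(userid, appl, now)
```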