Using Express Logon in Reflection for the Web
Technical Note 1878
Last Reviewed 22-Dec-2005
Applies To
Reflection for the Web version 8.5
Summary
In version 8.5, you can configure Reflection for the Web to use express logon through RACF. The express logon feature enables you to configure 3270 sessions that connect without requiring you to enter a user ID and password.
Configuring the express logon feature is a multi-step process:
A. Configuring the Host
Ensure that the host is configured to support express logon and has an SSL certificate:
- Verify that express logon is enabled on the mainframe host and telnet server. The EXPRESSLOGON parameter must be included in the TELNETPARMS block, as shown in the following example:
SECUREPORT 23003
KEYRING SAF TCPRing
EXPRESSLOGON
CONNTYPE SECURE
CLIENTAUTH SAFCERT
...
If the host has already been used for express logon with another client, then this step is complete. If express logon is not enabled, refer to your host documentation for instructions.
- The mainframe host must have an SSL certificate. See Technical Note 1760 for instructions.
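The following script is an added example, not part of the original technical note or of any Attachmate product, for checking the host-side prerequisites in step A before touching the client. It reads a copy of PROFILE.TCPIP, finds each TELNETPARMS ... ENDTELNETPARMS block, and reports which blocks carry the settings the example above depends on (SECUREPORT, KEYRING, EXPRESSLOGON, CONNTYPE SECURE, CLIENTAUTH SAFCERT). It assumes one statement per line and ';' as the comment character; the embedded profile fragment is constructed for the example.

```python
"""Added check: report which TELNETPARMS blocks in a PROFILE.TCPIP meet the
express logon prerequisites (secure port, key ring, EXPRESSLOGON,
CONNTYPE SECURE, CLIENTAUTH SAFCERT).

Assumptions (not from the original note): one TELNETPARMS statement per
line, ';' begins a comment, and the profile is a plain text export.
"""

# Constructed sample profile: a basic block on port 23 that is not ready
# for express logon, and a secure block on 23003 that is. Not a real
# customer profile.
SAMPLE_PROFILE = """\
; Constructed PROFILE.TCPIP fragment
TELNETPARMS
  PORT 23
  CONNTYPE BASIC
  CLIENTAUTH NONE
ENDTELNETPARMS
TELNETPARMS
  SECUREPORT 23003
  KEYRING SAF TCPRing
  EXPRESSLOGON
  CONNTYPE SECURE
  CLIENTAUTH SAFCERT   ; map the client certificate to a RACF user
ENDTELNETPARMS
"""


def parse_telnetparms(profile_text):
    """Return one dict per TELNETPARMS...ENDTELNETPARMS block.

    Keys are statement keywords in upper case; values are the remaining
    operands as one upper-cased string ('' for operand-less statements such
    as EXPRESSLOGON). Statements outside a block are ignored.
    """
    blocks = []
    current = None
    for raw in profile_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if not line:
            continue
        tokens = line.split()
        keyword = tokens[0].upper()
        if keyword == "TELNETPARMS":
            current = {}
        elif keyword == "ENDTELNETPARMS":
            if current is not None:
                blocks.append(current)
            current = None
        elif current is not None:
            current[keyword] = " ".join(tokens[1:]).upper()
    return blocks


def check_express_logon(block):
    """Return a list of problems; an empty list means the block is ready."""
    problems = []
    if "SECUREPORT" not in block:
        problems.append("no SECUREPORT: express logon needs a TLS-protected port")
    if "KEYRING" not in block:
        problems.append("no KEYRING: the telnet server has no certificate to present")
    if "EXPRESSLOGON" not in block:
        problems.append("EXPRESSLOGON is not specified")
    conntype = block.get("CONNTYPE", "<unset>")
    if conntype != "SECURE":
        problems.append(f"CONNTYPE is {conntype}, expected SECURE")
    clientauth = block.get("CLIENTAUTH", "<unset>")
    if clientauth != "SAFCERT":
        problems.append(
            f"CLIENTAUTH is {clientauth}, expected SAFCERT so RACF can map "
            "the client certificate to a user ID"
        )
    return problems


def report(profile_text):
    """Map each block's port (SECUREPORT or PORT) to its problem list."""
    result = {}
    for block in parse_telnetparms(profile_text):
        port = block.get("SECUREPORT") or block.get("PORT") or "<no port>"
        result[port] = check_express_logon(block)
    return result


if __name__ == "__main__":
    for port, problems in report(SAMPLE_PROFILE).items():
        print(f"port {port}: {'OK' if not problems else 'NOT READY'}")
        for problem in problems:
            print(f"  - {problem}")
```

Run it against an exported copy of the profile before configuring sessions; the port that the script marks OK is the one to enter as the SSL port in step D.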
B. Configuring the Emulator Applet to Trust the Host Certificate
You must import the mainframe SSL certificate into Reflection for the Web for the emulator applet to trust the host certificate. To do this, follow these steps:
- Launch the Administrative WebStation and go to Tools > Security Setup > Certificates tab.
- Under Administer Terminal Emulator Applet Trusted Certificate List, select the link for "View or modify certificates trusted by the terminal emulator applet."
- If your host's SSL certificate is a CA-signed certificate, check the Trusted Root Certificate Authorities section to see if the Certificate Authority (CA) that signed your host certificate is listed. If it is not listed, click the Import button and follow the instructions to import the signing CA's certificate (or the host certificate itself, if the host certificate is self-signed).
C. Configuring User Requirements for Express Logon
In order to use express logon, users must already have an account on the host, and users must have registered their client certificate with RACF.
If a user has been using express logon with another client, then this step is already complete.
Express logon can be accomplished with client certificates either in a file or on smart cards:
- Configuring Client Certificate Support
See Technical Note 1766 for information about client certificates and Reflection for the Web. Copy the client certificate, client.pfx, to the clients’ reflectionweb folder. (See the User Preferences information in Technical Note 1845, which lists Reflection for the Web file locations.)
- Enabling Smart Card Support on the Reflection for the Web Management Server:
- Enable smart card support by opening the Administrative WebStation Tools > Security Setup > Security tab.
- Scroll to "Designate smart card libraries."
- Enter the names of any smart card libraries that are installed on client machines with smart card readers. Do not include file extensions (for example, .dll).
Library names are specific to the smart card readers being used. See smart card documentation for information or contact the smart card vendor.
D. Configuring Reflection Sessions to Use Express Logon
Configure a 3270 web-based Reflection session as follows:
- Create and launch a 3270 session:
- In the Administrative WebStation, click Tools > Session Manager.
- In Session Manager, click the Add button.
- In the Add New Reflection Session page, select the Web-based IBM 3270 option, enter a name for the session, and click the Continue button.
- Configure the menu level and other items as needed, and then click the Launch button. The Reflection Session should launch in a separate window so that you can configure it.
- Configure security settings in the Reflection session:
In the Session Setup dialog box, click the Security button.
In the Security dialog box, select the "Use SSL/TLS Security" check box and click OK.
In the Session Setup dialog box:
- Under "Secure Session: Host name or IP address," enter the destination host name or IP address and the destination port. Enter the port that the host telnet server is configured to use for SSL (the SECUREPORT value in the TELNETPARMS block; 23003 in the example above).
- Modify the transport and other options as needed.
- In the drop-down list at the bottom of the Session Setup dialog box, select "Record an express logon macro."
- Click the Connect button.
Now connect to the host using your client certificate or smart card. You may be prompted for a smart card PIN or prompted to select a client certificate. Once the connection succeeds, macro recording will begin.
- Record the logon macro:
- Manually complete a logon with a user name and password that will take you to the same screen that is the target screen for your users. (Note that the user name and password used for recording the macro is not retained; it is just a vehicle for recording the macro.)
- When you have completed the logon process (or navigated to the target screen), click Macro > Stop Recording.
- Enter the following information in the Save Macro dialog box:
- Macro name.
- Description.
- "Wait for host screens" value. For example, you may want to increase the value if the response from the host is slow.
- Express logon application id.
This value must match the application name in the RACF PassTicket data (PTKTDATA class) profile that is configured on the host. This name may be the same as the application name that the user is logging onto, but not always: when creating profiles for applications such as TSO, remember that RACF requires the application ID portion of the profile name to be TSO followed by the SMF system ID (TSO+SID).
- Verify that the values for "Specify row containing the user id" and "Specify row containing the password" are correct. The default values are usually acceptable.
- Save the macro.
- Log off the host, and then save and exit the session.
- In Reflection, open Access Mapper and map the session to users.
- Test the session by launching it as a user. (Macros do not run when launching the session from within the Administrative WebStation.)
Smart card users, note the following:
- There is no prompt for the card; the user must have the card inserted before the terminal session launches. Advise your users to insert their card before they select the session from the Links List. Otherwise, they may receive a "certificate not found" error message.
- You may be prompted to enter your smart card PIN.
- When the session launches, a pop-up may open asking the user to select a certificate from the card if there are multiple certificates on the card. The user must have already registered the appropriate certificate with RACF on the host, and must select that certificate when connecting to the host.
Express logon can also be configured to go through the Reflection for the Web security proxy. This is useful when the mainframe host address is not available externally. Contact Attachmate technical support for more information.
Related Technical Notes
1760 - Connecting to z/OS or OS/390 Mainframe Using SSL and Reflection for the Web
1766 - SSL Client Certificates and Reflection for the Web
1845 - File Locations in Reflection for the Web