
Express Logon



The IBM Express Logon Feature (ELF) allows a Telnet client that supports Secure Sockets Layer (SSL) connections with client authentication and an X.509 certificate to automatically log on to a host without transmitting the user name or password.  The client certificate must be associated with a valid user ID using RACF services.

This feature simplifies user name and password handling for system administrators. Security is improved because the actual credentials are never sent over the network: they cannot be captured from the session, and decrypting the recorded traffic later would not reveal them either, since they were never in it. Note that the protection is only as strong as the client certificate's private key and the RACF certificate-to-user mapping. Whoever holds that private key can log on as the mapped user, so the key must be protected at least as carefully as the password it replaces.

For Express Logon to work, the following conditions must be met:

  • The host must support the Telnet Environment option (RFC 1572) as well as Express Logon

  • The host and client must support the Secure Sockets Layer (SSL) protocol

  • The client must have a Digital Certificate associated with a valid user ID on the mainframe

  • You must create a user logon script and associate it with the session

When Express Logon is used, the host and client first negotiate a normal SSL connection, during which the client presents its certificate. They then negotiate the Telnet Environment option (RFC 1572), and each side indicates that it supports Express Logon. Once the session is up, the user script runs: it first enters the host application ID. The client then sends the IBM ELF application ID and indicates that it wants to start Express Logon. Finally, placeholders for the user ID and password are sent to the host in place of the real values. The host looks up the user ID and password associated with the client certificate presented during the SSL handshake and logs the user on to the application.
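The Telnet Environment option exchange that precedes the script, as an added example (not code from the page, the emulator or IBM): an RFC 1572 NEW-ENVIRON encoder and parser, plus the client side of a SEND/IS round trip. The USERVAR name ELF and the client-side variable set are assumptions chosen for illustration; the escaping rules and the subnegotiation layout are those of RFC 1572.

```python
# RFC 1572 (Telnet Environment option, NEW-ENVIRON) subnegotiation encoder/decoder.
# Added example, not code from the page or from IBM.  The variable name "ELF"
# used below to signal Express Logon support is an assumed placeholder; the real
# USERVAR names come from the host's documentation.

IAC, SB, SE = 255, 250, 240        # Telnet command bytes
NEW_ENVIRON = 39                   # option code (RFC 1572)
IS, SEND, INFO = 0, 1, 2           # subnegotiation commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3


def _escape(data: bytes) -> bytes:
    """Escape bytes that would otherwise be read as structure: VAR/VALUE/ESC/USERVAR
    get an ESC prefix, IAC is doubled (RFC 1572 section 2)."""
    out = bytearray()
    for b in data:
        if b in (VAR, VALUE, ESC, USERVAR):
            out += bytes([ESC, b])
        elif b == IAC:
            out += bytes([IAC, IAC])
        else:
            out.append(b)
    return bytes(out)


def build(subcmd: int, items) -> bytes:
    """IAC SB NEW-ENVIRON <subcmd> [kind name [VALUE value]]... IAC SE.
    items are (kind, name, value); value None means no VALUE part (an undefined
    variable, or a SEND request), b"" means defined but empty."""
    msg = bytearray([IAC, SB, NEW_ENVIRON, subcmd])
    for kind, name, value in items:
        msg.append(kind)
        msg += _escape(name)
        if value is not None:
            msg.append(VALUE)
            msg += _escape(value)
    msg += bytes([IAC, SE])
    return bytes(msg)


def parse(msg: bytes):
    """Inverse of build(): returns (subcmd, [(kind, name, value)]).
    Malformed input is rejected instead of guessed at, which is what a client
    talking to an untrusted host should do."""
    if len(msg) < 6 or msg[:3] != bytes([IAC, SB, NEW_ENVIRON]) or msg[-2:] != bytes([IAC, SE]):
        raise ValueError("not a NEW-ENVIRON subnegotiation")
    payload, fields, kind, buf, i = msg[4:-2], [], None, bytearray(), 0
    while i < len(payload):
        b = payload[i]
        if b == ESC:                                  # next byte is literal
            if i + 1 >= len(payload):
                raise ValueError("dangling ESC")
            buf.append(payload[i + 1])
            i += 2
        elif b == IAC:                                # only IAC IAC is legal here
            if payload[i + 1:i + 2] != bytes([IAC]):
                raise ValueError("unescaped IAC inside subnegotiation")
            buf.append(IAC)
            i += 2
        elif b in (VAR, USERVAR, VALUE):              # start of a new field
            if kind is not None:
                fields.append((kind, bytes(buf)))
            elif buf:
                raise ValueError("data before first VAR/USERVAR")
            kind, buf, i = b, bytearray(), i + 1
        else:
            buf.append(b)
            i += 1
    if kind is not None:
        fields.append((kind, bytes(buf)))
    elif buf:
        raise ValueError("data before first VAR/USERVAR")
    items = []
    for k, data in fields:
        if k == VALUE:                                # attaches to the previous name
            if not items or items[-1][2] is not None:
                raise ValueError("VALUE without a preceding VAR/USERVAR")
            items[-1] = (items[-1][0], items[-1][1], data)
        else:
            items.append((k, data, None))
    return msg[3], items


def client_reply(send_msg: bytes, env: dict) -> bytes:
    """Answer a host SEND with an IS.  env maps name -> (kind, value) for the
    variables this client is willing to disclose.  A requested name we do not
    have is echoed without VALUE (undefined).  An empty SEND asks for everything;
    we still hand out only what is in env, so the host cannot use the
    negotiation to pull arbitrary client-side variables."""
    subcmd, requested = parse(send_msg)
    if subcmd != SEND:
        raise ValueError("expected a SEND")
    if requested:
        items = [(env[n][0], n, env[n][1]) if n in env else (k, n, None)
                 for k, n, _ in requested]
    else:
        items = [(k, n, v) for n, (k, v) in env.items()]
    return build(IS, items)


# Constructed exchange: the host asks whether the client supports ELF (assumed
# USERVAR name "ELF") plus two other variables; the client answers.
CLIENT_ENV = {b"ELF": (USERVAR, b"YES"), b"USER": (VAR, b"alice")}
HOST_SEND = build(SEND, [(USERVAR, b"ELF", None), (VAR, b"USER", None),
                         (USERVAR, b"SECRETTOKEN", None)])
CLIENT_IS = client_reply(HOST_SEND, CLIENT_ENV)

if __name__ == "__main__":
    print(parse(HOST_SEND))
    print(parse(CLIENT_IS))
```

The parser is deliberately strict: a bare IAC or a trailing ESC inside the subnegotiation is an error, not something to recover from, and the client answers only from its own allow-list even when the host sends an empty SEND, which RFC 1572 defines as a request for every variable.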


Here is a sample Express Logon script:

REM
REM - ELF LOGON SCRIPT FOR XYZ SERVER
REM
REM - TO USE THIS SCRIPT, YOU MUST ENABLE SSL CONNECTION AND SELECT
REM - A VALID CLIENT CERTIFICATE RECOGNIZED BY THE HOST
REM

REM - Wait for the initial connection and SSL handshake to finish.  The
REM - text to look for may vary for different applications
LOOKFOR "Application Required."

REM - Enter the host application ID (this may vary for your script)
TYPE TSO
KEY ENTER

REM - Wait for the user id screen (where you would normally enter your user ID)
REM - The text to look for depends on your host application
LOOKFOR "ENTER USERID"

REM - Send the IBM ELF application id (in this case TSOQLT1)
REM - This must be done just before entering the user ID placeholder.
ELF_LOGON TSOQLT1

REM - Enter the user id placeholder
ELF_USER
KEY ENTER

REM - Wait for password screen
LOOKFOR "Password  ===>"

REM - Enter password placeholder
ELF_PASSWORD
KEY ENTER

The ELF_USER and ELF_PASSWORD commands send only placeholders to the host; the host substitutes the real user ID and password associated with the client certificate presented during the SSL handshake. Because the script contains neither the user ID nor the password, it can be stored with the session without exposing credentials, and a script that uses TYPE to enter a real password at a password prompt defeats the purpose of the feature.
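A parser, pre-flight checker and replay harness for scripts of the kind shown above, as an added example (not the emulator's own script engine). It checks the ordering rules the page states (ELF_LOGON immediately before ELF_USER, ELF_USER before ELF_PASSWORD, each placeholder followed by KEY ENTER), replays the sample script against a constructed mock host, and confirms that nothing the client sends contains the real credentials. The placeholder strings, the mock screens and the way ELF_LOGON is recorded are assumptions.

```python
# Parser, checker and replay harness for Express Logon scripts of the kind shown
# above.  Added example, not the emulator's own script engine.  The placeholder
# strings, the mock screens and the way ELF_LOGON is recorded are assumptions.

ELF_USER_PLACEHOLDER = "<ELF-USER>"          # assumed; the real token is emulator-defined
ELF_PASSWORD_PLACEHOLDER = "<ELF-PASSWORD>"

# The page's sample script with its REM lines removed (constructed input).
SAMPLE_SCRIPT = """
LOOKFOR "Application Required."
TYPE TSO
KEY ENTER
LOOKFOR "ENTER USERID"
ELF_LOGON TSOQLT1
ELF_USER
KEY ENTER
LOOKFOR "Password  ===>"
ELF_PASSWORD
KEY ENTER
"""


def parse_script(text: str):
    """Return [(VERB, argument)], dropping blank and REM lines and the quotes
    around LOOKFOR strings."""
    steps = []
    for raw in text.splitlines():
        verb, _, arg = raw.strip().partition(" ")
        if not verb or verb.upper() == "REM":
            continue
        arg = arg.strip()
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]
        steps.append((verb.upper(), arg))
    return steps


def check_script(steps):
    """The ordering rules the page states, as a pre-flight check.  Returns a
    list of problems; an empty list means the script is well-formed."""
    problems, verbs = [], [v for v, _ in steps]
    if "ELF_LOGON" not in verbs:
        problems.append("no ELF_LOGON step")
    for i, (verb, arg) in enumerate(steps):
        if verb == "ELF_LOGON" and not arg:
            problems.append("ELF_LOGON without an application id")
        if verb == "ELF_USER" and (i == 0 or steps[i - 1][0] != "ELF_LOGON"):
            problems.append("ELF_USER must immediately follow ELF_LOGON")
        if verb == "ELF_PASSWORD" and "ELF_USER" not in verbs[:i]:
            problems.append("ELF_PASSWORD before ELF_USER")
        if verb in ("ELF_USER", "ELF_PASSWORD") and steps[i + 1:i + 2] != [("KEY", "ENTER")]:
            problems.append(f"{verb} not followed by KEY ENTER")
    return problems


class MockHost:
    """Constructed stand-in for the host: one screen after another, advancing
    on ENTER, plus a log of everything the client sent."""
    def __init__(self, screens):
        self.screens, self.pos, self.sent = list(screens), 0, []

    def screen(self) -> str:
        return self.screens[self.pos]

    def enter(self, field: str):
        self.sent.append(("ENTER", field))
        self.pos = min(self.pos + 1, len(self.screens) - 1)


def run_script(steps, host: MockHost):
    """Replay the steps against the host; returns the list of messages sent."""
    field = ""
    for verb, arg in steps:
        if verb == "LOOKFOR":
            if arg not in host.screen():
                raise RuntimeError(f"waiting for {arg!r}, screen shows {host.screen()!r}")
        elif verb == "TYPE":
            field += arg
        elif verb == "ELF_LOGON":                 # application id goes out on its own
            host.sent.append(("ELF_LOGON", arg))
        elif verb == "ELF_USER":
            field += ELF_USER_PLACEHOLDER
        elif verb == "ELF_PASSWORD":
            field += ELF_PASSWORD_PLACEHOLDER
        elif verb == "KEY" and arg.upper() == "ENTER":
            host.enter(field)
            field = ""
        else:
            raise ValueError(f"unsupported step: {verb} {arg}")
    return host.sent


def leaked(sent, secrets) -> list:
    """Which of the real credentials appear in anything the client sent."""
    return [s for s in secrets if any(s in text for _, text in sent)]


HOST_SCREENS = ["Application Required.", "ENTER USERID", "Password  ===>", "READY"]

if __name__ == "__main__":
    steps = parse_script(SAMPLE_SCRIPT)
    print(check_script(steps))
    sent = run_script(steps, MockHost(HOST_SCREENS))
    print(sent, leaked(sent, ["alice", "hunter2"]))
```

Running the sample script shows the outbound sequence: the application ID, the ELF application ID, then the two placeholders, with no credential in any of them. Feeding the same harness a script that uses TYPE to enter a password makes leaked() report it, which is the check worth running over every script before it is associated with a session.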
