The IBM Express Logon Feature (ELF) allows a Telnet client that supports Secure Sockets Layer (SSL) connections with client authentication and an X.509 certificate to automatically log on to a host without transmitting the user name or password. The client certificate must be associated with a valid user ID using RACF services.
This feature simplifies user name and password handling for system administrators. Security is increased because the actual user credentials are never sent over the network, so the user name and password cannot be intercepted or decrypted in transit.
For Express Logon to work, the following conditions must be met:
The host must support RFC 1572 as well as Express Logon
The host and client must support the Secure Sockets Layer (SSL) protocol
The client must have a digital certificate associated with a valid user ID on the mainframe
You must create a user logon script and associate it with the session
When Express Logon is used, the host and client first negotiate a normal SSL connection. After the connection is established, they negotiate the Telnet Environment option (based on RFC 1572), during which both indicate that they support Express Logon. The user script then runs: it first enters the host application ID, after which the client sends the IBM ELF application ID and indicates that it wants to start the Express Logon. Finally, placeholders for the user ID and password are sent to the host. The host substitutes the actual user ID and password associated with the previously presented client certificate and logs the user on to the application.
Here is a sample Express Logon script:
REM
REM - ELF LOGON SCRIPT FOR XYZ SERVER
REM
REM - TO USE THIS SCRIPT, YOU MUST ENABLE SSL CONNECTION AND SELECT
REM - A VALID CLIENT CERTIFICATE RECOGNIZED BY THE HOST
REM
REM - Wait for the initial connection and SSL handshake to finish. The
REM - text to look for may vary for different applications
LOOKFOR "Application Required."
REM - Enter the host application ID (this may vary for your script)
TYPE TSO
KEY ENTER
REM - Wait for the user ID screen (where you would normally enter your user ID)
REM - The text to look for depends on your host application
LOOKFOR "ENTER USERID"
REM - Send the IBM ELF application id (in this case TSOQLT1)
REM - This must be done just before entering the user ID placeholder.
ELF_LOGON TSOQLT1
REM - Enter the user ID placeholder
ELF_USER
KEY ENTER
REM - Wait for password screen
LOOKFOR "Password ===>"
REM - Enter password placeholder
ELF_PASSWORD
KEY ENTER
The ELF_USER and ELF_PASSWORD commands send only placeholders to the host; the host substitutes the real user ID and password associated with the previously presented client certificate.
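An added Python model (not IBM's code or the page's) of the flow described above and of the sample script: a minimal interpreter for the script's commands drives a simulated host that resolves the placeholders from its own certificate-to-user table, so the real credentials never appear in what the client sends. The placeholder strings, the "ELF:" request, the host screens and the certificate table are constructed assumptions, not the real ELF wire format.

```python
# Added illustrative model of the Express Logon flow described above; not IBM code.
# Script commands follow the sample script. The placeholder strings, the "ELF:"
# request, the host screens and the certificate-to-user table are all constructed.
USER_PLACEHOLDER, PASS_PLACEHOLDER = "$ELF_USER$", "$ELF_PASSWORD$"
# Constructed stand-in for the RACF association of client certificates with user IDs.
CERT_TO_USER = {"sha256:CONSTRUCTED-FINGERPRINT": ("JSMITH", "real-password")}

class Host:
    """Simulated host: serves screens and swaps the placeholders for the credentials
    associated with the client certificate presented during the SSL handshake."""
    def __init__(self, cert_fingerprint):
        self.cert, self.screen = cert_fingerprint, "Application Required."
        self.field, self.elf_app, self.user, self.logged_on = "", None, None, None
        self.wire = []  # every string received from the client, for inspection

    def receive(self, data):
        self.wire.append(data)
        if data.startswith("ELF:"):   # client announces the ELF application ID
            self.elf_app = data[4:]
        elif data != "\r":            # typed text accumulates in the input field
            self.field += data
        else:                         # ENTER key: process the completed field
            self._enter()

    def _enter(self):
        field, self.field = self.field, ""
        if self.screen == "Application Required." and field == "TSO":
            self.screen = "ENTER USERID"
        elif self.screen == "ENTER USERID" and field == USER_PLACEHOLDER and self.elf_app:
            if self.cert not in CERT_TO_USER:  # no RACF association: ELF must fail
                raise PermissionError("client certificate not associated with a user ID")
            self.user, self.screen = CERT_TO_USER[self.cert][0], "Password ===>"
        elif self.screen == "Password ===>" and field == PASS_PLACEHOLDER and self.user:
            self.logged_on = self.user  # the host supplies the real password itself

def run_script(script, host):
    """Minimal interpreter for the script commands used in the sample above."""
    for line in (ln.strip() for ln in script.splitlines()):
        if not line or line.startswith("REM"):
            continue
        cmd, _, arg = line.partition(" ")
        if cmd == "LOOKFOR" and arg.strip('"') not in host.screen:
            raise TimeoutError(f"{line}: expected text not on screen")
        send = {"TYPE": arg, "KEY": "\r", "ELF_LOGON": "ELF:" + arg,
                "ELF_USER": USER_PLACEHOLDER, "ELF_PASSWORD": PASS_PLACEHOLDER}
        if cmd in send:
            host.receive(send[cmd])
    return host.logged_on  # user ID resolved by the host, never typed by the client

SAMPLE_SCRIPT = ('LOOKFOR "Application Required."\nTYPE TSO\nKEY ENTER\nLOOKFOR "ENTER USERID"\n'
                 'ELF_LOGON TSOQLT1\nELF_USER\nKEY ENTER\nLOOKFOR "Password ===>"\nELF_PASSWORD\nKEY ENTER')
```

Running the sample script against a host whose certificate table lacks the presented fingerprint raises PermissionError at the user ID step, which is the check the first condition above (certificate associated with a valid user ID) relies on.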