660 IBM WebSphere Host Publisher Version 3.5
The RACF PassTicket is a one-time-only password that is generated by a
requesting product or function. It is an alternative to the RACF password that
removes the need to send RACF passwords across the network in clear text.
It makes it possible to move the authentication of a mainframe application user ID
from RACF to another authorized function executing on the host system or to the
workstation local area network (LAN) environment.
The RACF PassTicket only gives one user access to a specific application for
approximately ten minutes, so it is resistant to reuse. For most applications, once
a particular PassTicket is used, the same user cannot use it for the same
application during the same ten-minute interval.
You must register all Web browser client certificates with RACF. This associates
the certificates, which are passed by Host Publisher Server to the DCAS server,
with the IDs of users attempting to log on.
For more information on RACF commands, refer to OS/390 SecureWay Security
Server RACF Security Administrator's Guide and OS/390 SecureWay Security
Server RACF Command Language Reference.
RACF sign-on PassTicket
RACF provides an alternative to the normal RACF password, which stays the same
for a specified period (usually several weeks) until the user is prompted to
enter a new one. The RACF PassTicket is a password that is generated dynamically,
on request from a product or function, and is used only once. Using PassTickets
eliminates the need to repeatedly send RACF passwords across the network as clear
text in the 3270 data stream.
Of course, the 8-byte alphanumeric string of a PassTicket will not be encrypted
on a normal 3270 session data stream unless a secure connection to the Telnet
3270 server is provided. But anybody who has recorded a PassTicket (by whatever
means) and tries to use it will have only limited success, because a PassTicket
expires within ten minutes. Express Logon enforces encryption only on the
PassTicket request part of the data flows. The LU-LU session may use normal
SNA encryption, but this is not required.
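The validity rules described above (a ticket bound to one user ID and one application name, a lifetime of about ten minutes, and no reuse by the same user for the same application inside that window) can be modelled as the checks an evaluator must perform. The example below is added here and is not from the Redbook or from RACF: its HMAC-based generator is a constructed stand-in, not the RACF PassTicket algorithm, and the per-application key and generation time it takes are assumptions standing in for RACF's own secret and time-stamp inputs.

```python
import hmac
import hashlib
from datetime import datetime, timedelta

WINDOW_MINUTES = 10  # the approximately ten-minute lifetime described in the text

def _minute(t: datetime) -> int:
    """Ticket time granularity: whole minutes since the epoch (a modelling choice)."""
    return int(t.timestamp()) // 60

def generate(app_key: bytes, userid: str, appl: str, when: datetime) -> str:
    """Toy stand-in for PassTicket generation (NOT the RACF algorithm): an
    8-character alphanumeric token bound to user ID, application name and
    generation minute under a per-application secret (assumed input)."""
    msg = f"{userid.upper()}|{appl.upper()}|{_minute(when)}".encode()
    return hmac.new(app_key, msg, hashlib.sha256).hexdigest()[:8].upper()

class Validator:
    """Accepts a ticket only if it is bound to this user and application, was
    generated within the window, and has not already been used by that user
    for that application (the reuse rule the text describes)."""
    def __init__(self, app_key: bytes):
        self.app_key = app_key
        self._used = {}  # (USERID, APPL, ticket) -> minute of first use

    def validate(self, userid: str, appl: str, ticket: str, now: datetime) -> str:
        if len(ticket) != 8 or not (ticket.isascii() and ticket.isalnum()):
            return "malformed"
        # Binding and freshness: recompute the token for every minute in the
        # window; a ticket from the future (clock skew) or older than the window
        # matches none of them. compare_digest keeps the comparison constant-time.
        bound = any(
            hmac.compare_digest(ticket, generate(self.app_key, userid, appl,
                                                 now - timedelta(minutes=m)))
            for m in range(WINDOW_MINUTES + 1))
        if not bound:
            return "rejected"   # wrong user, wrong application, wrong key, or expired
        key = (userid.upper(), appl.upper(), ticket)
        if key in self._used:
            return "replayed"   # same user, same application, same ticket
        self._used[key] = _minute(now)
        self._purge(now)
        return "accepted"

    def _purge(self, now: datetime) -> None:
        """Drop replay records older than the window; such tickets can no longer
        pass the freshness check anyway, so the cache stays bounded."""
        cutoff = _minute(now) - WINDOW_MINUTES
        self._used = {k: t for k, t in self._used.items() if t >= cutoff}
```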
The algorithm used to generate a PassTicket requires as input:
- The RACF user ID that identifies the user on the system where the target application runs.
- The application name, as defined for the target application.