Beginning with BlueZone version 5.1, the BlueZone Mainframe Display emulator supports the IBM Express Logon feature, also known as Certificate Express Logon. BlueZone Express Logon lets you configure BlueZone Mainframe Display sessions that connect to an IBM Mainframe and log on automatically without the user typing a user ID and password. When the feature is enabled, the Telnet (TN3270) server on the Mainframe takes the client certificate presented on the SSL/TLS connection, together with the application ID supplied by BlueZone, and asks the host access control program RACF for the user ID associated with that certificate and a PassTicket (a one-time, time-limited password) for that application.
To use this feature, an administrator must configure the host (the TN3270 profile and RACF, including the PassTicket setup for the target application), install certificates on user computers where necessary, configure the BlueZone connection settings, and record and edit a BlueZone connection script (.bzs).
In TelnetParms, add the three lines marked below (EXPRESSLOGON, CLIENTAUTH SAFCERT, CONNTYPE ANY) to the existing secure-port definition:
TelnetParms
; DEBUG TRACE JOBLOG
SECUREPORT 993
KEYRING SAF your RACF keyring name
ENCRYPTION DEFAULT ENDENCRYPTION
; Add the following three lines:
EXPRESSLOGON
CLIENTAUTH SAFCERT
CONNTYPE ANY
SSLTIMEOUT 120
NOSEQUENTIALLU
EndTelnetParms
CLIENTAUTH SAFCERT requires every connecting client to present a certificate that is registered in RACF; the RACDCERT commands below create such certificates.
NOTE: This is documented in the following IBM publications:
Register the CA certificate in RACF, add the Telnet server certificate under the user ID the TN3270 server runs as (TN3270 in this example), create the server keyring, and connect both certificates to it, the CA with USAGE(CERTAUTH) and the server certificate as the DEFAULT certificate:
RACDCERT CERTAUTH ADD('your CA dataset name') TRUST -
   WITHLABEL('your CA label')
RACDCERT ID(TN3270) ADD('your dataset name') TRUST -
   WITHLABEL('your label') PASSWORD('password')
RACDCERT ID(TN3270) ADDRING('your RACF keyring name')
RACDCERT ID(TN3270) CONNECT(CERTAUTH LABEL('your CA label') -
   RING('your RACF keyring name') USAGE(CERTAUTH))
RACDCERT ID(TN3270) CONNECT(ID(TN3270) LABEL('your label') -
   RING('your RACF keyring name') DEFAULT USAGE(PERSONAL))
Generate a client certificate for each user, signed by the CA and owned by that user's RACF user ID (RACF user IDs are not quoted). Owning the certificate is what maps it to the user ID that the Telnet server later obtains from RACF for Express Logon:
RACDCERT ID(userid) -
GENCERT -
SUBJECTSDN(CN('Name of User') -
O('Name of Organization') -
C('US')) -
WITHLABEL('BlueZone Client for Username') -
SIGNWITH(CERTAUTH LABEL('your CA label'))
Export the certificate together with its private key as a password-protected PKCS#12 dataset. The password given here is the one the user enters when importing the file on the client:
RACDCERT EXPORT(LABEL('BlueZone Client for Username')) -
ID(userid) -
DSN('your dataset name') -
PASSWORD('client password') -
FORMAT(PKCS12DER)
This dataset is then transferred to the user's machine (FTP in binary mode, or IND$FILE) and imported into the user's Personal certificate store. Because the PKCS#12 file contains the user's private key, send it over a protected channel, give the export password to the user separately, and delete the dataset and the transferred file once the import has succeeded.
On the client computer, start Internet Explorer.
On the Tools menu, click Internet Options.
In the Internet Options dialog box, click the Content tab.
In the Certificates section, click Certificates.
In the Certificates dialog box, click Import.
In the Certificate Import Wizard, do the following:
On the Welcome to the Certificate Import Wizard page, click Next.
On the File to Import page, click Browse, and navigate to the location containing the saved certificates.
In the File type listbox, select "Personal Information Exchange (*.pfx, *.p12)". This will display all files with .pfx and .p12 extensions.
Select the certificate (.pfx or .p12) file that you saved previously, click Open, and then click Next.
On the Password page, type the password in the Password box, and then click Next.
On the Certificate Store page, click Place all certificates in the following store. In the Certificate store box, specify Personal, and then click Next.
On the Completing the Certificate Import Wizard page, click Finish.
In the message box that appears, click OK.
In the Certificates dialog box, click Close.
Click OK to close the Internet Options dialog box.
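The wizard steps above can also be scripted for deployment. The following is an added example written for this page, not code from the BlueZone or IBM documentation. It assumes the PKCS#12 file was transferred in binary mode to C:\certs\bluezone-client.p12 (an assumed path) and uses the Windows PKI module cmdlet Import-PfxCertificate (Windows 8 / Server 2012 and later). It imports the file into the same Personal store the wizard targets and then checks what BlueZone will need: that the private key arrived with the certificate, that the certificate has not expired, whether the chain builds to a CA trusted on this client, and the common name to enter on the Certificate tab when selecting the certificate from the store.

```powershell
# Added example: import the RACDCERT-exported PKCS#12 file into the current
# user's Personal store and verify it before pointing BlueZone at it.
# $PfxPath is an assumed location; the password is the RACDCERT EXPORT password.
param(
    [string]$PfxPath = 'C:\certs\bluezone-client.p12',   # assumed path
    [string]$Store   = 'Cert:\CurrentUser\My'            # the "Personal" store
)

$password = Read-Host -Prompt 'PKCS#12 export password' -AsSecureString

# Without -Exportable the private key is imported non-exportable, so it cannot
# be pulled back out of the store later.
$imported = Import-PfxCertificate -FilePath $PfxPath `
                                  -CertStoreLocation $Store `
                                  -Password $password

# A RACF PKCS#12 export may carry CA certificates as well; keep the one with the key.
$cert = $imported | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $cert) {
    throw "No certificate with a private key was imported; re-export with FORMAT(PKCS12DER)."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter); generate a new one with RACDCERT GENCERT."
}

# Build the chain so you know whether the RACF CA is trusted on this client.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # RACF-issued certificates usually carry no CRL distribution point
$chainOk = $chain.Build($cert)
if (-not $chainOk) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Warning "Chain does not build to a trusted root on this client: $status"
}

# The common name (CN) is what BlueZone's Certificate tab asks for when the
# certificate is selected from the certificate store rather than from a file.
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
[pscustomobject]@{
    Thumbprint = $cert.Thumbprint
    CommonName = $cert.GetNameInfo($nameType, $false)
    Issuer     = $cert.Issuer
    NotAfter   = $cert.NotAfter
    PrivateKey = $cert.HasPrivateKey
    ChainOK    = $chainOk
}
```

Run the script as the user who will use BlueZone, since Cert:\CurrentUser\My is per user. A chain warning does not stop the import; it tells you that the RACF CA certificate has not been trusted on this client, which matters if the Telnet server certificate is issued by the same CA.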
Launch an existing BlueZone Mainframe Display session that connects to the desired host.
From the BlueZone MenuBar, select Session::Configure.
Click the Configure button.
Click the Security tab. Choose the desired Security type from the drop down list.
Click the Certificate tab. The certificate can be either in a disk file or in the system certificate store. If the client certificate was generated on the Mainframe, transfer it to your machine via FTP or IND$FILE.
Select the certificate by filename (disk) or by common name (certificate store), then fill in the remaining fields that your certificate selection requires.
Certificates generated by the Mainframe are usually in PKCS12 format, which does not require a private key file, since the certificate and private key reside together in one file. A PKCS12 file can be put into the certificate store using Internet Explorer. Refer to How to Import the Certificate above.
Click OK twice. Remember to save your changes.
You can start the script while the session is either disconnected or connected, so the script may or may not begin with a Connect event.
From the BlueZone MenuBar, click Script::Record, and enter a name for the script and click the Save button.
NOTE: BlueZone Express Logon is only supported with BlueZone Script files (.bzs).
Record the steps necessary to connect to your host (if not already) and logon to the desired application.
Select Script::Stop to end the script recording.
Select Script::Edit and select the script you just recorded. The BlueZone Script Editor will launch and your script will be displayed.
In the script, find the Script Event where you typed your user ID (Type "MYUSERID"), double-click it to open the edit box, replace the user ID with ")USR.ID(" and click OK.
Next, find the Script Event where you typed your password (Type "RpvPassword"), double-click it and replace the password with ")PSS.WD(". The recorder captured the real password as plain text, so make this replacement before the script is saved or distributed; once the placeholders are in place, BlueZone substitutes the user ID and PassTicket obtained from the host at run time.
Directly before the Type ")USR.ID(" command, insert an Express Logon Script Event carrying the host Application ID of the application you wish to use. Obtain this Application ID from the system administrator who configured the host for Express Logon; it must match the application RACF generates PassTickets for.
To do this, select the Script Event before (Type ")USR.ID(") with your mouse pointer. In the Script Events box, locate the Express_Logon event and double-click it; in the edit box that appears, enter the Application ID.
Click OK. This places the (Express_Logon "Application ID") Script Event immediately before the (Type ")USR.ID(") Script Event.
Save the script and exit the Script Editor.
Related Topics:
BlueZone Script Editor - Overview