Express Logon

Bypass Signon Using Password Substitute (5250)

This option enables the user to bypass iSeries® login screen by sending a SHA1 password substitute.

This option works only when the QPWDLVL system value at the iSeries is either 2 or 3. A change to this system value takes effect at the next IPL. To see the current and pending password level values, use the Display Security Attributes (DSPSECA) command. The QRMTSIGN system value, which specifies how the system handles remote sign-on requests, als needs to be set to *VERIFY.

The credentials are encrypted and saved in the current user's registry hive on the local computer. User will be prompted for a password in case the password stored in the registry is no longer valid. The newly entered password shall be stored in the registry and used for subsequent bypass logins.

Users can update the existing password in the registry or add a new password by using Update registry with bypass login credentials... menu item present in the Actions menu. This option can be used whenever an user changes the password on the host; for example, at the time of password expiry.

If bypass login is enabled, ZIEWin prompts the user for a password in case the password stored in the registry is incorrect. The newly entered password is to be stored in the registry and used for subsequent bypass logins.

Also, there is a new menu option added to Actions menu called Update registry with bypass login credentials..., which allows users to update the existing password in the registry or add a new password corresponding to a particular hostname or IP address.

In case the password stored in the registry is expired and bypass login is enabled and the user logs in, the password change screen displays so that the user can set a new password.

When the user change the password successfully (registry still contains the old or expired password) , log out, disconnect, and try bypass login again, the old or expired password is still taken from the registry and used for the bypass login. Due to the invalidity of the old password from the registry, the login fails for the first time and ZIEWin prompts the user for new password. When the user enter the new password that has been created before reglogin, the correct password is to be stored in the registry and ZIEWin reconnects using the new password.

Kerberos Services Ticket Auto-Signon

For 5250 emulator sessions, the Bypass signon using Kerberos principal option enables Kerberos authentication. A ticket is generated and passed to the iSeries, eServer™ i5, or System i5® host during TN5250 negotiation.

If the ticket is valid, authentication is completed and you will be logged onto the host. If authentication fails, a host login screen will be displayed.

Note: You must log into a Windows domain in order to use Kerberos authentication. Refer to the relevant Microsoft documentation for specific details.

For the Data Transfer utility, you can set the Use Kerberos principal, no prompting option (from Setup -> Signon Options). This function enables Kerberos authentication, using the ticket generated by the Windows user credentials.

Certificate Express Logon

Certificate Express Logon (formerly known as Express Logon Feature or ELF) enables a Z and I Emulator for Windows Telnet 3270 user to securely logon to a host application without sending the User ID and password. One advantage of using this function is that it reduces the time you spend maintaining host user IDs and passwords. It also reduces the number of user IDs and passwords that the users have to remember.

To use Certificate Express Logon, the host session must be configured for SSL and client authentication. This means the client must have a valid client certificate. The SSL connection must be made to one of the supported Telnet 3270 servers.

Using Certificate Express Logon

When starting a session using Certificate Express Logon, Z and I Emulator for Windows establishes an SSL client authentication session with the Telnet 3270 server. During the logon process, a macro with the Certificate Express Logon information is played. Once the session is established, Z and I Emulator for Windows sends the application ID for the application that the user is accessing to the Telnet 3270 server. This information is contained in the logon macro. The Telnet 3270 server uses certificate information from the SSL connection and the application ID received from Z and I Emulator for Windows, and requests the user ID and passticket (a temporary password) from the host access control program (such as RACF®).

Z and I Emulator for Windows uses the macro function to put predefined substitute strings in the user ID and password fields. The Telnet 3270 server substitutes the user ID and passticket in the appropriate place in the 3270 datastream. The logon is completed.

After a Certificate Express Logon macro is recorded, it can be distributed to multiple users for playback without further modification.

Preparing to Configure Certificate Express Logon

Before you configure an Certificate Express Logon macro, you need to have the following information.

Configuring Certificate Express Logon

Recording the Macro

You must record a macro for each host application that you want to access. You cannot log on to multiple applications with one macro. You do not have to configure SSL, and client authentication is not required on the telnet servers and OS/390 or z/OS before recording the logon macro, but you must do this before you can play the macro.

Manual Configuration of a Certificate Express Logon Macro

You can manually configure an existing Macro format file for Certificate Express Logon use. The procedure is as follows:

  1. From the Action Bar, open the macro file containing the recorded keystrokes by selecting Edit -> Preferences -> Macro/Script.
  2. Select the macro file you just recorded and then select Customize.
  3. Replace the UserID recorded in the macro with two tags: the Certificate Express Logon Application ID and the UserID placeholder. The Application ID tag consists of three words, each separated by a blank character: elf, applid, and the identifier of the host application that will be logged onto. The UserID placeholder is )USR.ID(.

    For example, replace "myUserID with ")USR.ID(.

  4. Replace the Password recorded in the macro with the Certificate Express Logon Password placeholder tag )PSS.WD(.

    For example, replace "myPassword with ")PSS.WD(.

Limitations of the Logon Macro

Problem Determination

If the client logon fails and displays the messages )USR.ID( NOT IN CP DIRECTORY, INVALID USERID, )USR.ID(, PASSWORD NOT AUTHORIZED or any similar messages, check the Telnet 3270 server log for details.

Possible reasons for failures are: