Web Express Logon Reference

About this book

Description of book

This book is written for administrators who are interested in understanding, planning for, implementing, and troubleshooting Web Express Logon. It provides step-by-step instructions for configuring Host On-Demand for Web Express Logon. For details about configuring other applications such as your network security application, refer to the Web Express Logon for Host On-Demand white paper, located at ftp://ftp.software.ibm.com/software/network/hostondemand/library/whitepapers/wel2.pdf.

This book contains the following parts:

• Overview of Web Express Logon
• Planning
• Implementing macro-based automation
• Implementing connection-based automation
• API programming guide
• Troubleshooting error messages
• Appendices
  • Recording the Web Express Logon macro
  • Web Express Logon using the Configuration server-based model
  • Password encryption tool
  • Glossary of terms
  • Sources for more information
  • Notices
  • Trademarks

Conventions used in this book

The following typographic conventions are used in Host On-Demand Web Express Logon Reference:

	This graphic is used to highlight notes to the reader.
	This graphic is used to highlight tips for the reader.
	This graphic refers to information that is specific to Certificate-based Web Express Logon.

Overview of Web Express Logon

Introduction

In the age of e-business on demand, finding ways to simplify the user experience while maintaining company security can be a real challenge. For example, many companies would like to decrease the number of IDs and passwords that their users have to manage, but they also realize that allowing users to access company resources without proper identification risks company security.

Several products exist in the marketplace that claim to solve the multiple logon issue and maintain security at the same time. However, these products generally apply to Web-based applications only and do not address logon processes for legacy hosts and host-based applications. In other words, in host-based applications that do not use HTML or XML, automating the logon process requires being able to intercept the telnet data stream. Because of its unique position to work with individual screens and the ability to substitute fields in the data stream, Host On-Demand is an ideal candidate to address multiple logon issues in companies where users access host systems via browser-based terminal emulation.

Web Express Logon works in conjunction with your company's network security application to maintain company security while allowing users to log on to host systems without having to re-enter their user IDs and passwords. It has several benefits, including the following:

• Ease of use: Users can log on to their network security application and access host applications without having to re-enter their IDs and passwords.
• Reduced password-related support calls: Users are less likely to call the company support line because of forgotten or misplaced passwords.
• Increased productivity: Users can log on only once in an environment that has multiple methodologies for defining user IDs, passwords, and authentications.

What is the difference between Web Express Logon, Certificate Express Logon and Reuse Active Credentials?

Host On-Demand offers three types of Express Logon:

• Web Express Logon
• Certificate Express Logon
• Reuse Active Credentials

Web Express Logon has been available since Host On-Demand Version 8, Certificate Express Logon, formerly known as Express Logon Feature (ELF), has been available since Host On-Demand Version 5. Although the name has changed, Certificate Express Logon functions the same as ELF did in earlier versions and requires the same configuration. Reuse Active Credentials is a feature available in Host On-Demand Version 10.0.

Reuse Active Credentials provides automated authentication on all emulation platforms. It is not as comprehensive as Web Express Logon but does not require any special network configuration. If a new connection is made to a host and a user has already authenticated to that host somehow, those credentials are applied to the new connection. The credentials are maintained for as long as Host On-Demand is running in the JVM. The credentials are only stored in Java memory and once the JVM closes they will have to be re-entered when Host On-Demand is restarted.

Although all three types of Express Logon allow users to log on to a host system without having to enter a user ID and password, they have different requirements for session type, client certificates, and SSL configuration. Certificate Express Logon works exclusively with 3270 session types and requires client-side certificates and an SSL connection to a TN3270 server. Web Express Logon and Reuse Active Credentials offer a wide variety of styles that function with all Host On-Demand session types (not just 3270 emulation). Certificate Express Logon requires a macro to log on to the host application and then distribute that macro to the clients. Web Express Logon and Reuse Active Credentials may or may not require a macro, depending on your environment.

Using client certificates with Web Express Logon

DCAS and z/OS environments that use client certificates for user authentication are no longer limited to Certificate Express Logon. Starting with Host On-Demand V9, Web Express Logon offers a type of logon automation that uses client-side certificates known as Certificate-based Web Express Logon. Although both Certificate Express Logon and Certificate-based Web Express Logon work exclusively with 3270 host sessions and require a DCAS server, the client certificates in the two models are used differently and the automation process requires different components. With Certificate Express Logon, client certificates are used to authenticate users to an Express Logon-enabled TN3270 server, and the Host On-Demand client and a TN3270 server are configured to automate the login process. With Certificate-based Web Express Logon, however, client certificates are used to authenticate users to a secure Web server, and a Host Credential Mapper plug-in and a macro are used to automate the login process.

Certificate-based Web Express Logon is a more flexible solution than Certificate Express Logon because it provides more implementation options. For more information about Certificate-based Web Express Logon, refer to Configuring macro-based automation in a z/OS and DCAS environment.

Can I migrate from Certificate Express Logon to Certificate-based Web Express Logon?

Host On-Demand V9 offers a new DCASELF plug-in that allows users of Certificate Express Logon to migrate to the more scalable certificate-based Web Express Logon architecture. This plug-in allows you to move SSL client authentication from the TN3270 server to a secure Web server. For specific details about how to migrate from Certificate Express Logon to certificate-based Web Express Logon, refer to the Web Express Logon white paper, located at

ftp://ftp.software.ibm.com/software/network/
hostondemand/library/whitepapers/wel2.pdf

.

How does Web Express Logon work?

The overall goal of Web Express Logon is to provide an automated way for users to log on to hosts and host-based applications without having to provide an additional ID and password. In order to accommodate the wide range of supported computing environments, Web Express Logon offers two styles of logon automation:

• macro-based automation
• connection-based automation

The style of logon automation that best suits your needs depends on your environment, including your host type, session type, and your current method for authenticating users. If the host does not allow the client to supply the needed credentials at the time the connection is established, for example, if the client must authenticate to the host after the host connection is established, macro-based automation is the appropriate style. In this model, the host must send a login screen to authenticate the client. The macro automates the login screen, populates the screen's credential fields with the appropriate user information, and then transmits this information to the host for authentication. However, if your host allows the client to supply the needed host credentials at the time the host connection is established, for example, using Kerberos authentication or FTP login, connection-based automation is the appropriate style.

The following sections provide more details about macro- and connection-based automation, including high-level overviews of some example environments supported by Web Express Logon. These examples are discussed in more detail throughout the remainder of this document.

Macro-based automation

As the name implies, macro-based automation requires a macro to automate the login process. The macro is responsible for obtaining the user's host credentials and passing that information to the host for authentication. The host credentials are based on one of the following user identity types:

• local system ID: the user's local operating system ID. Web Express Logon currently supports Microsoft Active Directory (Windows Domain). Host On-Demand will use native code to obtain a user's local Windows domain ID when User Identity Type is set to "Local System ID" in the Express Logon session properties panel. To use this option, the "WindowsDomain" HTML parameter must be set to contain the name of the Windows Domain(s) to which the end users belong. Multiple domains must be separated by commas.
• network ID: the user's network security application ID or client certificate. Web Express Logon currently supports IBM Tivoli Access Manager and Netegrity Siteminder.
• Portal ID: the user's Portal Server ID. Web Express Logon currently supports Portal Server, a component of IBM WebSphere Portal.

User identity type is a configurable option in session properties.

If you plan for Host On-Demand to acquire the user's credentials from a different application than the ones supported by Web Express Logon, you will need to create your own plug-in. For more information, refer to Customizing Web Express Logon.

Macro-based automation relies on the following four key components and the interactions that take place among them. Not all environments that use macro-based automation use all four components:

• login macro
• Credential Mapper Servlet (CMS)
• Network Security plug-in
• Host Credential Mapper (HCM) database

The login macro automates the end-to-end process of the client sending the HTTPS request to the CMS, the CMS responding with the needed credentials, and the macro inserting the user's credentials in the proper fields to allow authenticated logon. You must record the login macro while you are in an active session. It initiates at the time the user attempts to access the host session, either automatically or manually (depending on your configuration).

The CMS is supplied with Host On-Demand and must be deployed to a J2EE-compliant HTTP server. At a high level, the CMS is responsible for determining the client's identity and returning the host credentials to the client as an XML document.

The CMS is not required if using the Portal Credential Vault as your HCM database. This is because the Host On-Demand portlet is designed to allow the Web Express Logon macro to acquire the user's credentials directly from Portal Server.

Host On-Demand provides two Network Security plug-ins, one for each of the two supported network security applications -- IBM Tivoli Access Manager and Netegrity Siteminder. The primary function of the Network Security plug-in is to acquire the user's network ID, which may be gleaned from the HTTP header of the incoming HTTP request object.

The Network Security plug-in does not apply to Microsoft Active Directory (Windows Domain), Portal Server, or Certificate-based Web Express Logon. For Microsoft Active Directory, the Windows login ID is used to identify the user. For Portal Server, the Portal ID is used to identify the user. For Certificate-based Web Express Logon, the client certificate is used to identify the user.

The HCM database is a back-end repository that maps users' network IDs to their host credentials. This repository can be one of the following:

• a JDBC database such as one created with IBM WebSphere DB2
• Portal Server Credential Vault

The Digital Certificate Access Server (DCAS) and Vault plug-ins provided with Web Express Logon and Host On-Demand portlets are designed to work with these repositories. Another possibility for a repository is an LDAP directory. However, using LDAP as your HCM database requires you to write your own plug-in. For more information, refer to Customizing Web Express Logon.

The following examples show you how the key components discussed above interact together, beginning at the point the user attempts to open a Host On-Demand session and initiate the login macro. If the macro is not configured to auto-start, the user will need to start it manually.

Supported environments

The following three Web Express Logon-supported environments use macro-based automation:

• z/OS and DCAS host authentication
• z/OS with vault-style credential mapping
• Authentication via Portal Server's Credential Vault Service

z/OS and DCAS host authentication

In a z/OS and DCAS environment, Web Express Logon supports two different models--one in which users are identified via client certificates (called Certificate-based Web Express Logon) and one in which users are identified via a network security application. Since both of these models have their own requirements for user identification, the Web Express Logon configuration steps are different for each model. In a certificate-based environment, you must configure your HTTP server as well as the browser and Java 2 keystore on each Host On-Demand client. In a non-certificate-based environment, you must configure your network security application and create your HCM database. Both models require you to configure the Digital Certificate Access Server (DCAS).

Figure 1 and Figure 2 along with the accompanying steps illustrate how Certificate-based and non-Certificate-based Web Express Logon work in a z/OS and DCAS environment:

Figure 1. Certificate-based Web Express Logon in a z/OS and DCAS environment

1. The user clicks a link to launch the Host On-Demand desktop, which sends an HTTP request to the Web server.
2. The server requests a client certificate to perform client authentication. The client certificate must be stored in the browser's keyring.
3. The user sends the client certificate to the server.
4. The Web server returns the HTTPS request, and the Host On-Demand desktop displays.
5. The user launches a host session.
6. The login macro executes.
7. The macro sends an HTTPS request to the CMS to obtain the host credentials.
8. The CMS passes the application ID to the DCASELF HCM plug-in.
9. The DCASELF HCM retrieves the user's certificate from the Web application server.
10. The host (RACF) identifies the client, checks the client's authorization, and returns the passticket to the DCASELF HCM plug-in.
11. The DCASELF HCM plug-in returns the host ID and passticket to the CMS.
12. The CMS returns the host credentials to the client as an XML document.

Figure 2. Non-certificate-based Web Express Logon in a z/OS and DCAS environment

1. The user clicks a link to launch the Host On-Demand desktop, which sends an HTTPS request through the network security application to the HTTP server.
2. The Web server returns the HTTPS request, and the Host On-Demand desktop displays.
3. The user launches a host session.
4. The login macro executes.
5. The macro sends an HTTPS request to the CMS to obtain the host credentials.
6. The CMS retrieves the user's network ID from the Network Security plug-in.
7. The CMS passes the network ID and application ID to the DCAS HCM plug-in.
8. Using the network ID and application ID, the DCAS HCM plug-in calls upon a database, such as IBM DB2, to map the user's host ID.
9. The DCAS HCM plug-in passes the user's host ID and application ID to Digital Certificate Access Server (DCAS) and requests a passticket.
10. The host (RACF) identifies the client, checks the client's authorization, and returns the passticket to the DCAS HCM plug-in.
11. The DCAS HCM plug-in returns the host ID and passticket to the CMS.
12. The CMS returns the host credentials to the client as an XML document.

The login macro automatically inserts the user's credentials in the logon screen fields without user intervention. Now the user is fully authenticated and can proceed with the session.

For more information, refer to Configuring macro-based automation in a z/OS and DCAS environment.

z/OS with vault-style credential mapping

In this model, users are authenticated in a vault-style environment. Figure 3 illustrates this environment:

Figure 3. Web Express Logon in a vault-style environment

1. The user clicks a link to launch the Host On-Demand desktop, which sends an HTTPS request through the network security application to the Web server.
2. The Web server returns the HTTPS request and the Host On-Demand desktop displays.
3. The user launches a host session.
4. The login macro executes.
5. The macro sends an HTTPS request to the CMS to obtain the host credentials.
6. The CMS retrieves the user's network ID from the Network Security plug-in.
7. The CMS passes the network ID and application ID to the Vault HCM plug-in.
8. Using the network ID and application ID, the Vault HCM plug-in calls upon a database, such as IBM DB2, to map the user's host ID and password.
9. The Vault HCM plug-in passes the user's host ID and password to the CMS.
10. The CMS returns the host credentials to the client as an XML document.

Authentication via Portal Server's Credential Vault Service

In this model, users are authenticated via Portal Server, a component of IBM WebSphere Portal. Figure 4 illustrates this environment:

Figure 4. Web Express Logon in a Portal Server environment

1. The user logs on to IBM WebSphere Portal and chooses a portal page that includes the Host On-Demand portlet.
2. The Host On-Demand portlet initiates the Credential Vault Service.
3. The Credential Vault Service retrieves all the credentials that are accessible to the Portal user.
4. The Host On-Demand portlet sends the credentials to the client workstation and displays the Host On-Demand applet.
5. The user launches a host session.
6. The login macro executes.
7. The login macro retrieves the credentials from the data received from the Host On-Demand portlet and performs the logon operation.

Macro-based automation has been successfully tested with the following applications:

• IBM Tivoli Access Manager for e-business Versions 4.1 and 5.1
• Microsoft Active Directory
• Netegrity Siteminder Version 5.5
• IBM WebSphere Portal Server Version 5.02
• WebSphere Application Server Version 5.02, Version 5.02 Enterprise, and 5.0.2.5
• IBM DB2 Universal Database Version 7
• z/OS V1R4 with APAR PQ74457

The macro-based automation version of Web Express Logon can function with other applications that are not listed here.

Connection-based automation

Unlike macro-based automation, connection-based automation does not require a macro because the client and the host are able to connect without having to provide the user with a login screen.

Supported environments

The following two Web Express Logon-supported environments use connection-based automation:

• IBM i5/OS or OS/400 host with Kerberos passticket authentication
• FTP login

IBM i5/OS or OS/400 host with Kerberos passticket authentication

Currently, Web Express Logon supports i5/OS and OS/400 (V5R2 and later) telnet-negotiated environments that have Kerberos authentication enabled. It does not require the CMS, a login macro, a Network Security plug-in, nor the HCM database. Instead, it extends the existing single sign-on capability of the i5/OS and OS/400 operating systems.

In order for connection-based automation to function in this environment, you must have the following prerequisites in place:

• Windows Domain Controller (Microsoft Active Directory)
• key distribution center (KDC)
• Kerberos network authentication enabled on each target i5/OS or OS/400 system
• i5/OS or OS/400 V5R2 (5722-SS1) or later as the host operating system
• one or more of the following client operating systems:
  • Windows 2000 Professional and Server
  • Windows XP Professional
  • Windows Server 2003

You must configure your i5/OS or OS/400 environment to use single sign-on capability in order to implement connection-based logon automation. The i5/OS or OS/400 environment provides single sign-on capability through a combination of network authentication service and an IBM technology called Enterprise Identity Mapping (EIM). Host On-Demand uses this existing methodology for acquiring credentials to allow users to bypass the 5250 session login screen. Both network authentication service and EIM technology are available with the i5/OS and OS/400 (V5R2 and later) operating systems.

Figure 5 illustrates the overall process of connection-based automation in an i5/OS or OS/400 environment with Kerberos authentication enabled:

Figure 5. Web Express Logon in an i5/OS or OS/400 and Kerberos environment

1. A user logs on to the Windows domain. The Windows domain gives users access to the network.
2. The user requests a Host On-Demand session from the Host On-Demand server.
3. The Host On-Demand session initializes and requests a Kerberos ticket from the KDC.
4. The user attempts to create a connection with the identified session using the Kerberos ticket as the credential.
5. The i5/OS or OS/400 host validates the ticket with the KDC.
6. The user is successfully logged in

FTP login

Web Express Logon provides an automated way for users to log on to FTP hosts by providing a central repository for storing and retrieving user's credentials. Although this process is similar to configuring Web Express Logon in a vault-style environment , this type of automation is different because the user's credentials are retrieved from the CMS at the time the connection is established. In other words, it does not require a macro. Currently, Host On-Demand allows you to store a user's ID and password statically in the FTP configuration; however, Web Express Logon extends this approach by automating the user credential retrieval process.

Figure 6 illustrates the overall process of connection-based automation in an FTP login environment:

Figure 6. Web Express Logon in an FTP login environment

1. The user clicks a link to launch the Host On-Demand desktop, which sends an HTTPS request through the network security application to the Web server.
2. The Web server returns the HTTPS request, and the Host On-Demand desktop displays.
3. The user attempts to launch an FTP session.
4. The FTP session sends an HTTPS request to the CMS to obtain the FTP credentials.
5. The CMS retrieves the user's network ID from the Network Security plug-in.
6. The CMS passes the network ID to the Vault HCM plug-in.
7. Using the network ID, the Vault HCM plug-in calls upon a database, such as IBM DB2, to map the user's host ID and request the user's password.
8. The Vault HCM plug-in returns the FTP user ID and password to the CMS.
9. The CMS returns the FTP credentials to the client as an XML document.
10. The FTP login completes and displays the FTP server's file listings.

Planning

Planning for implementation

Having a clear understanding of your environment and how you plan to implement Web Express Logon in your environment will save you valuable time in the implementation phase. Be sure that you take time to develop your strategy and gather the necessary resources and skills. A firm plan is key to a successful implementation.

We recommend that you begin planning by taking the following steps:

Step 1: Choose your style of logon automation.

As described in the introduction, Host On-Demand offers two styles of logon automation:

• macro-based automation
• connection-based automation

The style of logon automation that best suits your environment depends on your host and session type. If your host allows the client to supply the needed host credentials at the time the connection is established (for example, during the telnet negotiation via a Kerberos passticket), connection-based automation is the appropriate style to use. However, if the client does not receive the needed credentials at time the connection is established, the host must send a login screen to authenticate the client. Since automating this login screen requires a macro, macro-based automation is the appropriate style. The macro populates the screen's credential fields with the appropriate user information and then transmits this information to the host for authentication.

Step 2: Identify areas of credential challenges.

Credential challenges are the times at which users are prompted to provide IDs and passwords. The first step is to evaluate your existing network infrastructure and identify which credential challenges exist for your users. Approach this step by simulating a typical day and identifying all the points at which users are prompted to provide credentials. For example, in a corporate environment, users may have to provide credentials when attempting to access any of the following resources:

• operating system
• corporate home page
• Web-based applications
• host-based applications

Step 3: Take an inventory of your environment.

At this point, you should know which style of logon automation is appropriate for your environment and what components are necessary to implement Web Express Logon. Before you can successfully plan your deployment strategy and estimate the scope of implementation, take a moment to take an inventory of your environment and answer the following questions according to your style of logon automation:

Macro-based automation

• What is your host type?
• What application do users go through to access the network? Tivoli Access Manager? Netegrity Siteminder? Microsoft Active Directory (Windows Domain)? Portal Server?
• Are you planning to customize your own Network Security plug-in? If so, do you have someone on hand who has some J2EE knowledge and experience working with J2EE-compliant servlets?
• What Web application server are you using? IBM WebSphere Application Server? BEA WebLogic? Apache Tomcat?
• For non-Portal environments, do you have a J2EE-compliant Web application server to deploy the Credential Mapper Servlet (CMS) to your Web server?
• What will you use as your Host Credential Mapper (HCM) database? IBM DB2? Portal Server Credential Vault? LDAP?
• Do you plan to use DCAS on a z/OS platform?
• Are you using client certificates for security?

Connection-based automation

• What level of i5/OS or OS/400 are you running on your IBM eServer i5, iSeries, or AS/400 host or hosts? You must be running i5/OS V5R3 or OS/400 V5R2 or later in order to use Web Express Logon.
• Are your Host On-Demand clients authenticated using Windows Domain?
• What are you using as your Key Distribution Center (KDC)?
• Are your clients running one or more of the following operating systems?
  • Windows 2000 Professional, Server, or Advanced Server
  • Windows XP Professional
  • Windows 2003 Server
  If not, you will need to upgrade, since other versions of Windows do not support Kerberos authentication.

Step 4: Develop your deployment strategy.

Now that you have evaluated your need for a Web Express Logon solution, chosen the style of logon automation that best works in your environment, and taken an inventory of your company's environment and resources, you can begin developing your deployment strategy. Consider issues such as how many/which users will be affected by this implementation, which skills are required for a successful implementation, and how many people you will need to participate in the setup process.

Step 5: Establish an HCM database.

This step does not apply to Certificate-based Web Express Logon or i5/OS or OS/400 environments that support Kerberos authentication. An HCM database is required for all other environments discussed in this document.

This document does not provide details about how to establish an HCM database. For these details, refer to the Web Express Logon white paper, located at ftp://ftp.software.ibm.com/software/ network/hostondemand/library/whitepapers/wel2.pdf .

An HCM is a back-end repository that associates users' network IDs to their host IDs. The CMS queries this repository during the logon process. Web Express Logon supports the following two types of HCM databases:

• a JDBC database such as one created using IBM DB2
• the Portal Server Credential Vault

Another possibility for a repository is an LDAP directory. However, using LDAP as your HCM database requires you to write your own plug-in. For more information, refer to Customizing Web Express Logon.

Implementing macro-based automation

The way in which you implement macro-based automation depends on your environment. In this section, we focus on the following three environments:

• z/OS and DCAS (with or without client certificates)
• vault-style
• Portal Server

This document does not provide details for configuring other applications to work with Host On-Demand Web Express Logon. For more information regarding configuring other applications, refer to the Web Express Logon for Host On-Demand white paper, located at ftp://ftp.software.ibm.com/software/ network/hostondemand/library/whitepapers/wel2.pdf .

Configuring macro-based automation in a z/OS and DCAS environment

The DCAS is a TCP/IP server application that runs on OS/390 V2R10 and later (z/OS included). It interfaces with a Security Access Facility (SAF)-compliant server product to assist with express logon services such as Certificate-based Web Express Logon. In this example, this SAF-compliant server product is IBM Resource Access Control Facility (RACF).

Web Express Logon supports two different models for z/OS and DCAS environments--one in which users are identified via a network security application and one in which users are identified via client certificates (called Certificate-based Web Express Logon). The configuration steps defined in this chapter cover both models with certain information that is specific to Certificate-based Web highlighted with the following icon:

Refers to information that is specific to Certificate-based Web Express Logon.

The following steps show you how to edit and deploy the CMS provided with Host On-Demand, create an SSL key database so that Host On-Demand can communicate with the DCAS, and use the Deployment Wizard to create your HTML file, configure your 3270 host session, and record your login macro. In a certificate-based environment, you must also configure your HTTP server as well as the browser and Java 2 keystore on each Host On-Demand client. In a non-certificate-based environment, you must configure your network security application and create your HCM database. Both models require you to configure the Digital Certificate Access Server (DCAS).

For more information about configuring Host On-Demand clients for HTTPS and client authentication, refer to the Planning, Installing, and Configuring Host On-Demand guide located in the Host On-Demand Information Center at Start > Programs > IBM WebSphere Host On-Demand > Information Center or on the Web at http://publib.boulder.ibm.com/infocenter/hod9help.

Steps 5-8 are designed for administrators who are planning to use the Deployment Wizard to create the HTML file, configure the host session to use Web Express Logon, and record the Web Express Logon macro all in one sitting. However, you may decide to create your HTML file first and then configure your session and create your macro later.

Step 1: Configure the Credential Mapper Servlet (CMS).

We recommend using a J2EE-compliant Web application server such as IBM WebSphere Application Server to configure and deploy the Credential Mapper Servlet (CMS). The CMS is supplied with Host On-Demand and must be deployed to a J2EE-compliant Web application server. At a high level, the CMS is responsible for determining the client's identity and returning the host credentials to the client as an XML document.

A. Locate the WAR files on the Host On-Demand Version 9 CD

The three WAR files are located in the cdimage\apps\wel subdirectory. Choose the one that matches your network security application:

• IBM Tivoli Access Manager: amcms.war
• Netegrity Siteminder: smcms.war
• Microsoft Active Directory (Windows Domain): wincms.war

If you have a different network security application, you will need to customize your own version of the CMS. For more information about how to do this, refer to Customizing Web Express Logon.

In addition to several other files, the WAR file contains the following files:

• web.xml: the servlet configuration file that you will edit in a later step
• DCAS.xml: for non-Certificate-based Web Express Logon, a sample file to help you better understand DCAS parameters and their values
• DCASELF.xml: for Certificate-based Web Express Logon, a sample file to help you better understand DCAS parameters and their values
• was.policy: for IBM WebSphere Application Server users only, this file contains the required permissions for the CMS when Java 2 security is enabled (refer to Troubleshooting Web Express Logon for more information)

B. Become familiar with the INIT parameters in the web.xml file.

In this step, you will become familiar with the three default INIT parameters in the web.xml file.

• Host Credential Mapper (HCM) plug-in: The name of the parameter is CMPICredentialMappers, and the parameter value is a compound value that contains the list of all available HCM plug-ins, for example, CMPIDCASPlugin CMPIVaultPlugin, and CMPIDCASELFPlugin. Currently, the value is echo, but you will eventually replace this with the name of your HCM plug-in.

  Code example:

  <init-param>
     <param-name>CMPICredentialMappers</param-name>          
     <param-value>echo</param-value>  
  </init-param>
  

• Network Security plug-in: The name of the parameter is CMPINetworkSecurity, and the parameter value is the full path name of the class that handles the CMS interface into the network security application. This example is taken from the amcms.war file, which is for Tivoli Access Manager:

  Code example:

  <init-param>
       <param-name>CMPINetworkSecurity</param-name>
       <param-value>com.ibm.eNetwork.security.sso.cms.CMNPIAccessManager
  			</param-value>      
  </init-param>
  

  The Network Security plug-in does not apply to Microsoft Active Directory (Windows Domain), Portal Server, or Certificate-based Web Express Logon. For Microsoft Active Directory, the Windows login ID is used to identify the user. For Portal Server, the Portal ID is used to identify the user. For Certificate-based Web Express Logon, the client certificate is used to identify the user.

• echo plug-in: The name of this INIT parameter (echo) is the same as the value for the HCM plug-in. In a future step, you will replace echo with the name of your HCM plug-in.

  Host On-Demand provides this optional echo plug-in in case you want to confirm that you are able to deploy the CMS correctly before you begin editing the web.xml file. For example, after you deploy your CMS to a Web server, you can test it by entering the following syntax in a workstation's browser address bar: https://web_application_server_name/context_root/CredMapper, where web_application_server_name is the name of the Web application server, context_root is the name of the context root that you specify when deploying the CMS, and CredMapper is the name of the CMS itself.

  Some Web application server products allow you to deploy the servlet first and then edit the XML file. Other products, such as WebSphere Application Server V5, work best when you deploy the servlet after you edit the XML code. Refer to your product's documentation for details.

  Code example:

  <init-param>
     <param-name>echo</param-name>
     <param-value>com.ibm.eNetwork.security.sso.cms.CMPINetEcho,AuthType_All,*
  		</param-value>
  </init-param>
  

C. Edit the CMS-related parameters.

In this step, you will edit two of the three INIT parameters in the web.xml file. INIT parameters adapt the servlet to your environment. You will not edit the CMPINetworkSecurity parameter name or value.

1. Locate the CMPICredentialMappers parameter and change the name of its current value (echo) to the name of the DCAS HCM plug-in--CMPIDCASPlugin:

   <init-param>
     <param-name>CMPICredentialMappers</param-name> 
     <param-value>CMPIDCASPlugin</param-value> 
   </init-param>

2. Locate the echo parameter and change the name of its current value (echo) to the name of the parameter value that you specified for the HCM plug-in--CMPIDCASPlugin.

   Now, replace the parameter value with a compound value that contains the full class path name of the implementing class, the authentication type to be used by the DCAS HCM plug-in, and the host mask. Separate these values with commas. In this example, com.ibm.eNetwork.security.sso.cms.CMPIDCAS is the full class path name, AuthType_3270Host is the authentication type, and * is the host mask.

   Full class path name

   The CMS uses the value of the full class path name to create a class object of the specified type. That object is then used to handle CMS or HCM plug-in requests. The specified class file must be in the ...\WEB-INF\classes subdirectory in a loose file (not as a JAR file). From this location, the CMS will be able to access and use it whenever the need arises.

   Authentication type

   This value is used to identify the type of authentication that the requestor needs. Once you specify the desired authentication type, the CMS can better identify which credential mapper to select to handle the request. You can pair multiple authentication types together to give HCM plug-ins the freedom to support multiple authentication types. Use the vertical bar character to join multiple authentication types.

   The five identified authentication types are listed in the Table 2:

   Authentication used in Secure Shell (SSH) on VT emulation or sftp sessions are not supported by the HCM plug-in.

   Table 2. Authentication types and descriptions

   Authentication type	Description
   AuthType_3270Host	Identifies the credentials to be used with a 3270 emulation
   AuthType_5250Host	Identifies the credentials to be used with 5250 emulation
   AuthType_VTHost	Identifies the credentials to be used with VT emulation
   AuthType_FTPPassword	Credentials used to access an FTP host
   AuthType_ConfigServer	Credentials identified by the token used to identify the user to the Host On-Demand configuration server (if you are using the Configuration server-based model
   AuthType_All	Identifies the credentials to be used for all authentication types

   Host mask

   The host mask is a secondary selection criteria used by the CMS to identify the most appropriate credential mapper. This value can contain one or more host addresses. Use the vertical bar character to join multiple addresses. Use the asterisks character to wildcard a host address. The wildcard character may start, end, or start and end a host address.

   Table 3 lists valid wild-carded addresses:

   Table 3. Host masks and values matched

   Host mask	Value matched
   *.raleigh.ibm.com	Matches all addresses that end with .raleigh.ibm.com
   ralvm*	Matches all addresses that start with ralvm
   *	Matches all
   *xyz*	Matches any host address that contains xyz

   Code example:

   <init-param>
     <param-name>CMPIDCASPlugin</param-name> 
     <param-value>com.ibm.eNetwork.security.sso.cms.CMPIDCAS, 
   		AuthType_3270Host, *</param-value> 
     </init-param>

D. Add optional CMS-related debugging parameters.

Add the following two optional debugging parameters to help you troubleshoot:

CMPI_TRACE_LOG_FILE

This parameter specifies the name of the log file. The value should be the full path to the log file, for example C:\Program Files\IBM\HostOnDemand\HODWEL.log on a Windows platform.

Code example:

<init-param> 
   <param-name>CMPI_TRACE_LOG_FILE</param-name> 
   <param-value>C:\Program Files\IBM\HostOnDemand\HOD\HODWEL.log
		</param-value> 
</init-param>

CMPI_CMS_TRACE_LEVEL

This parameter specifies the trace level for the CMS. The trace messages are logged to the log file specified by CMPI_TRACE_LOG_FILE parameter. Depending on your Web application server, they may or may not be logged to the console. Trace level values include the following:

• 0 = None: No tracing. This is the default.
• 1 = Minimum: Trace APIs and parameters, return values, and errors.
• 2 = Normal: Trace Minimum plus internal APIs and parameters and informational messages.
• 3 = Maximum: Trace Normal plus Java exceptions.

Code example:

<init-param> 
   <param-name>CMPI_CMS_TRACE_LEVEL</param-name> 
   <param-value>3</param-value> 
</init-param>

E. Add the required DCAS client parameters for the CMPIDCASPlugin.

Add the required DCAS client parameters to allow the HCM database to map the user ID to the host ID and get a passticket from the DCAS application running on the host. A passticket is a credential that is similar to a password, however a passticket expires after a certain amount of time and is used only one time. DCAS requires a Security Access Facility (SAF)-compliant server product, such as an IBM Resource Access Control Facility (RACF) security server, that supports passticket generation.

Starting with Host On-Demand V9.03, the CMPI_DCAS_KEYRING_FILE and CMPI_DCAS_KEYRING_PASSWORD are deprecated and should not be used. Instead, CMPI_DCAS_TRUSTSTORE, CMPI_DCAS_TRUSTSTORE_PASSWORD, and CMPI_DCAS_TRUSTSTORE_TYPE should be used. However, CMPI_DCAS_KEYRING_FILE and CMPI_DCAS_KEYRING_PASSWORD will continue to work in lieu of CMPI_DCAS_TRUSTSTORE and CMPI_DCAS_TRUSTSTORE_PASSWORD, and the type pkcs12 will be assumed when these deprecated parameters are used.

To use the DCAS HCM plug-in, you must configure the DCAS. For information about configuring the DCAS, refer to documentation for z/OS V1R4.0 Communications Server at http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/Shelves/F1A1BK33, specifically the z/OS V1R4.0 Communications Server IP Configuration Reference (publication number SC31-8776-03) and the z/OS V1R4.0 Communications Server IP Configuration Guide (publication number SC31-8775-02). Also refer to the z/OS V1R4 APAR PQ74457 for information about how to configure the DCAS to function with Web Express Logon.

For non-Certificate-based Web Express Logon, use DCAS.xml located in the WAR file as a reference for adding parameters when editing the web.xml file. For Certificate-based Web Express Logon, use DCASELF.xml as a reference.

1. Add the following HCM database parameters to allow the client to connect to the DCAS securely:

   CMPI_DCAS_KEYRING_FILE

   This parameter references an SSL keyring database file that provides access to the DCAS client certificate as well as the DCAS server's certificate. The certificates establish a client-authenticated, secure connection with the DCAS server. The DCAS plug-in serves as the DCAS client. You will create a keyring database file called HODDCAS.p12 in Step 3: Create the SSL key database..

   Code example:

   <init-param> 
       <param-name>CMPI_DCAS_KEYRING_FILE</param-name> 
       <param-value>C:\Program Files\IBM\HostOnDemand\HOD\HODDCAS.p12
   		</param-value>
   </init-param>

   CMPI_DCAS_KEYRING_PASSWORD

   This parameter specifies the password for the keyring database.

   This parameter should be encrypted using the password encryption tool. It is decrypted by the HCM before using it. For more information about the password encryption tool, refer to Appendix C. Password encryption tool.

   Code example:

   <init-param>
   	  <param-name>CMPI_DCAS_KEYRING_PASSWORD</param-name>
   	  <param-value>45ie8WciVu</param-value> 
   </init-param>

   CMPI_DCAS_TRUSTSTORE

   This parameter is required unless CMPI_DCAS_USE_DEFAULT_TRUSTSTORE or CMPI_DCAS_USE_WELLKNOWN_KEYS is true. This parameter contains the name of the truststore to be used by JSSE to lookup the DCAS certificates.

   CMPI_DCAS_TRUSTSTORE_TYPE

   This parameter is required unless CMPI_DCAS_USE_DEFAULT_TRUSTSTORE or CMPI_DCAS_USE_WELLKNOWN_KEYS is true. This parameter contains the type of the truststore specified by CMPI_DCAS_TRUSTSTORE. Valid values are pkcs12, jceks, and jks.

   CMPI_DCAS_TRUSTSTORE_PASSWORD

   This parameter is required unless CMPI_DCAS_USE_DEFAULT_TRUSTSTORE or CMPI_DCAS_USE_WELLKNOWN_KEYS is true. This parameter contains the password of the truststore specified by CMPI_DCAS_TRUSTSTORE.

2. The following parameters contain all the relevant information needed to connect to your HCM database, which in this example is a JDBC database table. You can either configure access to an existing database or point to a newly created database. The level of security for the database varies according to database vendor. Refer to the database application's documentation for details.

   The following parameters are not used for Certificate-based Web Express Logon: CMPI_DCAS_DB_ADDRESS CMPI_DCAS_DB_NET_DRIVER CMPI_DCAS_DB_USERID CMPI_DCAS_DB_TABLE CMPI_DCAS_DB_PASSWORD

   CMPI_DCAS_DB_ADDRESS

   This is a URL string that provides the address of the database. An example of this string is jdbc:db2://dtagw:6789/HODSSO.

   Code example:

   <init-param> 
      <param-name>CMPI_DCAS_DB_ADDRESS</param-name>
   	 <param-value>jdbc:db2://dtagw.raleigh.ibm.com:6789/HODSSO
   		</param-value> 
   </init-param>

   CMPI_DCAS_DB_NET_DRIVER

   This string contains the name of the class that acts as the network database driver. An example of this string is COM.ibm.db2.jdbc.net.DB2Driver. The location of this class is assumed to be in the existing class path.

   Code example:

   <init-param> 
      <param-name>CMPI_DCAS_DB_NET_DRIVER</param-name> 
      <param-value>COM.ibm.db2.jdbc.net.DB2Driver</param-value> 
   </init-param>

   CMPI_DCAS_DB_USERID

   This is the ID of the user account to use when accessing the database.

   Code example:

   <init-param> 
      <param-name>CMPI_DCAS_DB_USERID</param-name> 
      <param-value>admin</param-value> 
   </init-param>

   CMPI_DCAS_DB_PASSWORD

   This is the password of the user account to use when accessing the database.

   This parameter should be encrypted using the encrypt password tool. It is decrypted by the HCM plug-in before using it. For more information about the password encryption tool, refer to Appendix C. Password encryption tool.

   Code example:

   <init-param> 
      <param-name>CMPI_DCAS_DB_PASSWORD</param-name> 
      <param-value>tuBu9v8lHiJi1jt08UgHzA==</param-value> 
   </init-param> 

   CMPI_DCAS_DB_TABLE

   This entry identifies the table to use for the needed query.

   Code example:

   <init-param> 
      <param-name>CMPI_DCAS_DB_TABLE</param-name> 
      <param-value>HACP</param-value> 
   </init-param>

3. The following parameters should correspond directly to the column headings in your HCM database and should clearly indicate the contents of the columns. With some databases, such as IBM DB2, the column headings must be in all upper-case letters, for example, NETWORKID, HOSTADDRESS, APPLICATIONID, and HOSTID.

   Based on the information provided by the first three of these parameters (network ID, host address, and the host application ID), you can make a SQL query of the database to get the host ID. The result of the query is entered in the host ID (HOSTID) column. Assuming that the query is successful, a call is made to the DCAS to request the passticket.

   The following parameters are not used for Certificate-based Web Express Logon: CMPI_DCAS_DB_NETID_COL_NAME CMPI_DCAS_DB_HOSTADDR_COL_NAME CMPI_DCAS_DB_HOSTAPP_COL_NAME CMPI_DCAS_DB_HOSTID_COL_NAME

   CMPI_DCAS_DB_NETID_COL_NAME

   This entry identifies the name of the column that contains the network ID value (NETWORKID).

   Code example:

   <init-param> 
      <param-name>CMPI_DCAS_DB_NETID_COL_NAME</param-name> 
      <param-value>NETWORKID</param-value> 
   </init-param>

   CMPI_DCAS_DB_HOSTADDR_COL_NAME

   This entry identifies the name of the column that contains the host address value (HOSTADDRESS).

   Code example:

   <init-param> 
      <param-name>CMPI_DCAS_DB_HOSTADDR_COL_NAME</param-name> 
      <param-value>HOSTADDRESS</param-value> 
   </init-param>

   CMPI_DCAS_DB_HOSTAPP_COL_NAME

   This entry identifies the name of the column that contains the host application value (APPLICATIONID).

   Code example:

   <init-param> 
      <param-name>CMPI_DCAS_DB_HOSTAPP_COL_NAME</param-name> 
      <param-value>APPLICATIONID</param-value> 
   </init-param>

   CMPI_DCAS_DB_HOSTID_COL_NAME

   This entry identifies the name of the column that contains the user's host identification value (HOSTID).

   Code example:

   <init-param> 
      <param-name>CMPI_DCAS_DB_HOSTID_COL_NAME</param-name> 
      <param-value>HOSTID</param-value> 
   </init-param>

   CMPI_DCAS_USE_NETID_AS_HOSTID

   This entry when set to True identifies the network ID as the RACF ID without performing any mapping.

   Code example:

   <init-param> 
      <param-name>CMPI_DCAS_USE_NETID_AS_HOSTID</param-name> 
      <param-value>False</param-value> 
   </init-param>
   

F. Add the optional DCAS client parameters (if desired).

Unlike the previous set of DCAS parameters, the following parameters are optional. Which of these parameters you add to the web.ml file depends on your environment and your objectives as an administrator:

CMPI_DCAS_TRACE_LEVEL

This parameter specifies the trace level for the DCAS plug-in. The trace messages are logged to the log file specified by CMPI_TRACE_LOG_FILE parameter. Depending on your Web application server, they may or may not be logged to the console. Trace level values include the following:

• 0 = None: No tracing. This is the default.
• 1 = Minimum: Trace APIs and parameters, return values, and errors.
• 2 = Normal: Trace Minimum plus internal APIs and parameters and informational messages.
• 3 = Maximum: Trace Normal plus Java exceptions.

Code example:

<init-param> 
   <param-name>CMPI_DCAS_TRACE_LEVEL</param-name> 
   <param-value>3</param-value> 
</init-param>

CMPI_DCAS_HOST_PORT

The DCAS host address is determined based on the destination host specified in the request. The default port address of 8990 is used, but you may override it using this parameter.

Code example:

<init-param> 
   <param-name>CMPI_DCAS_HOST_PORT</param-name> 
   <param-value>8990</param-value> 
</init-param>

CMPI_DCAS_USE_WELLKNOWN_KEYS

Prior to Host On-Demand 9.03, the parameter CMPI_DCAS_USE_WELLKNOWN_KEYS defaulted to true and indicated that the WellKnownTrustedCAs.p12 file should be used along with the CMPI_DCAS_KEYRING_FILE to look up the DCAS server certificate. Starting with Host On-Demand 9.03, this parameter defaults to false, and when it is true, it indicates that WellKnownTrustedCAs.p12 is the ONLY truststore that JSSE will use to look up the DCAS client and server certificates.

Code example:

<init-param> 
   <param-name>CMPI_DCAS_USE_WELLKNOWN_KEYS</param-name> 
   <param-value>true</param-value> 
</init-param>

CMPI_DCAS_WELLKNOWN_PASSWORD

If you choose to replace the provided WellKnownTrustedCAs.p12 with your own, you will need to specify the password here. Place your WellKnownTrustedCAs.p12 file in the same directory where the provided version was located.

This password should be encrypted using the encrypt password tool. For more information about the password encryption tool, refer to Appendix C. Password encryption tool.

Code example:

<init-param> 
   <param-name>CMPI_DCAS_WELLKNOWN_PASSWORD</param-name> 
   <param-value>tuBu9v8lHiJi1jt08UgHzA==</param-value> 
</init-param>

CMPI_DCAS_VERIFY_SERVER_NAME

This parameter indicates if the server host name in the certificate must be verified in addition to the certificate validation. The default is false.

Code example:

<init-param> 
   <param-name>CMPI_DCAS_VERIFY_SERVER_NAME</param-name> 
   <param-value>false</param-value> 
</init-param>

CMPI_DCAS_REQUEST_TIMEOUT

This parameter specifies the passticket request timeout in milliseconds. It should be less than the Host On-Demand macro time-out value. The default is 50000.

Code example:

<init-param> 
   <param-name>CMPI_DCAS_REQUEST_TIMEOUT</param-name> 
   <param-value>50000</param-value> 
</init-param>

The CMPI_DCAS_DB_PRESERVE_WHITESPACE and CMPI_DCAS_DB_CASE_SENSITIVE parameters are not used for Certificate-based Web Express Logon.

CMPI_DCAS_DB_PRESERVE_WHITESPACE

This parameter indicates whether to trim white spaces from the credential request parameters or not. If true, the white spaces are not trimmed. The default is false.

Code example:

<init-param> 
   <param-name>CMPI_DCAS_DB_PRESERVE_WHITESPACE</param-name> 
   <param-value>false</param-value> 
</init-param>

CMPI_DCAS_DB_CASE_SENSITIVE

This parameter specifies whether or not the DCAS plug-in converts the application ID and network ID of the user to lowercase characters and then uses the lcase() method to make SQL queries to the HCM database. This parameter should be set to true when using SQL applications that do not support the lcase() method.

Code example:

<init-param> 
   <param-name>CMPI_DCAS_DB_CASE_SENSITIVE</param-name> 
   <param-value>false</param-value> 
</init-param>

CMPI_DCAS_USE_DEFAULT_TRUSTSTORE

This parameter indicates that JSSE should use the default truststore to lookup the DCAS certificates. This parameter is overridden by the CMPI_DCAS_USE_WELLKNOWN_KEYS parameter when CMPI_DCAS_USE_WELLKNOWN_KEYS is set to true. The default is false.

CMPI_DCAS_NO_FIPS

This parameter indicates that the FIPS security provider should not be used. The default security provider will be used instead. The default is false.

Step 2: Save the WAR file and deploy the CMS.

Once you save the WAR file with your edits, you are ready to deploy the servlet to the Web server. Refer to your Web server application's documentation for details of how to deploy the servlet.

Step 3: Create the SSL key database.

In order to communicate with a DCAS server, an SSL connection must be established using client authentication. This requires you to create a key database file, for example, HODDCAS.p12. To create the file, use the Host On-Demand Certificate Management GUI on Windows and AIX platforms, or use a P12 keyring tool for other platforms. This key database file must contain the DCAS client's personal certificate and the DCAS server's certificate (public key) information. Also, the DCAS client certificate must be added/imported to the DCAS server's keyring for SSL client authentication.

For more information about creating this key database file, refer to the Planning, Installing, and Configuring Host On-Demand guide, which is located in the Host On-Demand Information Center at Start > Programs > IBM WebSphere Host On-Demand > Information Center or on the Web at http://publib.boulder.ibm.com/infocenter/hod9help.

To create a keyring database called HODDCAS.p12 file that will be specified in the CMPI_DCAS_KEYRING_FILE parameter in your web.xml file, take the following steps on a Windows machine:

1. Click Start > Programs > IBM WebSphere Host On-Demand > Administration > Certificate Management.
2. Click Key Database File > New. For the Key database type, select PKCS12. For File Name, type HODDCAS.p12. For Location, type C:\Program Files\IBM\HostOnDemand.

   You may choose a different name and location, if you prefer.

3. Click OK.
4. Type the password and make a note of it.
5. Click OK.
6. Add the DCAS's certificate to the key database. Be sure that the key database content is for the signer certificate. If it is not, select the pull-down menu and change it. Then select Add.
7. Select Binary DER data for the data type. If the server certificate is in ASCII format, select Base64-encoded ASCII data.
8. Type the file name in the For Certificate File Name field.
9. Type the path name in the Location field.
10. Click OK.
11. Enter a label for the certificate and click OK.
12. Add the DCAS client's certificate to the key database.
13. Change the Key database content to Personal Certificates and click Export/Import.
14. Select Import Key as the Action Type.
15. Select PKCS12 for the Key file type.
16. Type the client certificate's p12 file name in the File Name field and the path name in the Location field.
17. Click OK and enter the client certificate PIN.
18. Click OK.
19. Exit the Certificate Management GUI.

Step 4: Add the Web server's certificate to the Java keyring (Java 2 clients only).

This step only applies to Certificate-based Web Express Logon. If you are not using client certificates to authenticate users to a secure Web server, skip to the next step.

For Java 2 clients, if the Web Server's certificate is self-signed or has not been issued by a trusted Certificate Authority (CA), you must add the Web server's certificate to the Java keyring in order to for clients to make secure HTTPS connections to the Web server. This is not required for Java 1 clients.

To add the certificate to the keyring for Java 2 clients, take the following steps:

1. Open a Windows command prompt and input the following command. Note that the syntax of the command remains the same, regardless of the location of the library, which may vary depending on the vendor and version of the JRE:

   C:\Program Files\IBM\Java14\jre\bin>keytool -import -alias "HOD HTTP Server" 
   -file httphodnotnet.der -keystore ..\lib\security\cacerts -storepass changeit

2. If you input your command successfully, the output should look similar to the following:

   Owner: CN=hodnotnet.raleigh.ibm.com, OU=Test, O=HACP, L=Chapel Hill, ST=NC, POST 
   ALCODE=27514, C=US 
   Issuer: CN=hodnotnet.raleigh.ibm.com, OU=Test, O=HACP, L=Chapel Hill, ST=NC, POS 
   TALCODE=27514, C=US 
   Serial number: 40a27eaf Valid from: Tue May 11 15:44:47 EDT 2004 
   		until: Thu May 12 15:44:47 EDT 2005 
   Certificate fingerprints:          
   	MD5:  97:A9:31:88:4E:DC:77:08:C2:1D:1E:22:79:E8:4C:E8          
   	SHA1: 16:26:88:91:67:4D:71:FD:2A:D4:9B:47:0C:96:07:C3:8D:3F:CC:37 
   Trust this certificate? [no]:  yes 
   Certificate was added to keystore

3. Certificate-based Web Express Logon also requires a client certificate. This client certificate must be available to both the Web browser (usually stored in the browser keystore) as well as to Java 2. To make the certificate available, take these steps:
   1. Start the Java Control Panel for the JRE.
   2. On the Java Control Panel, go to the 'Advanced' tab and enter the following line for 'Java Runtime Parameters':

      -Djavax.net.ssl.keyStore=<C:\path\cert_name.pfx> -Djavax.net.ssl.keyStorePassword=
      <certficate password> -Djavax.net.ssl.keyStoreType=pkcs12

Step 5: Begin creating your HTML file.

The Host On-Demand Deployment Wizard allows you to create an HTML file that is used to launch Host On-Demand sessions. Within the Deployment Wizard, you can add, delete, configure, and start sessions. It guides you configuration choices and provides comprehensive help for the features. When you have finished selecting features, it creates the HTML and supporting files for you.

To begin creating your HTML file on a Windows machine, take the following steps:

1. Open the Deployment Wizard:
   • If you automatically installed the Deployment Wizard as part of the Windows Host On-Demand server, click Start > Programs > IBM WebSphere Host On-Demand > Administration > Deployment Wizard.
   • If you installed the Deployment Wizard from the Host On-Demand CD separately, click Start > Programs > IBM WebSphere Host On-Demand Deployment Wizard > Deployment Wizard.
2. On the Welcome to the Deployment Wizard window (Figure 7), select either to create a new HTML file or edit an existing file. Click Next.
   Figure 7. Welcome to the Host On-Demand Deployment Wizard window

   
3. If you are creating a new HTML file, select one of the following three configuration models on the Configuration Model window (Figure 8) and click Next:
   • HTML-based model
   • Configuration server-based model
   • Combined model

   If you are using the HTML-based or Combined models, you can create your HTML file as normal. However, if you are using the Configuration server-based model, you must configure the HTML file with additional steps. Refer to Appendix B. Web Express Logon using the Configuration server-based model for more information.

   Figure 8. Configuration Model window

   
4. On the Host Sessions window, click New/Import to open the Add session window (Figure 9). This window allows you to either create a new session (default) or import an existing session. To create a new session, select a host type, enter a session name, and a destination address. Click OK to return to the Host Sessions window.
   Figure 9. Add session window

   

Step 6: Configure the Host On-Demand session to use Web Express Logon.

Take the following steps to configure your Host On-Demand session to use Web Express Logon.

1. Using the Host Sessions window, highlight your session and select Properties under the Configure drop-down menu. On the left side of the window, select Express Logon under Connection.

   You may also open session properties by right-clicking a session icon and selecting Properties.

2. On the Express Logon window (see Figure 10), select Web Express Logon as the Express Logon type.
   Figure 10. 3270 Express Logon

   
3. Select the User Identity Type:
   • Local System ID: the user's local operating system ID. Web Express Logon currently supports Microsoft Active Directory (Windows Domain).
   • Network ID: the user's network security application ID. Web Express Logon currently supports IBM Tivoli Access Manager and Netegrity Siteminder.
   • Portal ID: the user's Portal Server ID. Web Express Logon currently supports Portal Server, a component of IBM WebSphere Portal.
4. Type the full URL of the credential mapper server, for example, https://server_name/junction/cm/CredMapper, where
   • server_name is the name of the authentication server
   • junction is the name of the junction (optional)
   • cm is the credential mapper servlet space
   • CredMapper is the servlet name
   Be sure that the servlet name matches the name in your XML file. For example, if you specify the servlet name in your host session as CredMapper, the code in your XML should look like the following:

   <servlet>
         <servlet-name>CredMapper</servlet-name>
         <display-name>CredMapper</display-name>    
   <servlet-class>com.ibm.eNetwork.security.sso.cms.CredMapper</servlet-class>

   The servlet that resides at this URL processes the HTTPS request from the user, performs a lookup, and returns the user's credentials. The Host On-Demand client uses the obtained credentials to automate the login process.
5. Click OK.

Step 7: Record the Web Express Logon macro.

To record a macro, you must first start a host session. To start a session from within the Deployment Wizard, highlight your session on the Host Sessions window (Figure 11) and click Actions > Start.

Figure 11. Host Sessions window

For details about how to record the Web Express Logon macro, refer to Appendix A. Recording the Web Express Logon macro.

Step 8: Finish creating your HTML file.

Now that you have configured your Host On-Demand session to use Web Express Logon and have recorded your login macro, you are ready to finish creating your HTML file using the Deployment Wizard. To finish creating the file, take the following steps:

1. On the Host Sessions window, click Next to open the Additional Options window (Figure 12). Make any changes that you desire and click Next.
   Figure 12. Additional Options window

   
2. On the File Name and Output Format window (Figure 13), enter the page title, the file name, choose the directory where you want to save your file, and check the Output HTML box. You should save your file to the Host On-Demand server in a directory known to your Web server; usually, this directory is your Host On-Demand server's publish directory. Click Create File(s) to finish creating your HTML file.
   Figure 13. File Name and Output Format window

   

Congratulations! You have taken all the necessary steps to implement Web Express Logon in a z/OS and DCAS environment. Your next step is to test the logon automation. If logon automation is not successful, that is, you are still being prompted with the host logon screen, refer to Troubleshooting Web Express Logon.

Configuring macro-based automation in a vault-style environment

In order to implement macro-based automation in a vault-style environment, you must configure your network security application and create your HCM database. For details about these steps, refer to the Web Express Logon for Host On-Demand white paper, located at

ftp://ftp.software.ibm.com/software/
network/hostondemand/library/whitepapers/wel2.pdf

.

The following steps show you how to edit and deploy the CMS provided with Host On-Demand and use the Deployment Wizard to create your HTML file, configure your 3270 host session, and record your login macro.

Steps 3-6 are designed for administrators who are planning to use the Deployment Wizard to create the HTML file, configure the host session to use Web Express Logon, and record the Web Express Logon macro all in one sitting. However, you may decide to create your HTML file first and then configure your session and create your macro later.

Step 1: Configure the Credential Mapper Servlet (CMS).

We recommend using a J2EE-compliant Web application server such as IBM WebSphere Application Server to configure and deploy the Credential Mapper Servlet (CMS). The CMS is supplied with Host On-Demand and must be deployed to a J2EE-compliant Web application server. At a high level, the CMS is responsible for the following tasks: (1) determine the client's identity by means of the local system ID, network ID, or Portal ID, (2) map the user's ID to the host ID, and (3) return the host credentials to the client as an XML document.

A. Locate the WAR files on the Host On-Demand Version 9 CD

The three WAR files are located in the cdimage\apps\wel subdirectory. Choose the one that matches your network security application:

• IBM Tivoli Access Manager: amcms.war
• Netegrity Siteminder: smcms.war
• Microsoft Active Directory (Windows Domain): wincms.war

If you have a different network security application, you will need to customize your own version of the CMS. For more information about how to do this, refer to Customizing Web Express Logon.

In addition to several other files, the WAR file contains the following files:

• web.xml: the servlet configuration file that you will edit in a later step
• Vault.xml: a sample file to help you better understand Vault parameters and their values
• was.policy: for IBM WebSphere Application Server users only, this file contains the required permissions for the CMS when Java 2 security is enabled (refer to Troubleshooting Web Express Logon for more information)

B. Become familiar with the INIT parameters in the web.xml file.

In this step, you will become familiar with the three default INIT parameters in the web.xml file.

• Host Credential Mapper (HCM) plug-in: The name of the parameter is CMPICredentialMappers, and the parameter value is a compound value that contains the list of all available HCM plug-ins, for example, CMPIDCASPlugin CMPIVaultPlugin, and CMPIDCASELFPlugin. Currently, the value is echo, but you will eventually replace this with the name of your HCM plug-in.

  Code example:

  <init-param>
     <param-name>CMPICredentialMappers</param-name>          
     <param-value>echo</param-value>  
  </init-param>
  

• Network Security plug-in: The name of the parameter is CMPINetworkSecurity, and the parameter value is the full path name of the class that handles the CMS interface into the network security application. This example is taken from the amcms.war file, which is based on the Tivoli Access Manager network security application:

  Code example:

  <init-param>
       <param-name>CMPINetworkSecurity</param-name>
       <param-value>com.ibm.eNetwork.security.sso.cms.CMNPIAccessManager</param-value>      
  </init-param>
  

  The Network Security plug-in does not apply to Microsoft Active Directory (Windows Domain), Portal Server, or Certificate-based Web Express Logon. For Microsoft Active Directory, the Windows login ID is used to identify the user. For Portal Server, the Portal ID is used to identify the user. For Certificate-based Web Express Logon, the client certificate is used to identify the user.

• echo plug-in: The name of this INIT parameter (echo) is the same as the value for the HCM plug-in. In a future step, you will replace echo with the name of your HCM plug-in.

  Host On-Demand provides this optional echo plug-in in case you want to confirm that you are able to deploy the CMS correctly before you begin editing the web.xml file. For example, after you deploy your CMS to a Web server, you can test it by entering the following syntax in a workstation's browser address bar: https://web_application_server_name/context_root/CredMapper, where web_application_server_name is the name of the Web application server, context_root is the name of the context root that you specify when deploying the CMS, and CredMapper is the name of the CMS itself.

  Some Web application server products allow you to deploy the servlet first and then edit the XML file. Other products, such as WebSphere Application Server V5, work best when you deploy the servlet after you edit the XML code. Refer to your product's documentation for details.

  Code example:

  <init-param>
     <param-name>echo</param-name>
     <param-value>com.ibm.eNetwork.security.sso.cms.CMPINetEcho,AuthType_All,*
  		</param-value>
  </init-param>
  

C. Edit the CMS-related parameters.

In this step, you will edit two of the three INIT parameters in the web.xml file. INIT parameters adapt the servlet to your environment. You will not edit the CMPINetworkSecurity parameter name or value.

1. Locate the CMPICredentialMappers parameter and change the name of its current value (echo) to the name of your HCM plug-in. In this example, the HCM plug-in is CMPIVaultPlugin:

   <init-param>
     <param-name>CMPICredentialMappers</param-name> 
     <param-value>CMPIVaultPlugin</param-value> 
   </init-param>

2. Locate the echo parameter and change the name of its current value (echo) with the name of the parameter value that you specified for the HCM plug-in (CMPIVaultPlugin).

   Now, replace the parameter value with a compound value that contains the full class path name of the implementing class, the authentication type to be used by the HCM plug-in, and the host mask. Separate these values with commas. In this example, com.ibm.eNetwork.security.sso.cms.CMPIVault is the full class path name, AuthType_All is the authentication type, and * is the host mask.

   Full class path name

   The CMS uses the value of the full class path name to create a class object of the specified type. That object is then used to handle CMS or HCM requests. The specified class file must be in the ...\WEB-INF\classes subdirectory in a loose file (not as a JAR file). From this location, the CMS will be able to access and use it whenever the need arises.

   Authentication type

   This value is used to identify the type of authentication that the requestor needs. Once you specify the desired authentication type, the CMS can better identify which credential mapper to select to handle the request. You can pair multiple authentication types together to give HCM plug-ins the freedom to support multiple authentication types. Use the vertical bar character to join multiple authentication types.

   The five identified authentication types are listed in Table 4:

   Authentication used in Secure Shell (SSH) on VT emulation or sftp sessions are not supported by the HCM plug-in.

   Table 4. Authentication types and descriptions

   Authentication type	Description
   AuthType_3270Host	Identifies the credentials to be used with a 3270 emulation
   AuthType_5250Host	Identifies the credentials to be used with 5250 emulation
   AuthType_VTHost	Identifies the credentials to be used with VT emulation
   AuthType_FTPPassword	Credentials used to access an FTP host
   AuthType_ConfigServer	Credentials identified by the token used to identify the user to the Host On-Demand configuration server (if you are using the Configuration server-based model
   AuthType_All	Identifies the credentials to be used for all authentication types

   Host mask

   The host mask is a secondary selection criteria used by the CMS to identify the most appropriate credential mapper. This value can contain one or more host addresses. Use the vertical bar character to join multiple addresses. Use the asterisks character to wildcard a host address. The wildcard character may start, end, or start and end a host address.

   Table 5 lists valid wild-carded addresses:

   Table 5. Host masks and values matched

   Host mask	Value matched
   *.raleigh.ibm.com	Matches all addresses that end with .raleigh.ibm.com
   ralvm*	Matches all addresses that start with ralvm
   *	Matches all
   *xyz*	Matches any host address that contains xyz

   Code example:

   <init-param>
     <param-name>CMPIVaultPlugin</param-name> 
     <param-value>com.ibm.eNetwork.security.sso.cms.CMPIVault, AuthType_All, *
   		</param-value> 
     </init-param>

D. Add optional CMS-related debugging parameters.

Add the following two optional debugging parameters to help you troubleshoot:

CMPI_TRACE_LOG_FILE

This parameter specifies the name of the log file. The value should be the full path to the log file, for example C:\Program Files\IBM\HostOnDemand\HODWEL.log on a Windows platform.

Code example:

<init-param> 
   <param-name>CMPI_TRACE_LOG_FILE</param-name> 
   <param-value>C:\Program Files\IBM\HostOnDemand\HOD\HODWEL.log
		</param-value> 
</init-param>

CMPI_CMS_TRACE_LEVEL

This parameter specifies the trace level for the CMS. The trace messages are logged to the log file specified by CMPI_TRACE_LOG_FILE parameter. Depending on your Web application server, they may or may not be logged to the console. Trace level values include the following:

• 0 = None: No tracing. This is the default.
• 1 = Minimum: Trace APIs and parameters, return values, and errors.
• 2 = Normal: Trace Minimum plus internal APIs and parameters and informational messages.
• 3 = Maximum: Trace Normal plus Java exceptions.

Code example:

<init-param> 
   <param-name>CMPI_CMS_TRACE_LEVEL</param-name> 
   <param-value>3</param-value> 
</init-param>

E. Add the required Vault parameters for the CMPIVaultPlugin.

Add the required Vault parameters to allow the HCM database to map the user ID to the host ID.

Use the Vault.xml file located in the WAR file as a reference for adding parameters when editing the web.xml file.

1. The following parameters contain all the relevant information needed to connect to your HCM database, which in this example is a JDBC database table. You can either configure access to an existing database or point to a newly created database. The level of security for the database varies according to database vendor. Refer to the database application's documentation for details.

   CMPI_VAULT_DB_ADDRESS

   This is a URL string that provides the address of the database. An example of this string is jdbc:db2://dtagw:6789/HODSSO.

   Code example:

   <init-param> 
      <param-name>CMPI_VAULT_DB_ADDRESS</param-name>  
   	 <param-value>jdbc:db2://dtagw.raleigh.ibm.com:6789/HODSSO</param-value> 
   </init-param>

   CMPI_VAULT_DB_NET_DRIVER

   This string contains the name of the class that acts as the network database driver. An example of this string is COM.ibm.db2.jdbc.net.DB2Driver. The location of this class is assumed to be in the existing class path.

   Code example:

   <init-param> 
      <param-name>CMPI_VAULT_DB_NET_DRIVER</param-name> 
      <param-value>COM.ibm.db2.jdbc.net.DB2Driver</param-value> 
   </init-param>

   CMPI_VAULT_DB_USERID

   This is the ID of the user account to use when accessing the database.

   Code example:

   <init-param> 
      <param-name>CMPI_VAULT_DB_USERID</param-name> 
      <param-value>admin</param-value> 
   </init-param>

   CMPI_VAULT_DB_PASSWORD

   This is the password of the user account to use when accessing the database.

   This parameter should be encrypted using the encrypt password tool. It is decrypted by the HCM plug-in before using it. For more information about the password encryption tool, refer to Appendix C. Password encryption tool.

   Code example:

   <init-param> 
      <param-name>CMPI_VAULT_DB_PASSWORD</param-name> 
      <param-value>tuBu9v8lHiJi1jt08UgHzA==</param-value> 
   </init-param> 

   CMPI_VAULT_DB_TABLE

   This entry identifies the table to use for the needed query.

   Code example:

   <init-param> 
      <param-name>CMPI_VAULT_DB_TABLE</param-name> 
      <param-value>HACP</param-value> 
   </init-param>

2. The following parameters should correspond directly to the column headings in your HCM database and should clearly indicate the contents of the columns. With some databases, such as IBM DB2, the column headings must be in all upper-case letters, for example, NETWORKID, HOSTADDRESS, APPLICATIONID, HOSTID, and PASSWORD.

   Based on the information provided by the first three of these parameters (network ID, host address, and the host application ID), you can make a SQL query of the database to get the host ID. The result of the query is entered in the host ID (HOSTID) column. Assuming that the query is successful, a call is made to the DCAS to request the passticket.

   CMPI_VAULT_DB_NETID_COL_NAME

   This entry identifies the name of the column that contains the network ID value (NETWORKID).

   Code example:

   <init-param> 
      <param-name>CMPI_VAULT_DB_NETID_COL_NAME</param-name> 
      <param-value>NETWORKID</param-value> 
   </init-param>

   CMPI_VAULT_DB_HOSTADDR_COL_NAME

   This entry identifies the name of the column that contains the host address value (HOSTADDRESS).

   Code example:

   <init-param> 
      <param-name>CMPI_VAULT_DB_HOSTADDR_COL_NAME</param-name> 
      <param-value>HOSTADDRESS</param-value> 
   </init-param>

   CMPI_VAULT_DB_HOSTADDR_COL_NAME

   This entry identifies the name of the column that contains the host address value (HOSTADDRESS).

   Code example:

   <init-param> 
      <param-name>CMPI_VAULT_DB_HOSTADDR_COL_NAME</param-name> 
      <param-value>HOSTADDRESS</param-value> 
   </init-param>

   CMPI_VAULT_DB_HOSTAPP_COL_NAME

   This entry identifies the name of the column that contains the host application value (APPLICATIONID).

   Code example:

   <init-param> 
      <param-name>CMPI_VAULT_DB_HOSTAPP_COL_NAME</param-name> 
      <param-value>APPLICATIONID</param-value> 
   </init-param>

   CMPI_VAULT_DB_HOSTID_COL_NAME

   This entry identifies the name of the column that contains the user's host identification value (HOSTID).

   Code example:

   <init-param> 
      <param-name>CMPI_VAULT_DB_HOSTID_COL_NAME</param-name> 
      <param-value>HOSTID</param-value> 
   </init-param>

   CMPI_VAULT_DB_HOSTPW_COL_NAME

   This entry identifies the name of the column that contains the host password value (PASSWORD).

   Code example:

   <init-param> 
      <param-name>CMPI_VAULT_DB_HOSTPW_COL_NAME</param-name> 
      <param-value>PASSWORD</param-value> 
   </init-param>

F. Add the optional Vault parameters (if desired).

Unlike the previous set of Vault parameters, the following parameters are optional. Which of these parameters you add to the web.ml file depends on your environment and your objectives as an administrator:

CMPI_VAULT_TRACE_LEVEL

This parameter specifies the trace level for the Vault plug-in. The trace messages are logged to the log file specified by CMPI_TRACE_LOG_FILE parameter. Depending on your Web application server, they may or may not be logged to the console. Trace level values include the following:

• 0 = None: No tracing. This is the default.
• 1 = Minimum: Trace APIs and parameters, return values, and errors.
• 2 = Normal: Trace Minimum plus internal APIs and parameters and informational messages.
• 3 = Maximum: Trace Normal plus Java exceptions.

Code example:

<init-param> 
   <param-name>CMPI_VAULT_TRACE_LEVEL</param-name> 
   <param-value>3</param-value> 
</init-param>

CMPI_VAULT_DB_PRESERVE_WHITESPACE

This parameter indicates whether to trim white spaces from the credential request parameters or not. If true, the white spaces are not trimmed. The default is false.

Code example:

<init-param> 
   <param-name>CMPI_VAULT_DB_PRESERVE_WHITESPACE</param-name> 
   <param-value>false</param-value> 
</init-param>

CMPI_VAULT_DB_CASE_SENSITIVE

This parameter specifies whether or not the Vault plug-in converts the application ID and network ID of the user to lowercase characters and then uses the lcase() method to make SQL queries to the HCM database. This parameter should be set to true when using SQL applications that do not support the lcase() method.

Code example:

<init-param> 
   <param-name>CMPI_VAULT_DB_CASE_SENSITIVE</param-name> 
   <param-value>false</param-value> 
</init-param>

Step 2: Save the WAR file and deploy the CMS.

Once you save the WAR file with your edits, you are ready to deploy