8.6 Set up Automated Sign-On for Mainframe Sessions

Using the Automated Sign-On for Mainframe Add-On, you can enable a user to authenticate to a front-end system using a modern form of authentication (such as a smart card, certificate, LDAP password, or Kerberos) and then be automatically logged on to a z/OS mainframe application.

NOTE: The Automated Sign-On for Mainframe Add-On requires the base installation of the Management and Security Server (MSS), which provides the Administrative Server. This add-on is not included with the Management and Security Server license. To activate this product, you must purchase a separate license.

Automated Sign-On solves problems associated with the credentials typically required for mainframe applications. Mainframe applications prompt for traditional credentials (a user name and password) and are typically hard-coded to accept a maximum of 8 characters for these credentials. Changing the password to match the user's enterprise password is often not practical because of the mainframe limits on password character length and the coordination of password changes. Because of this limitation, logging on to mainframe applications requires an identity that is separate from the user's enterprise identity.

This add-on solves this problem by providing middleware that maps the user's enterprise identity to the user's mainframe identity. When using a Reflection session configured to use Automated Sign-On, the user authenticates to the front-end system using a modern authentication method. After authentication through the front-end system, the user is automatically logged on to the host application.

8.6.1 Implementing Automated Sign-On for Mainframe

To implement Automated Sign-On, you’ll need to configure the Administrative Server, the Reflection emulation client session, and the z/OS mainframe as shown in the Automated Sign-On for Mainframe Administrator Guide in the Host Access Management and Security Server Documentation.

The process for setting up automated sign-on depends on your environment.

Process for Centrally Managed Environments

If your environment is set up to centrally manage and control all session document files on an MSS server and you do not allow users to create their own session documents, use the following instructions in the Automated Sign-On for Mainframe Administrator Guide in the Host Access Management and Security Server Documentation.

  • Reflection or InfoConnect Desktop - Managed Sessions in the Enable your emulator for automated sign-on section

Process for Unmanaged Environments

If your environment is not set up to centrally manage session document files with MSS and you want to use MSS only for automated sign-on, use the following instructions in the Automated Sign-On for Mainframe Administrator Guide in the Host Access Management and Security Server Documentation.

  • Reflection or InfoConnect Desktop - Workspace Automated Sign-on in the Enable your emulator for automated sign-on section