Introduction

Single sign-on (SSO) is a property of access control to multiple related, yet independent, software systems. With this property, a user logs in with a network credential to gain access to any of several related systems.

In this post, we look at how to set up single sign-on in HCL ZIE for Transformation (ZIETrans), which provides a mechanism to log on to the host system automatically.

Web Express Logon (WEL), a feature provided in ZIETrans, allows users to access host applications using their network security credentials. It provides a means for a ZIETrans application to accept user network credential information, previously authenticated by a network security layer, and use it to generate host credentials instead of requiring a ZIETrans user to navigate host logon screens. To map network credentials to host credentials, ZIETrans provides Credential Mapper plug-ins. If the supplied plug-ins do not meet your needs, you can create your own plug-in and integrate it into WEL.

Implementation

A few components in the ZIETrans project must be configured to implement Web Express Logon. The configuration steps are:

1. Enable and Configure WEL.
2. Record a WEL Macro.
3. Configure ZIETrans to invoke the WEL Macro.

Enable and Configure Web Express Logon

Complete the following steps to enable WEL in your ZIETrans Web Application:

1. Go to Connection Editor.
2. Select Security Tab.
3. Select Use Web Express Logon and click Configure.

To configure WEL, you need to identify the Network Security and Credential Mapper plug-ins. Web Express Logon relies on these plug-ins to provide the network user ID and host access credentials. You can either select the plug-ins provided in the ZIETrans project or create your own custom plug-ins. For more information on creating your own custom plug-in, see the custom plug-in link under References.

Network Security Plug-ins

Plug-in types available in ZIETrans are:

1. None (used when no network security package is being used, as with Certificate Express Logon).
2. Custom – If none of the provided plug-ins meets your needs, you can create your own custom plug-in and specify the details in this section.
3. Access Manager Network Security

Figure 1: Available Network Security Plug-ins

Credential Mapper Plug-ins
As with the network security plug-ins, ZIETrans provides a few Credential Mappers that you can use for your WEL implementation. These plug-ins are:

  1. DCAS/RACF/JDBC Credential Mapper: DCAS and RACF are used with the z/OS operating system to obtain pass tickets. A JDBC-accessible repository is required to map the user’s network ID to the user’s host ID. When this option is selected, use parameter ‘CMPI_DCAS_TRUSTSTORE’ to provide the path to the SSL KeyStore file, which you have created for DCAS connection.
  2. Certificate-based DCAS/RACF Credential Mapper: DCAS and RACF are used with the z/OS operating system to obtain pass tickets. This plug-in does not require a JDBC-accessible repository because a certificate is passed directly to DCAS, and a host ID and pass ticket pair is returned.
  3. JDBC Vault Credential Mapper: Any JDBC/ODBC-compliant repository, such as DB2, Oracle, or even an Excel spreadsheet on Windows, can be used. This repository is used to store host user IDs and passwords.
  4. Test Credential Mapper: This plug-in is provided to test WEL.

Figure 2: Available Credential Mapper Plug-ins
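
The lookup that a JDBC vault-style credential mapper performs can be modelled as follows. This is an added illustration, not ZIETrans code, and it does not use the ZIETrans plug-in API: the table layout, column names, function names and sample rows are assumptions constructed for the example, with SQLite standing in for the JDBC-accessible repository.

```python
import sqlite3

class NoMappingError(Exception):
    """No usable vault entry: the automatic logon must not proceed."""

# Constructed sample rows: (network_id, host, app_id, host_id, host_password)
SAMPLE_ROWS = [
    ("alice@corp.example", "zos1.example.com", "TSOPROD", "ALICE01", "constructed-pw-1"),
    ("alice@corp.example", "zos1.example.com", "CICSTEST", "ALICET", "constructed-pw-2"),
    ("bob@corp.example", "zos1.example.com", "TSOPROD", "BOB0002", "constructed-pw-3"),
]

def build_vault(rows):
    """In-memory stand-in for the JDBC-accessible repository (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE vault (network_id TEXT NOT NULL, host TEXT NOT NULL, "
        "app_id TEXT NOT NULL, host_id TEXT NOT NULL, host_password TEXT NOT NULL, "
        "PRIMARY KEY (network_id, host, app_id))"  # one mapping per key
    )
    db.executemany("INSERT INTO vault VALUES (?, ?, ?, ?, ?)", rows)
    return db

def map_credentials(db, network_id, host, app_id):
    """Map an already-authenticated network ID to (host_id, host_password).

    network_id must come from the network security layer, never from a
    request parameter the user controls.
    """
    if not network_id:
        raise NoMappingError("no authenticated network ID")
    row = db.execute(  # bound parameters: the ID is data, never SQL text
        "SELECT host_id, host_password FROM vault "
        "WHERE network_id = ? AND host = ? AND app_id = ?",
        (network_id, host, app_id),
    ).fetchone()
    if row is None:
        # Fail closed: no default account, no fallback to another application.
        raise NoMappingError(f"no mapping for {network_id!r} on {host}/{app_id}")
    return row

if __name__ == "__main__":
    vault = build_vault(SAMPLE_ROWS)
    host_id, _ = map_credentials(vault, "alice@corp.example", "zos1.example.com", "TSOPROD")
    print("host ID for alice on TSOPROD:", host_id)
```

The same network ID maps to different host IDs per application ID, and a user with no entry for an application gets an error rather than another account's credentials.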

Recording Web Express Logon Macro

A WEL macro differs slightly from a regular ZIETrans macro: when you record the prompts for user ID and password, you must enable the use of WEL and provide an application ID (in the case of a 3270 connection).

1. From the ZIETrans toolbar, click the Open Host Terminal icon to start a session.
2. Click the Record Macro icon.
3. Navigate to the screen that contains the User ID input field.
4. Select the Add Prompt Action icon from the toolbar; the Add Prompt Action wizard is displayed. Fill in the fields (refer to Figure 3).
5. Select Use Web Express Logon in the Add Prompt Action window. Select the Prompt type for User ID and enter the Application ID in the Application ID field.

Figure 3: Prompt for User ID

6. Navigate to the Password input field.
7. Select the Add Prompt Action icon. The Add Prompt Action window is displayed.
8. Select Use Web Express Logon with Prompt type of Password and enter the Application ID in the Application ID field (refer to Figure 4).

Figure 4: Prompt for Password

9. When you have completed the login process, click the Stop Macro icon, and save the macro.

Configure ZIE for Transformation to invoke WEL Macro

Once the macro is created, you need to define how it is invoked in your project. Below are a few methods to choose from:

  1. Define the WEL logon macro as the connect macro for the connection. Such macros run automatically when the connection is initially created. Go to the menu item View -> Macros -> Connect macro to select the WEL macro from the drop-down list.
  2. Invoke the WEL logon macro with the Play Macro option at the Connect event. A connect event occurs when your ZIETrans application connects to the host server. Go to Projects Settings View -> Events -> Connect -> Actions -> Add -> Play Macro and select the WEL macro.
  3. Invoke the WEL logon macro with a Play Macro option on a screen customization. A screen customization is a ZIETrans screen event designed to perform a set of actions when a host screen is recognized. In the customization wizard for a selected screen (for example, the login screen of the application), go to Actions -> Add -> Play Macro and select the WEL macro.
  4. Create an Integration Object from the macro. To create an Integration Object, right-click the macro and select Create Integration Object. You can run these Integration Objects from business logic or use them to build Struts, JSF Web pages, and so on.

Summary

There are certain things you need to consider before you plan for WEL: for example, your host type, the kind of host authentication needed (such as DCAS/RACF or JDBC), the security and credential mapper plug-ins, and so on. Once you understand these basic requirements, you can set up WEL to allow your users to log in to the host system automatically without seeing the login screen. Apart from increasing productivity, it will also help you reduce the support calls to reset forgotten passwords and user IDs.

References

Single Sign-On: https://en.wikipedia.org/wiki/Single_sign-on

HCL ZIETrans: https://www.hcltechsw.com/wps/portal/products/zie/home

HCL ZIETrans WEL: https://zietrans.hcldoc.com/help/index.jsp?topic=%2Fcom.ibm.hats.doc%2Fdoc%2Fugsslsec.htm&cp=0_1_1_16_2&anchor=wel

Creating WEL Custom plug-ins in HCL ZIETrans: https://zietrans.hcldoc.com/help/index.jsp?topic=%2Fcom.ibm.hats.doc%2Fdoc%2Fpgplugin.htm

Contact

For further information on automation and services offerings, please write to: ZIO@hcl.com
