Introduction

Single sign-on (SSO) is a property of access control to multiple related, yet independent, software systems. With this property, a user logs in with a network credential to gain access to any of several related systems.

In this post, we look at how to set up single sign-on in HCL ZIE for Transformation (ZIETrans), which provides a mechanism to automatically log on to the host system.

Web Express Logon (WEL), a feature provided in ZIETrans, allows users to access host applications using their network security credentials. It provides a means for a ZIETrans application to accept user network credential information, previously authenticated by a network security layer, and use it to generate host credentials instead of requiring a ZIETrans user to navigate host logon screens. To map network credentials to host credentials, ZIETrans provides Credential Mapper plug-ins. If the supplied plug-ins do not meet your needs, you can create your own plug-in and integrate it into WEL.

Implementation

There are a few components in the ZIETrans project that must be configured to implement Web Express Logon. The configuration steps are:

1.       Enable and Configure WEL.

2.       Record a WEL Macro.

3.       Configure ZIETrans to invoke the WEL Macro.

Enable and Configure Web Express Logon

Complete the following steps to enable WEL in your ZIETrans Web Application:

1.       Go to Connection Editor.

2.       Select Security Tab.

3.       Select Use Web Express Logon and click Configure.

To configure WEL, you need to identify the Network Security and Credential Mapper plug-ins. Web Express Logon relies on these plug-ins to provide the network user ID and host access credentials. You can either select the plug-ins provided in the ZIETrans project or create your own custom plug-ins. For more information, see the link on creating WEL custom plug-ins under References.

Network Security Plug-ins

Plug-in types available in ZIETrans are:

1.       None (used when no network security package is being used, as with Certificate Express Logon).

2.       Custom – If none of the provided plug-ins meets your needs, you can create your own custom plug-in and specify the details in this section.

3.       Access Manager Network Security

Figure 1: Available Network Security Plug-ins

Credential Mapper Plug-ins
Like the security plug-ins, ZIETrans provides a few Credential Mappers that you can use for your WEL implementation. These plug-ins are:

  1. DCAS/RACF/JDBC Credential Mapper: DCAS and RACF are used with the z/OS operating system to obtain pass tickets. A JDBC-accessible repository is required to map the user’s network ID to the user’s host ID. When this option is selected, use parameter ‘CMPI_DCAS_TRUSTSTORE’ to provide the path to the SSL KeyStore file, which you have created for DCAS connection.
  2. Certificate-based DCAS/RACF Credential Mapper: DCAS and RACF are used with the z/OS operating system to obtain pass tickets. This plug-in does not require a JDBC-accessible repository because a certificate is passed directly to DCAS, and a host ID and pass ticket pair is returned.
  3. JDBC Vault Credential Mapper: Any JDBC/ODBC-compliant repository, such as DB2, Oracle, or even an Excel spreadsheet on Windows, can be used. This repository is used to store host user IDs and passwords.
  4. Test Credential Mapper: This plug-in is provided to test WEL.

Figure 2: Available Credential Mapper Plug-ins
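
The following is an added conceptual model of what a vault-style credential mapper does with an already-authenticated network ID; it is not ZIETrans code and does not use the WEL plug-in API. The SQLite table, its column names, the function names, the choice of lookup key (network ID, host address, application ID) and the sample rows are all assumptions constructed for illustration.

```python
import sqlite3
from typing import NamedTuple, Optional


class HostCredential(NamedTuple):
    host_id: str
    password: str


def build_vault() -> sqlite3.Connection:
    """Constructed sample repository; table and column names are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE vault (network_id TEXT NOT NULL, host_address TEXT NOT NULL,"
        " application_id TEXT NOT NULL, host_id TEXT NOT NULL, password TEXT NOT NULL,"
        " PRIMARY KEY (network_id, host_address, application_id))"
    )
    db.executemany(
        "INSERT INTO vault VALUES (?, ?, ?, ?, ?)",
        [("alice", "zos1.example.test", "TSO", "ALICE01", "constructed-pw-1"),
         ("bob", "zos1.example.test", "CICSA", "BOB0002", "constructed-pw-2")],
    )
    return db


def map_credentials(db: sqlite3.Connection, network_id: Optional[str],
                    host_address: str, application_id: str) -> Optional[HostCredential]:
    """Map an already-authenticated network ID to host credentials, or None."""
    if not network_id:
        return None  # no authenticated identity: never fall back to a shared host account
    row = db.execute(
        "SELECT host_id, password FROM vault"
        " WHERE network_id = ? AND host_address = ? AND application_id = ?",
        (network_id, host_address, application_id),  # bound parameters, no string building
    ).fetchone()
    return HostCredential(*row) if row else None


def fill_logon_prompts(credential: Optional[HostCredential]) -> dict:
    """Values the user ID and password prompts of a logon macro would receive."""
    if credential is None:
        # Fail closed: nothing is typed into the host logon screen.
        return {"status": "no-mapping", "userid": None, "password": None}
    return {"status": "ok", "userid": credential.host_id, "password": credential.password}
```

Because the repository holds host passwords, its access controls and the connection to it deserve the same protection as the host accounts themselves.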

Recording Web Express Logon Macro

A WEL macro is slightly different from a regular ZIETrans macro. When recording the prompts for user ID and password, you must enable the use of WEL and provide an application ID (in the case of a 3270 connection).

1.       From the ZIETrans toolbar, click Open Host Terminal icon to start a session.

2.       Click Record Macro icon.

3.       Navigate to the screen that contains the User ID input field.

4.       Select Add Prompt Action icon from the toolbar, and the Add Prompt Action wizard is displayed. Fill in the fields.

        Refer to Figure 3.

5.       Select Use Web Express Logon in the Add Prompt Action window. Select the Prompt type for User ID and enter the Application ID in the Application ID field.

Figure 3: Prompt for User ID

6.       Navigate to the Password input field.

7.       Select Add Prompt Action icon. The Add Prompt Action window is displayed.

8.       Select Use Web Express Logon with Prompt type of Password and enter Application ID in the Application ID field.

        Refer to Figure 4.

Figure 4: Prompt for Password

9.       When you have completed the login process, click Stop Macro icon, and save the macro.

Configure ZIE for Transformation to invoke WEL Macro

Once the macro is created, you need to define how it is invoked in your project. Below are a few methods to choose from:

  1. Define the WEL logon macro as the connect macro for the connection. Such macros run automatically when the connection is initially created. Go to menu item View -> Macros -> Connect macro to select the WEL macro from the drop-down list.
  2. Invoke the WEL logon macro with the Play Macro option at the Connect event. A connect event occurs when your ZIETrans application connects to the host server. Go to Projects Settings View -> Events -> Connect -> Actions -> Add -> Play Macro and select the WEL macro.
  3. Invoke the WEL logon macro with a Play Macro option on screen customization. A screen customization is a ZIETrans screen event designed to perform a set of actions when a host screen is recognized. On a selected screen (for example, login screen of the application) customization wizard, go to Actions -> Add -> Play Macro and select the WEL macro.
  4. Create an Integration Object from the macro. To create an Integration Object, right-click the macro and select Create Integration Object. You can run these integration objects from a Business logic or build Struts, JSF Web pages, and so on.

Summary

There are certain things you need to consider before you plan for WEL; for example, your host type, the kind of host authentication needed (such as DCAS/RACF or JDBC), the security and credential mapper plug-ins, and so on. Once you understand these basic requirements, you can set up WEL to allow your users to automatically log in to the host system without seeing the login screen. Apart from increasing productivity, it will also help you reduce the support calls to reset forgotten passwords and user IDs.

References

Single Sign-On: https://en.wikipedia.org/wiki/Single_sign-on

HCL ZIETrans: https://www.hcltechsw.com/zie

HCL ZIETrans WEL: https://zietrans.hcldoc.com/help/index.jsp?topic=%2Fcom.ibm.hats.doc%2Fdoc%2Fugsslsec.htm&cp=0_1_1_16_2&anchor=wel

Creating WEL Custom plug-ins in HCL ZIETrans: https://zietrans.hcldoc.com/help/index.jsp?topic=%2Fcom.ibm.hats.doc%2Fdoc%2Fpgplugin.htm

Contact

For further information on automation and services offerings, please write to: ZIO@hcl.com
