Web Express Logon Tutorial


Connection-based automation: an overview

Unlike macro-based automation, connection-based automation does not require a macro, because the client and the host can connect without presenting a login screen to the user. In macro-based automation, a macro is required to automate that screen. Connection-based automation supports the following two environments:

Telnet-negotiated login
Currently, Web Express Logon supports OS/400 (V5R2 and later) telnet-negotiated environments that have Kerberos authentication enabled. It does not require the CMS, a login macro, a Network Security plug-in, or the HCM database. Instead, it extends the existing single sign-on capability of the OS/400 operating system.

In order for connection-based automation to function in this environment, you must have the following prerequisites in place:

You must configure your OS/400 environment to use single sign-on capability in order to implement connection-based logon automation. The OS/400 environment provides single sign-on capability through a combination of network authentication service (NAS) and an IBM technology called Enterprise Identity Mapping (EIM). Host On-Demand uses this existing methodology for acquiring credentials to allow users to bypass the 5250 session login screen. Both NAS and EIM technology are available with the OS/400 (V5R2 and later) operating system.

The following steps outline the overall process of connection-based automation in an OS/400 environment with Kerberos authentication enabled:

  1. A user logs on to the Windows domain. The Windows domain gives users access to the network.
  2. The user requests a Host On-Demand session from the Host On-Demand server.
  3. The Host On-Demand session initializes and requests a Kerberos ticket from the KDC. This is how users gain access to the individual resources within the network.
  4. The user attempts to create a connection with the identified session using the Kerberos ticket as the credential.
  5. The iSeries host validates the ticket with the KDC.
  6. The user is successfully logged in.
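The following Python model of steps 3 through 6 is an added example, not Host On-Demand or OS/400 code. It shows which checks stand between a presented ticket and a logged-in 5250 session, and that a missing EIM mapping must end in a denial. An HMAC under a key the host shares with the KDC stands in for real Kerberos ticket encryption, and the realm, principals, key and EIM entries are constructed assumptions.

```python
import hashlib
import hmac
import json
import time

# Constructed values: realm, principals, key and EIM entries are all assumptions.
SERVICE = "host5250/iseries.example.com@EXAMPLE.COM"
HOST_KEY = b"constructed-key-shared-by-KDC-and-host"
EIM_MAP = {"alice@EXAMPLE.COM": "ALICE1"}  # Kerberos principal -> OS/400 user profile


def _mac(body: bytes) -> str:
    return hmac.new(HOST_KEY, body, hashlib.sha256).hexdigest()


def kdc_issue_ticket(client: str, service: str, now: float, lifetime: int = 600) -> dict:
    """Step 3: the KDC issues a ticket naming the client, the service and an expiry."""
    body = json.dumps({"client": client, "service": service,
                       "expires": now + lifetime}, sort_keys=True)
    return {"body": body, "mac": _mac(body.encode())}


def host_logon(ticket: dict, now: float) -> str:
    """Steps 4-6: the host checks the presented ticket, then maps it through EIM."""
    if not hmac.compare_digest(ticket["mac"], _mac(ticket["body"].encode())):
        return "DENY: ticket integrity check failed"
    claims = json.loads(ticket["body"])
    if claims["service"] != SERVICE:
        return "DENY: ticket was issued for another service"
    if now >= claims["expires"]:
        return "DENY: ticket expired"
    profile = EIM_MAP.get(claims["client"])
    if profile is None:
        return "DENY: no EIM mapping for " + claims["client"]
    return "LOGON: " + profile


if __name__ == "__main__":
    t0 = time.time()
    good = kdc_issue_ticket("alice@EXAMPLE.COM", SERVICE, t0)
    print(host_logon(good, t0))                     # mapped profile, no login screen
    print(host_logon(good, t0 + 3600))              # same ticket after expiry
    forged = dict(good, body=good["body"].replace("alice", "admin"))
    print(host_logon(forged, t0))                   # altered client name
    print(host_logon(kdc_issue_ticket("bob@EXAMPLE.COM", SERVICE, t0), t0))
```

Because no password prompt remains as a fallback, each of the denial branches is the only control for its failure case; in a real deployment the corresponding settings are ticket lifetime, the host's service principal and the EIM associations.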

FTP login
Web Express Logon provides an automated way for users to log on to FTP hosts by providing a central repository for storing and retrieving users' credentials. Although this process is similar to configuring Web Express Logon in a vault-style environment (see Scenario 2: Configuring Web Express Logon in a vault-style environment on page 65), this type of automation is different because the user's credentials are retrieved from the CMS at the time the connection is established. In other words, it does not require a macro. Currently, Host On-Demand allows you to statically store a user's ID and password in the FTP configuration; however, Web Express Logon extends this approach by automating the user credential retrieval process.

To enable Web Express Logon for FTP sessions, follow the steps for Scenario #2: Configuring Web Express Logon in a vault-style environment. Look for the following icon, which marks information that applies specifically to FTP sessions:

Click Next for an overview of the three real-life scenarios.
