ACF2 support of IBM Express Logon Facility (ELF) with MFA


Article ID: 236131




ACF2 - z/OS


New features for ACF2 Version 16.0 include Support for IBM Express Logon Feature (ELF) (LU00711) (CARS2110).

The IBM ELF is supported on two-tier and three-tier network designs. The two-tier design uses the z/OS® TN3270E Telnet server. The three-tier design uses a middle-tier Telnet server and a Digital Certificate Access Server (DCAS). This document discusses the two-tier design. It assumes that the IBM MFA for z/OS product is already set up and configured, and that the appropriate MFA parameters have been added to the ACF2 user profile of each user who needs to log in with MFA tokens.

See also the overview and diagram on the IBM page Express Logon Feature.




Component : ACF2 for z/OS



With MFA, cache tokens are recommended so that pass tickets do not have to be configured for the application that the TN3270 emulator connects to.

If the front-end application is a session manager, such as TPX, pass tickets must be set up for the downstream applications.

Either all client certificates must be registered with ACF2 or certificate name filters must be created for ACF2 for the client certificates by using the RACDCERT command. This associates the certificates with the IDs of users who are attempting to log on.

1. Set up a separate TN3270 server port, 2023, with EXPRESSLOGON.

2. Export the X.509 certificate to a mainframe data set.

3. Use the ACF2 INSERT command to add the X.509 certificate to ACF2 and associate it with a mainframe user ID.

4. Create a new keyring, "ELF", and use the ACF2 CONNECT command to add the certificates to the keyring.
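
A pre-deployment check for the port set up in step 1, added here as an example and not taken from the article, Broadcom or IBM: it scans TN3270 profile text and reports every TELNETPARMS block that codes EXPRESSLOGON without TLS or, on a SECUREPORT, without CLIENTAUTH SAFCERT and the keyring from step 4. The sample profile, the function names and the rule set are assumptions built on the IBM TN3270E statement names; AT-TLS policy for a TTLSPORT is not inspected.

```python
# Constructed sample profile (not from the article). Port 2023 and the ELF
# ring name come from steps 1 and 4; the port 23 block is a deliberate mistake.
SAMPLE_PROFILE = """\
TELNETPARMS
  SECUREPORT 2023        ; ELF port
  KEYRING SAF ELF
  CLIENTAUTH SAFCERT     ; map the client certificate to a user ID
  EXPRESSLOGON
ENDTELNETPARMS
TELNETPARMS
  PORT 23
  EXPRESSLOGON
ENDTELNETPARMS
"""

PORT_KEYWORDS = ("PORT", "SECUREPORT", "TTLSPORT")

def parse_telnetparms(text):
    """Return one dict per TELNETPARMS block: {keyword: [operands]}."""
    blocks, cur = [], None
    for raw in text.splitlines():
        words = raw.split(";", 1)[0].upper().split()  # ';' starts a comment
        if not words:
            continue
        if words[0] == "TELNETPARMS":
            cur = {}
        elif words[0] == "ENDTELNETPARMS" and cur is not None:
            blocks.append(cur)
            cur = None
        elif cur is not None:
            cur[words[0]] = words[1:]
    return blocks

def audit_elf(text, ring="ELF"):
    """List (port, problem) for every block that codes EXPRESSLOGON."""
    findings = []
    for block in parse_telnetparms(text):
        if "EXPRESSLOGON" not in block:
            continue
        kind = next((k for k in PORT_KEYWORDS if k in block), None)
        port = block[kind][0] if kind and block[kind] else "?"
        if kind in (None, "PORT"):
            findings.append((port, "EXPRESSLOGON on a non-TLS port"))
        elif kind == "SECUREPORT":
            if block.get("CLIENTAUTH") != ["SAFCERT"]:
                findings.append((port, "CLIENTAUTH SAFCERT missing"))
            if ring.upper() not in block.get("KEYRING", []):
                findings.append((port, f"KEYRING {ring} not coded"))
        # TTLSPORT: TLS settings live in AT-TLS policy, which is not read here.
    return findings
```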


Additional Information

Examples of the implementation steps are given in the attached PowerPoint file "Certificate Based Logon - TN3270_1653992057018.pptx".

