New features for ACF2 Version 16.0 include support for the IBM Express Logon Feature (ELF) (LU00711) (CARS2110).
The IBM ELF is supported on two-tier and three-tier network designs. The two-tier design uses the z/OS® TN3270E Telnet server. The three-tier design uses a middle-tier Telnet server and a Digital Certificate Access Server (DCAS). This document discusses the two-tier design. It assumes that the IBM MFA for z/OS product is already set up and configured, and that the appropriate MFA parameters have been added to the ACF2 user profiles of the users who need to log in with MFA tokens.
See also the overview and diagram on the IBM page Express Logon Feature.
Component: ACF2 for z/OS
With MFA, cache tokens are recommended so that pass tickets do not have to be configured for the application that the TN3270 emulator connects to.
If the front-end application is a session manager, such as TPX, pass tickets must be set up for the downstream applications.
Either all client certificates must be registered with ACF2, or certificate name filters for the client certificates must be created for ACF2 by using the RACDCERT command. This associates the certificates with the IDs of the users who are attempting to log on.
Examples of the implementation steps are given in the attached PowerPoint file "Certificate Based Logon - TN3270_1653992057018.pptx".