IBM WebSphere Host On-Demand:

Transcription

1 IBM WebSphere Host On-Demand: Version 5 Enhancements Smaller and smarter clients, enhanced administration and security options Screen Customizer Version 2 with new programming API Programming Toolkit support for Java 1.2 George Baker Joel Canon Gary Griffith Gerd Hempel Peter Lenhard ibm.com/redbooks

2

3 SG International Technical Support Organization IBM WebSphere Host On-Demand: Version 5 Enhancements March 2001

4 Take Note! Before using this information and the product it supports, be sure to read the general information in Appendix D, Special notices on page 285. First Edition (March 2001) This edition applies to IBM WebSphere Host On-Demand Version 5. Comments may be addressed to: IBM Corporation, International Technical Support Organization Dept. HZ8 Building 662 P.O. Box Research Triangle Park, NC When you send information to IBM, you grant IBM a non-exclusive right to use or distribute the information in any way it believes appropriate without incurring any obligation to you. Copyright International Business Machines Corporation All rights reserved. Note to U.S Government Users Documentation related to restricted rights Use, duplication or disclosure is subject to restrictions set forth in GSA ADP Schedule Contract with IBM Corp.

5 Contents Preface xi The team that wrote this redbook xi Comments welcome xiii Chapter 1. Introduction Version 4 features Version 5 enhancements Improved cached client Automatic installation on AIX Deployment Wizard Express logon Disabling functions AS/400 proxy server Native authentication Keyboard remap Host print enhancements Service Manager port Configuration servlet Telnet-negotiated security (TLS-based) Multiple session icon Blink attribute support and color remap improvements Session menu enhancements Code page enhancements Hindi enablement Java 2 platform support ENPTUI support VT emulation enhancements Screen Customizer default GUI National language support Toolkit update IBM Screen Customizer Version Chapter 2. Planning Packaging Platform support Supported server operating systems Server disk space requirements Locally installed clients Migration from Version 3 or Version Windows NT and 2000 Server Other operating systems Copyright IBM Corp iii

6 2.4.3 Upgrading from Version Upgrading from Version Browser support Types of clients Administration client Emulator client Database clients Utilities Download clients Cached client Locally installed client Types of users Registered users Anonymous users Security Configuration servlet TLS-based Telnet security Server authentication Client authentication Express logon Native authentication Redirector Chapter 3. Host On-Demand installation Windows platforms Automated InstallShield Silent mode installation Local installation AIX Automated installation Silent mode installation HP-UX, Linux, and Sun Solaris AS/ Configuring the Web server Uninstalling Host On-Demand Installing the AS/400 Toolbox for Java OS/2 and NetWare System/ Chapter 4. Client changes Componentization Smart caching Color remapping iv IBM WebSphere Host On-Demand: Version 5 Enhancements

7 4.3.1 V3270 and 5250 elements VT elements Operator information area elements Modifying screen colors Blink attribute Keyboard remapping Assigning key functions Key repetition Macro key assignment Searching for key assignment Copy and Paste function Error and status information Enhanced menu support Improved default GUI Chapter 5. Administration New Administration Notebook Configuring groups and users Creating a group Creating a new Host On-Demand user Using native authentication Administering groups, sessions and users Filtering Configuring sessions Disabling emulator functions Configuring multiple sessions Administering the Redirector LDAP updates OS/400 Proxy Server Native platform authentication Creating a cached client preload CD Copy required files Create the HTML Copy the files Install from the CD Changing the Service Manager s port Server modifications Notifying the Host On-Demand client Chapter 6. Deployment Wizard Starting the Deployment Wizard Customizing HTML pages Download client using the configuration server v

8 6.2.2 Cached client using the configuration server Cached client not using the configuration server Download client not using the configuration server Running the Deployment Wizard from the installation CD Execution from Windows server Files created by the Deployment Wizard Distributing custom HTML pages OS/390 considerations Chapter 7. Native authentication Native platform authentication requirements Installation and activation of native authentication service Windows NT OS/ AIX Debug information Chapter 8. Configuration servlet Configuring WebSphere Application Server IBM WebSphere graphical configuration Enabling clients Specifying the location of the configuration servlet Direct reference Indirect reference XMLConfig Utility Add configuration servlet to default_app Add configuration servlet to new application Implementation scenarios Load balancing Native authentication Problem determination Chapter 9. Express logon Overview System requirements Application requirements Functional description The RACF-secured sign-on PassTicket Configuring the client Recording the macro - basic definitions Recording the macro - user ID and password Recording the macro - finishing steps The macro Configuring the TN3270 server vi IBM WebSphere Host On-Demand: Version 5 Enhancements

9 9.7.1 Communications Server for AIX Communications Server for OS/ Communications Server for NT and Windows Chapter 10. Telnet-negotiated security Session configuration Session negotiation Chapter 11. Print enhancements Printer definition file support Printer administration Session configuration Tips VT print passthrough Chapter 12. AS/ Toolbox Model 3 Support ENPTUI support Chapter 13. Java 1.2 compatibility Chapter 14. Screen Customizer Screen Customizer and Host On-Demand Screen Customizer and Personal Communications Manager Screen Customizer overview What s new in Screen Customizer Version Silent installation Runtime installation AIX UNIX AS/ Novell NetWare OS/ Administrator and studio installation Migration Migrating from ResQ!Net Migrating from IBM Screen Customizer Version The Screen Customizer development cycle Administration Screen customization Template development Deployment Service Bundler Windows system vii

10 Command line interface Application programming interface Custom Terminal Bean Screen Customizer Component Interface (SCCI) Documentation Chapter 15. Deployment strategies Factors affecting deployment User community Platform choices Administrative choices Security requirements Deployment scenarios The call center Financial services company Basic intranet Chapter 16. System/390 as a Host On-Demand server Express logon Native authentication Telnet-negotiated security Appendix A. Keyboard mappings Appendix B. Sample session configuration file Appendix C. Problem determination C.1 Enabling IPMonitor C.2 LDAP configuration C.3 Sample TLS-negotiated traces C.3.1 Successful negotiation C.3.2 Unsuccessful negotiation C.4 Additional AS/400-related Web pages C.5 IBM Screen Customizer troubleshooting C.5.1 Light-pen mode problems C.5.2 Template problems Appendix D. Special notices Appendix E. Related publications E.1 IBM Redbooks E.2 IBM Redbooks collections E.3 Other resources E.4 Referenced Web sites viii IBM WebSphere Host On-Demand: Version 5 Enhancements

11 How to get IBM Redbooks IBM Redbooks fax order form Abbreviations and acronyms Index IBM Redbooks review ix

12 x IBM WebSphere Host On-Demand: Version 5 Enhancements

13 Preface This redbook will help you install, configure, administer and use the IBM WebSphere Host On-Demand Version 5 new features and functions. Host On-Demand consists of a server and several clients that provide terminal-emulator sessions to System/390, AS/400 and ASCII host systems through a Web browser. The server can be installed on Windows NT, Windows 2000, OS/2, NetWare, AIX, various types of UNIX, OS/400, or OS/390. Host On-Demand is a product that allows customers, agents, suppliers, distributors and other business partners, as well as employees, access a company s host systems over the Internet or intranet. Many enhancements have been made in Version 5. This book focuses on these enhancements, describing all the new functions from the point of view of both the administrator and the user. It explains how these new functions work and the variety of ways in which Host On-Demand can be configured to suit differing requirements. It also discusses the various deployment strategies that may be used. The new enhancemens to the IBM Screen Customizer Version 2 product are also discussed. IBM Screen Customizer lets you convert the old standard green screen emulator interface easily and quickly into windows that include images, buttons, links, dialog boxes and all the other attributes of a modern graphical interface. The team that wrote this redbook This redbook was produced by a team of specialists from around the world working at the International Technical Support Organization, Raleigh Center. George Baker is a Senior I/T Specialist at the International Technical Support Organization, Raleigh Center. He writes and teaches IBM classes worldwide on host integration software. Before joining the ITSO in 2000, George worked for over 30 years in the field as a programmer, technical specialist, sales specialist and manager in the areas of large systems, networking and workstation software systems. Joel Canon is a Senior I/T Specialist based in Winston-Salem, North Carolina. He has worked over 15 years in software sales with IBM. Joel has a Masters in Business Administration from Vanderbilt University. He has worked Copyright IBM Corp xi

14 with a large number of customers on the installation and customization of the Host On-Demand product. Gary Griffith is a Senior Network Systems Analyst for The Boeing Company in Seattle,Washington. He has 20 years of experience in the field as a programmer and technical specialist supporting large-scale and distributed systems. His background also includes networking and PC operating systems. He co-authored Using Tivoli's ARM Response Time Agents, SG in Gerd Hempel is a technical pre-sales and I/T Specialist in Software Group, IBM Germany. He has over 28 years experience in information technology with IBM. The last three years were focused on Host Integration products. Peter Lenhard is a senior I/T specialist in the Software Group, IBM Germany. After joining IBM in 1973, he gained broad experience in SNA and telecommunications supporting automotive industry customers of IBM. From 1991 through 1995, he was the IBM technical liaison in support of communications architectures at the ITSO Center, Raleigh. Thanks to the following people for their invaluable contributions to this project: Byron Braswell John Ganci Bill Moore International Technical Support Organization, Raleigh Center Bryan Aupperle Charlotte Davis Michael Frank Rick Hardison Scott Roehrig John Ruiz Byron Williams IBM Research Triangle Park, NC xii IBM WebSphere Host On-Demand: Version 5 Enhancements

15 Comments welcome Your comments are important to us! We want our Redbooks to be as helpful as possible. Please send us your comments about this or other Redbooks in one of the following ways: Fax the evaluation form found in IBM Redbooks review on page 301 to the fax number shown on the form. Use the online evaluation form found at ibm.com/redbooks Send your comments in an Internet note to xiii

16 xiv IBM WebSphere Host On-Demand: Version 5 Enhancements

17 Chapter 1. Introduction Host On-Demand integrates the traditional world of mainframe and mini-computers with the new network-computing world of browsers, thin clients and the Internet. Written almost entirely in Java, it is primarily server based, and downloads its applets to clients, such as browsers on demand, although it can also be installed as a stand-alone client. Host On-Demand uses standard Internet-related protocols including TCP/IP, HTTP, Telnet 3270 and 5250 and SSL. Support for TN3270E, TN5250, VT52/100/220 and IBM CICS Java Gateway access provides a single interface to key host data. Because Host On-Demand is Java-based, its interface has the same look-and-feel across various types of operating environments. Host On-Demand also provides a default graphical user interface (GUI) to simplify the experience for users who are unfamiliar with a traditional emulator. Java Applet Web Browser Screen Customizer 3270 Emulation 5250 Emulation VT Emulation Database On-Demand CICS Gateway TN Server Applet Download Host On-Demand CICS IMS VM TSO AS/400 S / AIX DB2 AS/400 CICS Transaction Gateway Figure 1. Host On-Demand overview Host On-Demand allows secure connections. By using Secure Sockets Layer (SSL) Version 3.0, Host On-Demand extends host data access across intranets, extranets, and the Internet in a secure manner. Mobile workers access a secure Web site, receive authentication and establish communication with a secure enterprise host. With client and server certificate support, Host On-Demand can present a digital certificate (X.509, Version 3) to the Telnet server, such as IBM Communications Server for NT Version 6, or IBM Communication Server for OS/390 Version 2.6, for Copyright IBM Corp

18 authentication. Host On-Demand can also integrate the SSL client authentication with IBM Vault Registry. This allows you to benefit from industry-standard public key infrastructure (PKI). Users request a certificate from IBM Vault Registry, which manages, maintains and ensures certificate validity. Database On-Demand is included with Host On-Demand to provide access to DB2 information stored on AS/400 computers using a Java Database Connectivity (JDBC) driver. Database On-Demand is a Java applet that allows you to perform Structured Query Language (SQL) requests to AS/400 databases through a JDBC driver. Host On-Demand is multilingual and is available in 22 languages, including double-byte character set languages. Support for the European currency symbol, as well as keyboard and code page support for many more languages such as Arabic, Hebrew and Thai are also provided. All language versions are available on the same media, and multiple language versions can be accessed concurrently. An alternative to the traditional host-session green screen is provided by the IBM Screen Customizer default graphical user interface (GUI), which is included in the Host On-Demand clients, interpreting the host data stream that Host On-Demand sends and provides a default graphical presentation of the host screen. A separate product, IBM Screen Customizer, provides the ability to create customized GUIs for host screens. 1.1 Version 4 features The functions and features that Host On-Demand provides have been increased steadily with each new version so that it is now a very powerful terminal emulator and database-access utility, all implemented in Java and downloadable through a standard Web browser. Here is a summary of the main features through Version 4: 3270 and 5250 host printer emulation Database On-Demand for database query 3270 and OS/400 file transfer with MVS, VM, and CICS Keyboard remap Color remap Copy, cut and paste 2 IBM WebSphere Host On-Demand: Version 5 Enhancements

19 Print screen Macro record/play, with prompts and waits and a powerful editor Session security, through the Secure Sockets Layer (SSL) protocol Support for firewalls Server-based management of user configurations Usage (license) management Telnet redirection Host Access Class Library for development of network-computing applications Host Access Beans for Java for application development Translation into 20 languages, with keyboard and code page support for 20 more, including Arabic, Hebrew and Thai Comprehensive problem-determination capability Up to 26 sessions allowed per client Several clients that can be used according to circumstances Locally installed client on Windows machines The ability to use LDAP directories to store user, group and session definitions The ability to use IBM License Use Management servers for license management Service Location Protocol (SLP) for load balancing of Telnet sessions Client authentication Import/export of Host On-Demand sessions to make distribution of sessions and session attributes easier and to provide migration of Personal Communications sessions to IBM WebSphere Host On-Demand 3270 host graphics Host Access ActiveX controls, based on the Host Access Beans HLLAPI - HACL bridge so that HLLAPI applications of any kind can be used with Host On-Demand without alteration (requires installation of client code from Open Host Interface Objects (OHIO) support; this is intended to be a standard interface, based on HACL Chapter 1. Introduction 3

20 Linux support: Red Hat 1.2 Version 5 enhancements Many new functions, features and enhancements have been added to Version 5 to improve the serviceability, usability and functionality: Improved cached client Automatic installation on AIX Deployment Wizard Express logon Disable functions to end users AS/400 file transfer and Database On-Demand proxy and enhanced SSL support Native authentication Improved enhancements to keyboard remapping Customizable Service Manager port Configuration servlet Telnet-negotiated security (Telnet server support of TLS-based Telnet security) Multiple session icon Blink attribute support and color remap improvements Code page enhancements Hindi enablement Java 2 platform support Host On-Demand toolkit package ENPTUI support HLLAPI - HACL bridge updated for Version 5 so that HLLAPI applications of any kind can be used with Host On-Demand, without alteration (requires installation of client code from: Improved cached client A newly restructured cached client reduces download time both on the initial download and on upgrades. As in previous releases, the Version 5 cached 4 IBM WebSphere Host On-Demand: Version 5 Enhancements

21 client checks with the server every time it is invoked and checks to see if any cached client components on the server are newer than those in your browser's cache. The change for Version 5 is that the new code will be downloaded only when the function is required, and you will be able to continue to use your current version of the cached client while downloading the newer components. For more information regarding the cached client, refer to Chapter 4, Client changes on page Automatic installation on AIX A graphical interface is provided for installation similar to the one used by the Windows platform. In addition, the ability to automatically install IBM WebSphere Host On-Demand through an ASCII control file in silent mode is provided. For more information regarding installing on AIX, refer to 3.2, AIX on page Deployment Wizard The Deployment Wizard is a new interactive graphical tool that creates and customizes HTML pages for launching client sessions. This wizard runs only on Windows 95, 98, 2000 or Windows NT platforms. It can be installed and run directly on the server, or run from the Host On-Demand CD-ROM on one of the client platforms. You can use the wizard to specify whether the user must log in to obtain session configuration information or if it supplied in the HTML, which components should be pre-loaded, whether to use a cached, download or debug applet, and many more options. For more information regarding the Deployment Wizard, refer to in Chapter 6, Deployment Wizard on page Express logon Provides an easy host log on process by allowing a user to log on without having to enter a user ID and password. One advantage of using this function is that it reduces the time spent by a Host On-Demand administrator maintaining host user IDs and passwords. It also reduces the number of user IDs and passwords that users have to remember. To use express logon, the session must be configured for SSL and client authentication and the SSL connection must be made to one of the supported TN3270 servers. For more information regarding express logon, refer to Chapter 9, Express logon on page 167 or , Express logon on page Disabling functions Allows the administrator to enable or disable functions available within a session. These functions include send and receive files, remap keys, remap Chapter 1. Introduction 5

22 colors, and import, export, add, delete or modify a session, any function available from the menu or toolbar. Access to functions is determined by user and group membership. For more information regarding this functionality, refer to Chapter 5, Administration on page AS/400 proxy server AS/400 proxy server support allows both Database On-Demand and file transfer to use the same port through a firewall (default of 3470), so only one port needs to be opened on the firewall. Enhanced SSL support enables both file transfer and Database On-Demand to provide secure connections by encrypting the data exchanged between the host and client, and by using server authentication. For more information regarding AS/400 enhancements, refer to Chapter 12, AS/400 on page Native authentication Native authentication enables users to log on to Host On-Demand using the same password they use when logging on to Windows NT, 2000, AIX or OS/390. User authentication is performed by the operating system and not the server. If you already have users whose user IDs and passwords are defined on Host On-Demand, you can install the native platform authentication service, and choose to use either Host On-Demand server authentication or native authentication for each user. For more information regarding native authentication, refer to 5.5, Native platform authentication on page 95 or in the Host On-Demand online help Keyboard remap The keyboard remap function assigns keys, or key combinations, as shortcuts to functions or applets. For example, you could assign Ctrl+M to execute a menu command, or Alt+A to run an applet. This feature has an improved interface and improved usability. For more information about the keyboard remap function refer to 4.5, Keyboard remapping on page 60 or remapping keyboards in the Host On-Demand online help Host print enhancements Host print allows you to associate a host print session PDT (3270) or MODEL (5250) with a printer accessible to a Host On-Demand Windows client. A new interface allows the user or administrator to choose an appropriate local printer for the current environment and have the associated PDT or MODEL automatically assigned. This improves the usability of the function, reduces opportunity for error, and reduces the workload for the administrator. For more information, refer to Chapter 11, Print enhancements on page IBM WebSphere Host On-Demand: Version 5 Enhancements

23 Service Manager port The Host On-Demand Service Manager now uses a single customizable port for all user authentication and session configuration data. During the Windows NT, 2000 and the AIX graphical installation, you are prompted to set this port (the default port is 8999). The installation process on other platforms sets this port automatically to the default port. On all platforms this port can be changed after installation Configuration servlet A configuration servlet was added to allow clients to exchange user authentication and session configuration data over an HTTP(S) connection instead of using the Service Manager directly. This eliminates the need to open the Service Manager port on the firewall and provides the potential to encrypt all configuration information as it moves from the Web server to the client. For more information regarding configuring the configuration servlet, refer to Chapter 8, Configuration servlet on page Telnet-negotiated security (TLS-based) Telnet-negotiated security is a technique that allows a client to contact the 3270 Telnet server on a non-secure port and then negotiate the secure connection. The Telnet server must support TLS-based Telnet security, and support is provided only for Host On-Demand 3270 display and printer sessions. At the time this book was written, Communications Server/390 Version 2 Release 10 was the only Telnet server that supported TLS-based Telnet security. For more information regarding Telnet-negotiated security, refer to , Telnet-negotiated security on page Multiple session icon The multiple session icon is a new session icon that represents a collection of existing session definitions. The multiple session icon, when started, will automatically start all the sessions contained therein. For example, you can create a multiple session icon that contains both a 5250 emulator session and a 5250 host print session definition. When this multisession icon is started both the 5250 display and 5250 host print session will automatically be started. For more information regarding multiple session icons, refer to 5.3.2, Configuring sessions on page Blink attribute support and color remap improvements The color remap improvements allow colors to be mapped based on screen attributes rather than screen colors. For example, you can map normal, unprotected fields from red to blue, instead of mapping all red regions of the Chapter 1. Introduction 7

24 screen to blue. Support has also been added for the field blink capability of 3270, 5250 and host VT sessions. For more information regarding these functions, refer to Chapter 4, Client changes on page Session menu enhancements Session menu enhancements redefine the session menus so that they are consistent with the IBM Personal Communications Manager menu structure and more compatible with the Windows environment, specifically focusing on consistent terminology and layout. Keyboard accessibility for the menu items is enhanced by adding shortcut keys for commonly used functions. refer to also Chapter 4, Client Changes on page Code page enhancements Host On-Demand adds eleven new code pages that include the Euro currency symbol, and modifies four existing code pages to include the Euro currency symbol. refer to the enhancements in , National language support on page Hindi enablement Host On-Demand now provides Hindi support to 3270 and 5250 emulation sessions. Support includes mapping characters to the keyboard, display, file transfer and printing. Hindi support does not include messages and menus. Refer to , National language support on page 10 for additional information Java 2 platform support Java 2 compatibility is provided for Host On-Demand's Java Beans and Host Access Class Library. Currently, neither Microsoft Internet Explorer nor Netscape browsers support Java 2 Platform. In addition, License Use Management (LUM) support is not available in a Java 2 environment. Refer to , Toolkit update on page 10 or Chapter 13, Java 1.2 compatibility on page 201 for additional information ENPTUI support Support for Enhanced Non-Programmable Terminal User Interface (ENPTUI) for 5250 display sessions has been added in IBM WebSphere Host On-Demand Version 5. ENPTUI is the enhancement to the 5250 full-screen menu-driven interface that allows the implementation of options like menu and scroll bars, pop-up windows and selection fields. More information is available in 12.2, ENPTUI support on page IBM WebSphere Host On-Demand: Version 5 Enhancements

25 VT emulation enhancements Host On-Demand Version 5 upgraded the emulator to a full VT220 level of support by adding the following features: Inquiry message (Answer back message) Bell command Horizontal Tab Reverse screen mode Double-width/height and doubled width characters Host defined function key sequence VT Do to keyboard remapper In addition to the features above the following usability features were added: A history window Support for greater than 24 display lines Printer support Refer to , VT terminals on page 80, and 11.2, VT print passthrough on page 194 for details on these features Screen Customizer default GUI The default graphical user interface is enabled by a setting on the panel for a Host On-Demand session. This screen cannot be customized beyond minor changes to fonts, colors, tab key control, and other attributes that are likewise able to be customized in the administrator facility. The Host On-Demand Version 5 default GUI provides a tighter integration between base Host On-Demand and default Screen Customizer GUI by providing a common look and feel. The look and feel of the tool bar has been extended and becomes more useful. Some functions slipped from the points of menu to the tool bars, for example send file and receive file, while others are added, for example light-pen mode. Also the menu-points are extended and improve the usage of the default GUI. The status bar is now consistent with IBM Personal Communications Manager 3270 and 5250 sessions. Also refer to Appendix 13, Screen Customizer on page 43 in this guide for more information about this GUI. Chapter 1. Introduction 9

26 National language support The following code pages have been added: 1137 (Hindi 5250 only) 1153 (Latin 2 Euro) 1154 (Cyrillic Euro) 1155 (Turkey Euro) 1156 (Baltic Euro) 1157 (Estonia Euro) 1158 (Cyrillic Ukraine Euro) 1160 (Thai Euro) 1364 (Korea Euro) 1371 (Taiwan Euro) 1390 (Japan Katakana Euro) 1399 (Japan Latin Euro) The following code pages were modified to enable the Euro currency symbol: 420 (Arabic) 424 (Israel) 803 (Israel) 875 (Greece) Toolkit update The Host On-Demand toolkit is now provided on a separate CD with its own installation. The Host On-Demand toolkit CD contains the tools, samples and documentation needed by application programmers to develop Host Access applets and applications. The deliverables that were previously installed under the toolkit subdirectory of Host On-Demand are now packaged and shipped in a toolkit CD-ROM. These deliverables include: ActiveX: ActiveX Control files, ActiveX Bridge code, the JRE used by the ActiveX Bridge Beans: Java Bean samples HACL: Host Access Class Library samples In addition, the associated toolkit documentation (all languages) from the...\host Access Tookit\en\doc subdirectory has also been packaged in the toolkit CD-ROM. This includes: Host Access Beans for Java HTML reference Host Access Class Library HTML reference 10 IBM WebSphere Host On-Demand: Version 5 Enhancements

27 Open Host Interface Objects HTML reference The Host On-Demand toolkit is now packaged and installed separately. The entire toolkit is installed with no option to install a subset of the toolkit. The install program is supported only on Win32 platforms. A Windows Install Manager, modeled after the Host On-Demand Win32 install program, is used. Because the toolkit is now a separately packaged and installed item, the following changes were made: The Host On-Demand Getting Started Guide is modified to indicate that the Host On-Demand toolkit is no longer packaged on the Host On-Demand CD-ROM but is packaged on a separate toolkit CD-ROM. Overview descriptions of the toolkit deliverables are in the Host On-Demand Getting Started Guide, but the user is directed to the new toolkit installation and information document for additional details. ActiveX Controls will no longer be installed during the Host On-Demand install process. The Host Access API documentation will no longer be installed during the Host On-Demand install process. The Java Bean/HACL jars will not be installed during the Host On-Demand install process. 1.3 IBM Screen Customizer Version 2 IBM Screen Customizer Version 2 provides support for a customizable graphical user interface (GUI) for IBM WebSphere Host On-Demand or IBM Personal Communications Manager 3270 and 5250 sessions. An extensible customization capability is provided that does not require programming or modification of host applications. The benefits of the IBM Screen Customizer Version 2 are: Makes the product more extensible Improves serviceability Better integration with Host On-Demand Extends NLS enablement Improves usability and usefulness The following functions and enhancements have been added to Version 2: Global customization enhancements Chapter 1. Introduction 11

28 Customizing screens is easier with the template enhancements. You can control the look and function of many different emulator screens at once by creating templates that can be automatically applied to screens without having to modify each screen individually. Simplified screen capture process The Administrator toolbar makes the process of capturing and customizing screens quick and easy. The toolbar buttons provide quick access to the functions you use every day when working with screens. There are buttons to capture a screen, start the Studio, and work with screen IDs. Web link button improvements - Flyover support that allows you to change the text to a different color as the mouse passes over the button. Settings can be saved for each individual Web link. - Link styles (underline vs. normal). - Transparency so that background shows through and no button is visible. Light-pen support Use your mouse as a light-pen pointer when accessing host applications that require a light-pen. Light-pen fields can be displayed as check boxes or buttons, depending on the type of field. Additional language support Support has been added for the following languages: - Portuguese - Hindi - Thai AS/400 subfiles AS/400 subfiles are automatically converted into multi-column tables with button hotspots that send the appropriate commands for manipulating objects in the subfile list. Auto install for AIX Provides a graphical user interface for installing Screen Customizer on AIX. This makes it easy to select installation options and reduces possible installation errors. Screen Customizer API 12 IBM WebSphere Host On-Demand: Version 5 Enhancements

29 The Screen Customizer Custom Component Interface (SCCI) allows you to interact with graphical objects on the screen. You can set properties for graphical interface objects and in some cases the data represented by the object (for example, button caption or choice options). The Screen Customizer API is documented in the SCCI Reference included with the Host On-Demand Host Access toolkit. Screen Customizer bean Use Screen Customizer within your own applications or embedded directly into a Web page. The bean allows rapid application development with full capabilities to display customized screens. The Screen Customizer bean works with the most current Host Access Beans for Java which is documented in the Host Access Beans for Java Reference included with the Host On-Demand Host Access toolkit. Service bundler Provides an easy way to collect the information needed by IBM Service if there is a problem with Screen Customizer. Refer to Chapter 14, Screen Customizer on page 203 more information. Chapter 1. Introduction 13

30 14 IBM WebSphere Host On-Demand: Version 5 Enhancements

31 Chapter 2. Planning Planing considerations are fully described in the online Getting Started Guide, but the main requirements are summarized here. You must make decisions about: The platform on which you will install your server(s) Whether you will use download or locally installed clients, or a combination The browser that you will recommend for client workstations Whether you will use the Redirector The need for secure host sessions The use of one or more firewalls These decisions will be easier to make when you have read the rest of this book. 2.1 Packaging The Host On-Demand Multisystem platform package ships with the following CDs: AS/400 AIX and other UNIX - installp for AIX - TAR for Linux, Solaris, and HP-UX Windows, OS/2 and Novell - InstallShield for Windows 2000 and Windows NT/98/95 - ZIP for OS/2, and NetWare Host Access Toolkit A System/390 installation tape is also available as a separate item in one of the following media: tape cartridge - 4 millimeter cartridge Copyright IBM Corp

32 For up-to-date information, go to the Host On-Demand Web site at: To subscribe to the Software Support Bulletin, go to: To obtain software downloads IBM SecureWay Software Internet Service Delivery go to: This site will allow you to download files (fixes, beans and corrective service distributions) via the Web or using an FTP client. The site requires user registration and a product service key for each product that has been purchased. 2.2 Platform support Host On-Demand is multilingual and is available in 22 languages, including double-byte character set languages. Support for the European currency symbol, as well as keyboard and code page support for many more languages such as Arabic, Hebrew and Thai, is also provided. All language versions are available on the same media, and multiple language versions can be accessed concurrently Supported server operating systems A Host On-Demand server can be installed on the following operating systems: - Windows NT 4.0 with SP5 or later and Windows AIX Version V4.2.x or later - OS/2 Warp Version 4 and Warp Server for e-business Novell NetWare Version 4 and Version 5 - Sun Solaris V2.6 and V2.7 - OS/400 Version 4 Release 3 or later - HP-UX V SuSE OS/390 Version 2 Release 5 or later - Caldera V IBM WebSphere Host On-Demand: Version 5 Enhancements

33 - TurboLinux V6.0 - Unixware V7 - Windows Terminal Server Version 4 - Red Hat Linux Version 6 Release 2 or later Notes Host On-Demand Version 5 does not work with the Gnome 1.0 desktop, using the default window manager. You must upgrade to Gnome 1.2 or later and use the new default window manager, SawFish. For updates to this information, refer to the readme file Server disk space requirements These requirements are based on a typical installation and are only estimates. Sizes can vary by operating system and languages installed. Windows NT or Windows MB (English only. Add 4 to 8 MB for each additional language.) AIX (installp image) MB (English only. Add 4 to 8 MB for each additional language. Includes the additional security files.) UNIX (Solaris, HP-UX or Linux) - 84 MB (English only. Add 4 to 8 MB for each additional language.) AS/ MB OS/2 and Novell MB OS/ tracks (recommended for the initial installation plus maintenance) 2.3 Locally installed clients The locally installed client installs to a local disk. The client applet is loaded directly into the default system browser, so there is no download from a server. The most common reason to configure a local client is for users who connect remotely over slow telephone lines, where download time can be an issue and connectivity is unpredictable. You can also use the locally installed client to test host access capabilities without installing the full Host On-Demand product. Chapter 2. Planning 17

34 Host On-Demand locally installed client requires 155 MB of disk space. It can be installed as a client on the following operating systems: Windows 95, Windows 98 and Windows 2000 Windows NT 4.0 with SP3 or later 2.4 Migration from Version 3 or Version 4 Generally speaking, migration will be performed automatically when Host On-Demand Version 5 is installed. Platform-specific exceptions and considerations are discussed below Windows NT and 2000 Server For Windows NT and Windows 2000 server, the prior version should not be removed before installing Version 5. Migration is performed automatically as part of the installation process. If the previous version is removed, the migration utility will not run. Installation will then be completed as if it were a new install. If the private directory still exists it will be incorporated into the new Version 5 installation. Host On-Demand Version 5 provides a migration tool for installation. During migration the installation program will detect if an earlier version of the product is installed and a prompt will ask if this operation should continue. If the response is Yes the Host On-Demand Express Server and Service Manager started tasks will be terminated and the un-installshield will be invoked. All files relating to the installed version will be removed except for information about the user profiles or groups. After this process has completed, the administrator will be prompted with a note suggesting a re-boot at the completion of the installation of the new version. Version 5 migration will continue and the default directory structure will be provided to the installer. The installation program will also detect if a Web server is present. If one or more are detected, installation will provide prompts for making modification to the published directory. (Note: installation will continue if no Web server is found; however, this will require the publish directory to be manually defined after the Web server is installed). If the installer chooses to use the same directory structure, a message indicating the alias is in use will appear. At this point the installer can specify a new one or use the existing one. The installer will then be reminded to stop and start the Web server to pick up the modifications that have been made during the installation. The final page or completion page will allow you to register and/or view the basic configuration. 18 IBM WebSphere Host On-Demand: Version 5 Enhancements

35 When the Finish button is selected, the Host On-Demand Service Manager is restarted and the migration process is complete Considerations If you are running in a high availability environment, there are migration issues that you must take into account. If the workstation is a download or cached client, functionality will continue until the last session is closed. This means that a client at Version 4 or earlier who has an active session will continue to function. When the last active session is terminated, the user will not be allowed to initiate a new session until the client is upgraded to the latest release from the server. The existing browser session must be terminated and restarted, and the user must re-connect to the sever. The Host On-Demand client will detect a new version and will ask if the user wants to upgrade or cancel. The user will not be able to use Host On-Demand until the upgrade is complete. This is true for the users who were not active during the server upgrade as well Other operating systems For all other operating systems, migration is not necessary. All configuration information is saved; however, if you install Host On-Demand Version 5 using a server directory other than the default, you must move the private directory to the new server directory. If you have changed \hostondemand\lib\nsmprop, or changed or created \hostondemand\hod\config.properties on a platform other than Windows NT or Windows 2000, you must back up these files before installation, then restore them after installation. The files will be overwritten during the unzip or untar process on platforms other than Windows Upgrading from Version 3 If you have upgraded from Host On-Demand Version 3, you can continue to use the Version 3 user and group accounts, sessions and preferences, which are held in files in the private subdirectory of the Host On-Demand root directory. The private directory is not removed when you install the new version but you must make sure that it is in the correct place, based upon the following. The default root directory in Version 3 was \ondemand but, for Version 5, it is \hostondemand. If you have installed Version 5 in the original (Version 3) root directory, you need do nothing more. However, if you have installed Version 5 in a different root directory, you must move the private directory to the new root directory. Chapter 2. Planning 19

36 2.4.4 Upgrading from Version 2 If you upgrade from Host On-Demand Version 2, icons for the default sessions from Version 2 are migrated and their icons appear in the Host On-Demand Version 2 group's Configured Sessions window. You can use the sessions without change; however, you might want to take advantage of the new features by modifying the configurations. The Host On-Demand Version 2 group does not have any members at first but you can add them in the usual way. 2.5 Browser support Browsers change from time to time. For the most up-to-date information, refer to the readme file and to the Host On-Demand Web site: Use the following browsers to download the Host On-Demand clients from a remote Host On-Demand server or to run Host On-Demand on a locally installed client: Netscape Navigator 4.6 or 4.7.x (Windows 95/98/NT/2000, UNIX) Netscape Navigator for OS/2 Microsoft Internet Explorer 4.01 with SP1, 5.0 or 5.1 (Windows 95/98/NT/2000). JVM level must be 3165 or higher. Note IBM has recently tested IBM WebSphere Host On-Demand Version 5 with the initial release of Netscape Navigator 6, and found several incompatibilities. The current Java support in Netscape 6 is not consistent with Host On-Demand's requirements. IBM cannot provide support for Host On-Demand running on Netscape 6 on any platform. IBM will continue to work on a solution with the intent of providing Netscape 6 support for Host On-Demand whenever feasible. 2.6 Types of clients Host On-Demand Version 5 provides a variety of types of clients, emulator clients, database clients, administration clients, and utilities. Most of these are available as either a cached client or as a download client. The cached 20 IBM WebSphere Host On-Demand: Version 5 Enhancements

37 client has undergone significant revision. Refer to 4.1, Componentization on page 49 for complete details on the changes made to the cached client Administration client The administration client provides the ability to perform the following administrative functions: Manage users, groups, and sessions Configure, manage and trace the Redirector service Configure Database On-Demand Enable security View trace and message logs Disable functions to end users For more details on the administrative functions refer to Chapter 5, Administration on page 71. The administration client is available in three forms: A download client (HODAdmin.html) This is a standard download client and should not be used when the browser contains any other Host On-Demand cached client. A cached client (HODAdminCached.html) This is a new client introduced in Version 5. It must be used when the browser has installed other Host On-Demand cached clients. A cached debug client (HODAdminCachedDebug.html) This is a new client introduced in Version 5. It is intended to be used for problem-determination purposes Emulator client There are six preconfigured emulator clients: Cached client (HODCached.html) This version of the cached client provides support for all emulator types. The IBM Screen Customizer interface is disabled with this client. Cached client with problem-determination (HODCachedDebug.html) This is the problem-determination version of the cached client, HODCached.html. The IBM Screen Customizer interface is disabled with this client. Download client (HOD.html) Chapter 2. Planning 21

38 This version of the download client provides support for all emulator types. The IBM Screen Customizer interface is disabled with this client. Download client with problem-determination (HODDebug.html) This is the debug version of the download version of the client, HOD.html. The IBM Screen Customizer interface is disabled with this client. Download client with Screen Customizer Interface (HODCustom.html) This preconfigured client provides support for all emulator types and the IBM Screen Customizer interface has been enabled. Function On-Demand (HODThin.html) This client is much smaller than the other clients, because initially only the basic functions for all emulator types is loaded. Other functions, such as file transfer, keyboard remapping, macro record and playback, will be downloaded as required Database clients The database client lets you make Structured Query Language (SQL) requests to AS/400 databases through a Java database connectivity (JDBC) driver. You have the ability to save the results of your requests and use them in other applications, such as a spreadsheet. The database client now comes in three versions: Database On-Demand (HODDatabase.html) Database On-Demand client cached (HODDatabaseCached.html) This is a new client introduced to allow coexistence with other clients cached in the browser. Database On-Demand (HODDatabaseCachedDebug.html) This is a new client introduced to allow coexistence with other clients cached in the browser while providing problem-determination capabilities Utilities If you enable the Allow users to create accounts option on the Host On-Demand server, users can load a special applet that will allow them to create accounts for themselves or other users. The purpose of this facility is to remove some of the load from the main administrator by, for example, having department managers or regional sites create accounts for their users. The default HTML file will insert users into the default Host On-Demand group when an account is created. This file can be used as a 22 IBM WebSphere Host On-Demand: Version 5 Enhancements

39 template to create customized applets that will allow user to be inserted into specific groups or combinations. New user client (NewUser.html) This utility allows users to create new accounts on the Host On-Demand server. It requires that the Host On-Demand administrator enable user account creation under the Users/Groups in the Host On-Demand administration window. If the option is enabled you must provide an HTML file through which the accounts can be created. A sample file, NewUser.html, is located in the publish directory (the default is /hostondemand/host On-Demand). You can use the sample file or create customized versions New user client cached (NewUserCached.html) This utility is designed for use in a cached client environment. It is functionally identical to the new user client but is cached on the receiving workstation. New user client with problem-determination (NewUserCachedDebug.html) This utility has the same function as NewUserCached.html, plus it adds problem-determination capability. The other major utility is the remove cache client utility, HODRemove.html. In Host On-Demand Version 4 this utility was used to remove the cached from the Netscape browser after Host On-Demand stopped using Netscape s smartupdate function to manage the persistently cached applications. Users of Internet Explorer continued to use the facilities of Internet Explorer to remove the cached client. With the introduction of Host On-Demand Version 5 and componentization see 4.1, Componentization on page 49, it became necessary to for Host On-Demand to assume management of the cached clients directly. This required all browser to use the HODRemove.html tool to clear cache Download clients A download client is one that is downloaded from the server each time it is used. This type of client performs best when download time is not a factor and connectivity is predictable, such as through a LAN. The advantage of the download client is that, with the download client, is the browser does not need to be stopped and then restarted. Chapter 2. Planning 23

40 2.6.6 Cached client The Host On-Demand cached client has all the functionality of a download client. With the download client the code is downloaded from the server on every invocation of the client. With the cached client the code is stored locally on the client machine only the first time it is referenced. All subsequent invocations will retrieve the code from the local machine instead of the server. In Host On-Demand Version 5 all clients consist of a collection of smaller JAR/CAB files called components to allow for the administrator to create smaller clients, and to provide the ability to update individual components rather than the entire client. This has been called componentization and is more fully documented in 4.1, Componentization on page 49. The componentization of the cached client now allows for a change from Version 4 in the update process of the cached client. In Version 4 an entire client had to be updated even if only one component had changed. This update, depending upon which client it was, could be up to 4 MB in size. Now that the clients are broken into components, only the specific component will be updated, and then only after that component has been referenced. Under most circumstances you can continue to use the current level of the cached client to connect to a host while the newer components are downloading. Refer to 4.2, Smart caching on page 53 for a complete description of this process. Note Once any of the cached clients has been installed you may not subsequently run any download client with that browser without first removing the cached clients using the HODRemove client. See 2.6.4, Utilities on page 22. Running a download client with a cached client loaded will result in inaccurate and unpredictable results Locally installed client As the name of the client implies, it is installed on the client s own disk from the installation CD, see 2.3, Locally installed clients on page 17. This option is available only for Windows 95, Windows 98, Windows NT, and Windows 2000 environments. Refer to 3.1.3, Local installation on page 33 for installation of the local client. 24 IBM WebSphere Host On-Demand: Version 5 Enhancements

41 2.7 Types of users Users may be placed into one of two categories: registered users, those that have user IDs on the Host On-Demand server, or anonymous users, those that do not have user IDs Registered users Registered users enjoy the benefit of obtaining and storing their session definitions and preferences by the Host On-Demand server. Storage of these session definitions and preferences provides for central management and control, allowing for central backup and recovery, and the ability of a user to use any browser on any workstation to log into the Host On-Demand server, obtain the session preferences and establish a host session. The user s account information often consists only of the ID and the sessions for which he is authorized. If a user changes a session configuration or an option within a session, such as a file transfer option, a key or color mapping, or a macro, this data is saved in the Host On-Demand configuration server database Anonymous users An anonymous user is a user who does not log in to the Host On-Demand configuration server to maintain preferences on the Host On-Demand server. The anonymous user is either not allowed to change preferences at all, or is required to save preferences on the local workstation. Saving of preferences on the local workstation removes from the Host On-Demand configuration server the responsibility of managing the user preferences and places the responsibility on the user. 2.8 Security Host On-Demand is primarily a downloaded application that obtains the session configuration information from the Web server. This configuration information consists of an IP address and port to access the host system. If you are using a registered user model you must also have a user ID and optionally a password that will be used to obtain the configuration information from the server. If you are using an anonymous user model, this information is provided as part of the HTML download process. Finally, host systems also require a user ID and password to log on. Unless your Web server is configured for SSL (HTTPS), the login and the transfer of the HTML data is not encrypted, and could be read by a third Chapter 2. Planning 25

42 party. If your users are accessing Host On-Demand and host data from within your intranet, this default security setup might be enough. If you have users on the Internet accessing Host On-Demand and data on your intranet, you may want additional security. You can configure your Web server to use HTTPS so that the data sent to your browser is encrypted. See your Web server documentation for more information about configuring for HTTPS. Once the client is loaded in a browser, it communicates directly with the host. The configuration information the Service Manager sends to the client regarding the sessions, such as IP address, port number, and user preferences, is not encrypted, unless you have implemented the configuration servlet and utilize HTTPS. If the Telnet server supports SSL, the clients can be configured to use SSL also. See your Telnet server's documentation for more information about configuring SSL on the Telnet server, and see security in the Host On-Demand online help for more information about configuring a client to connect to a secure Telnet server. Using Secure Sockets Layer (SSL) with Host On-Demand extends secure host data access across intranets, extranets, and the Internet. Mobile workers can access a secure Web site, receive authentication and establish communication with a secure enterprise host. With client and server certificate support, Host On-Demand can present a digital certificate (X.509, Version 3) to the Telnet server, such as IBM Communications Server for Windows NT Version 6, Communications Server for AIX Version 6 or IBM Communications Server for OS/390 Version 2.6, or later, for authentication. Host On-Demand can also integrate the SSL client authentication with IBM Vault Registry, providing you with the benefit of using industry-standard public key infrastructure (PKI) methods. If your Telnet server does not support SSL, and you are running Host On-Demand on Windows NT, Windows 2000 or AIX, you can configure the Host On-Demand Redirector to provide SSL support. The Redirector acts as a transparent proxy between the client and the Telnet server by using port remapping. It can encrypt data between the client and itself, between itself and the host, or both. Refer to the online documentation for instructions on how to configure the Redirector. 26 IBM WebSphere Host On-Demand: Version 5 Enhancements

43 2.8.1 Configuration servlet If you want session configuration information to be encrypted, you can configure sessions to use the configuration servlet over HTTPS. For more information refer to Chapter 8, Configuration servlet on page TLS-based Telnet security Server authentication If you have a supporting Telnet server you can negotiate SSL sessions for your Host On-Demand 3270 display and printer sessions. Using TLS-based Telnet negotiation the client negotiates the secure Telnet session over the same port used for non-secure sessions. Refer to , Telnet-negotiated security on page 255 for a complete discussion. Encrypting the data exchange between the client and the server does not guarantee the client is communicating with the correct server. To help avoid this danger, you can enable server authentication. Server authentication is a process where the client validates that it is communicating with the correct server before the session may be established. When implementing server authentication, the client must trust the server's certificate before the session will be initiated Client authentication The server may also want to restrict access only to clients that the server trusts. The process of client authentication has the Telnet server requesting a certificate from the client to verify that the client is who it claims to be, and that it is allowed access to the server. Not all servers support client authentication, including the Host On-Demand Redirector. To configure client authentication, you must obtain certificates for clients, send the certificates to the clients, and configure the clients to use client authentication Express logon You can provide users with an easy host logon process by allowing a user to log on utilizing a digital certificate instead of a user ID and password. Using this function reduces the time spent by an administrator maintaining host user IDs and passwords. To use express logon, the session must be configured for SSL and client authentication. Refer to Chapter 9, Express logon on page 167 for further details. Chapter 2. Planning 27

44 2.8.6 Native authentication With native authentication, when a user logs on to Host On-Demand the authentication is done by the operating system on which the Host On-Demand server is installed: Windows NT, AIX, or OS/390. Refer to Chapter 7, Native authentication on page 139 for further details. 2.9 Redirector The Redirector acts as a transparent Telnet proxy that uses port remapping to connect the Host On-Demand server to other Telnet servers. Each defined server can configure a set of local port numbers. Instead of connecting directly to the target Telnet server, a client connects to the Host On-Demand server and port number. The Redirector maps the local port number to the host port number of the target and makes a connection. The Redirector is also capable of supporting SSL security when running on Windows NT and AIX. SSL connections are available between the client and the Redirector, between the Redirector and the Telnet server, and between Redirectors in a cascaded environment. A cascaded environment is one where two or more Redirectors are connected in series. Host On-Demand Client Host On-Demand Server Telnet Server SSL/ non-ssl SSL/ non-ssl Pass-through Redirector Figure 2. Host On-Demand Redirector configuration The Redirector sets security for each local port. Security choices are: Pass-through: data between the client and the host is not altered Client side: encrypts data between the client and the Redirector Host side: encrypts data between the Redirector and the host 28 IBM WebSphere Host On-Demand: Version 5 Enhancements

45 Both: encrypts data between the client and the Redirector and the Redirector and the host. The only change for Version 5 was to modify the Redirector to use the Java Native Interface (JNI) instead of the Native Method Interface (NMI) that previous versions used. While NMI is still supported by Sun's JVMs (including Java 2 SDK, otherwise known as JDK 1.2), NMI is no longer part of the Java Platform standard. Sun recommends migrating programs from NMI to JNI, and states that NMI will not be supported in the future. Chapter 2. Planning 29

46 30 IBM WebSphere Host On-Demand: Version 5 Enhancements

47 Chapter 3. Host On-Demand installation Complete instructions for installing Host On-Demand are given in the online Planning and Installation Guide. This chapter focuses on the installation changes between Host On-Demand Version 4 and Version Windows platforms Minor modifications to the Windows automated graphical installation were made to accommodate the Deployment Wizard. In addition Host On-Demand Version 5 added support for a silent mode installation Automated InstallShield The Windows InstallShield is shown in Figure 3. Notice that the last option, Run Deployment Wizard, is new in Version 5. Figure 3. Host On-Demand Version 5 Windows installation welcome window At the end of product installation you are prompted to specify the port to be used by the Service Manager. The default Service Manager port is 8999, and it is usually a safe port to select. Check your server documentation to see if this port is being used. If it is in use, you can change the port during installation, or you may change it later. For more information about changing Copyright IBM Corp

48 the Service Manager port, see 5.7, Changing the Service Manager s port on page 100. The last phase of the automated installation is the installation of the Host On-Demand configuration servlet support if the installation process detects a supported Web server or Web application server. The documentation shipped states that it will detect the IBM WebSphere Application Server, Lotus Domino Go Web Server or IBM Domino Go Web Server. In our experience the installation did not automatically install the servlet when the IBM WebSphere Application Server was installed. We did not test the other prerequisites. If you have a supported environment and the installation does not automatically perform this setup, then you will have to manually install the Host On-Demand configuration servlet. Refer to the instructions for your Web server or Web application server for instructions on how to do this, or refer to 8.1, Configuring WebSphere Application Server on page 149 for a sample of how to do this for the IBM WebSphere Application server. Installing Host On-Demand Version 5 on Windows 2000 creates no special issues, and installation is the same as for Windows NT Silent mode installation A new silent mode installation is now supported that installs Host On-Demand without displaying any windows or asking for input. All of the input required during an installation is obtained from a text file called a response file. The response file is created by recording an installation. Use the following command to record a response file: setup.exe -r -f1d:\temp\server1.iss To install Host On-Demand in silent mode using the file captured above, use the following command: setup.exe -s -f1d:\temp\server1.iss -f2d:\temp\server1.log A complete list of command line options is in the Getting Started guide. Notes When you install in silent mode, there is no indication that the installation is in progress or that it has completed. A local client cannot be installed silently. 32 IBM WebSphere Host On-Demand: Version 5 Enhancements

49 3.1.3 Local installation It is important to note that InstallShield provides only for the installation of the server, not for a locally installed client. Therefore, to do a local client install you must run the installation from a command prompt using the following command: d:\win32\setup.exe lc where d: is the drive letter of the CD-ROM. 3.2 AIX Host On-Demand Version 5 now supports an automated graphical interface for installation on the AIX platform. To install Host On-Demand on AIX, the following are required: AIX Web server JDK Automated installation The automated installation operates very similarly to the InstallShield provided for the Windows environment. It verifies the presence and version of required products before installation occurs. If a prerequisite is missing the action taken by the Install Manager will depend on the policy setting in the control file. To install the Host On-Demand server on an AIX workstation using the graphical interface, follow the steps below: 1. Mount the CD-ROM drive and insert the CD. 2. Start the installation program by changing to the root directory of the CD, type setupaix.sh and press Enter. 3. Click Install Product. 4. Follow the directions in the installation windows: - The default server directory, determined by the installation program, is /usr/opt/hostondemand. The server directory contains files used only by the server and must not be available to client workstations. - The default publish directory, determined by the installation program, is /usr/opt/hostondemand/hod. The publish directory contains files that must be available to client users who access the server through a browser. Chapter 3. Host On-Demand installation 33

50 - The default Service Manager port is 8999, and it is usually a safe port to select. Check your server documentation to see if this port is being used. If it is in use, you can change the port during the install or later. For more information about changing the Service Manager port, see Changing the Service Manger's configuration port in the online help. - If the installation program detects IBM WebSphere Application Server, Lotus Domino Go Web Server, or IBM Domino Go Web Server installed, you are asked if you want to use the configuration servlet to connect to the configuration server for client configuration information. If you are running Host On-Demand through a firewall, this eliminates the need to open an extra port for the configuration server. Selecting Yes automatically configures the clients to access the configuration server through the configuration servlet. Selecting No configures the clients to access the configuration server directly on port 8999, which was the default configuration for Host On-Demand Version 4. See installing the configuration servlet in this guide for more information. 5. If you have not already done so, read the readme file available in the last window. Click Finish to end the installation. 6. If a message tells you that your Web server was not recognized or was not configured, configure it. If you install a Web server later or your Web server was not recognized by the Install Manager, you must publish the Publish directory to the Web. Refer to the Web server documentation for information on how to publish the directory. 7. Restart the Web server. Note: If you are using WebSphere Application Server with your Web server, you must stop and restart it. 8. Load HODMain.html, located in the /usr/opt/hostondemand/hod directory, into your browser. This page contains links to all the Host On-Demand clients, the readme file, and basic configuration steps for configuring the Host On-Demand server Silent mode installation The silent installation installs Host On-Demand without displaying any windows or asking for input. All of the input required during an installation is obtained from a text file called a response file. The response file is created by recording an installation. When you install in silent mode, there is no indication that installation is in progress or that it is complete. 34 IBM WebSphere Host On-Demand: Version 5 Enhancements

51 Below are sample command lines that will install Host On-Demand on an AIX workstation in silent mode. The silent mode installation installs Host On-Demand in the /usr/opt directory, creates a directory on the server named hostondemand, and defines another directory, HOD, as the publish directory. The result is /usr/opt/hostondemand/hod. The examples assume that you mounted the CD-ROM drive as /cdrom. All commands below must be specified on a single command line. To install in silent mode using the install.script from the CD: /cdrom/instmgr/installaix.sh -p /cdrom/instmgr/aix/install.script To install in silent mode using the install.script from the CD, and record a log file: /cdrom/instmgr/installaix.sh -p /cdrom/instmgr/aix/install.script /tmp/install.log To record a response file: /cdrom/instmgr/installaix.sh -r /tmp/install.script To play back the response: /cdrom/instmgr/installaix.sh -p /tmp/install.script The target system's configuration must be the same as that of the source system (the system on which the response file was created). For example, if the source system has a previous installation of Host On-Demand Version 4, the target system must also have a previous installation of Host On-Demand Version 4. If the source system installed Host On-Demand to a /usr/opt/hostondemand directory, the target system must also have a /usr/opt/hostondemand directory. Since many servers will allow multiple Web servers to reside on the same machine, the source and target systems must have the same number of Web servers, although they do not need to be the same types. 3.3 HP-UX, Linux, and Sun Solaris To install Host On-Demand on Solaris, the following are required: Solaris Web server JDK V1.1.8 To install Host On-Demand on HP-UXX, the following are required: HP Web server JDK V1.1.8 Chapter 3. Host On-Demand installation 35

52 To install Host On-Demand on Linux, the following are required: Linux Web Server JDK V1.1.8 There is no automated GUI controlled installation provided for Host On-Demand for these platforms. The code for these platforms is supplied in the form of two TAR files; when you unpack them, the complete directory structure needed is created. If you have previously installed Host On-Demand and have changed NSMprop or changed or created config.properties, you must back up these files before installation, then restore them after installation. The files are overwritten during the untar process. You must also start the Service Manager. Sample startup scripts are provided in the hostondemand/lib/samples directory. You may have to alter this to suit your environment. If you are migrating from a previous version of Host On-Demand and want to preserve your user configurations and sessions, you must run a migration utility; this is also provided in the hostondemand/lib/samples directory. Note Host On-Demand Version 5 does not work with the Gnome 1.0 desktop, using the default window manager, Enlightenment. You must upgrade to Gnome 1.2 or later and use the new default window manager, SawFish. Obtain the latest JDK for UNIX from one of the following sites: ftp://ftp.hursley.ibm.com/pub/java 3.4 AS/400 The package provided includes an AS/400 installation CD-ROM that contains a licensed program and a utility to manage the Service Manager. The installation process is straightforward and well documented. The English version is always installed, but you can install other languages by specifying an option. The AS/400 has the following requirements. Hardware: MB memory or higher Refer to 36 IBM WebSphere Host On-Demand: Version 5 Enhancements

53 This is the AS/400 Performance Capabilities Reference for additional information about the impact of additional memory and Java performance MB DASD This includes the Host On-Demand server base code and all national language options Software: - OS/400 V4R3 or higher Recent cumulative service is recommended. See also: AS/400 Fixes, Downloads and Updates web page: - Any of the following AS/400 HTTP servers will work: 5769DG1, 5769NCE, 5769NC1, or 5769LNT - The JAVA Developer Kit: 5769JV1 - The AS/400 Java Toolbox: 5769JC1 - The QShell interpreter, 5769SS1 Option 30, is recommended - AS/400 TCP/IP Connectivity Utilities, 5769TC1, installed and configured The result of the installation can be found at /QIBM/ProdData/hostondemand. The directory /QIBM/ProData/hostondemand/HOD contains the HTML documents and other files that need to be published (made available to clients on the network) Configuring the Web server There are two ways to configure the AS/400 Web server: Using the Web browser Using a 5250 command line The Planning and Installation Guide describes the second method, so we will describe how to use the Web browser interface to configure the IBM HTTP Server for V4R4. The user interface for V4R3 is slightly different, but the concepts are the same. The Web browser must be capable of: Frames Chapter 3. Host On-Demand installation 37

54 Running JavaScript The steps to configure a Web server for Host On-Demand are: Select the configuration to configure. Enable HTTP GET and POST operations. Publish the directory in which the Host On-Demand HTML documents reside. Restart the server instance so that the changes take effect. To configure the HTTP Server, connect to where mysystem is the TCP/IP name or address for the AS/400. This brings up the AS/400 Tasks window, as shown in Figure 4. Click IBM HTTP Server for AS/400. Figure 4. AS/400 Tasks window 38 IBM WebSphere Host On-Demand: Version 5 Enhancements

55 The HTTP Server configuration window is shown in Figure 5. Click Configuration and Administration. Figure 5. HTTP Server Main window Select configuration To select the configuration to configure, click Configurations in the Configuration and Administration window; the result is shown in Figure 6. Select the configuration to configure; the default is called CONFIG. Chapter 3. Host On-Demand installation 39

56 Figure 6. Configuration and Administration window Enable HTTP Get and Post The next step is to make sure that the server will allow HTTP Get and Post methods, which browsers use to retrieve Web pages and Java applets from the Web server. To enable Get and Post methods, click Request Processing and then Methods in the left-hand frame. This brings up the window shown in Figure 7. Make sure to check the boxes for Get and Post, then click Apply at the bottom of the frame. 40 IBM WebSphere Host On-Demand: Version 5 Enhancements

57 Figure 7. Configuring GET and POST methods Publish the Host On-Demand directory Next, you must publish the documents in the Host On-Demand directory by clicking Request Processing and then Request routing in the left-hand frame. The result is shown in Figure 8. Chapter 3. Host On-Demand installation 41

58 Figure 8. Configuring AS/400 Pass statements The current routing entries are listed in the table; you must create a new entry to publish the Host On-Demand pages. To create a new entry: Specify where the entry should be added by selecting an index number from the pull-down list, then click the appropriate button to specify whether the new entry should be inserted before or after it. Select Pass from the list of actions. In the field labeled URL template, enter /hod/* In the field labeled Replacement file path, enter /QIBM/ProdData/hostondemand/HOD/* Click Apply at the bottom of the window. 42 IBM WebSphere Host On-Demand: Version 5 Enhancements

59 The result of this action is that the Web server will replace /hod in the URL with /QIBM/ProdData/hostondemand/HOD; for example, the URL would result in the HTTP Server s looking for the file HODMain.html in the directory /QIBM/ProdData/hostondemand/HOD on the AS/400 named mysystem. The required Pass statement is shown in Figure 9. Figure 9. AS/400 Pass (Routing) statement The order of the entries is important. For instance, if an earlier entry specified /* to be /mydirectory, the URL would result in the HTTP server s looking for the file HODMain.html in /mydirectory/hod. To get the desired behavior, the statement that defined /hod/* needs to be before the statement that defined /*. Chapter 3. Host On-Demand installation 43

60 Restarting the server instance To have the changes take effect, the appropriate instance of the Web server needs to be stopped and restarted. The server is capable of running multiple instances concurrently, each listening on a separate port. The server configuration is handled by an instance listening on port 2001 (remember that you specified the URL as but the default instance listens on port 80 and is used in most cases. We will use the default instance in this example. 1. In the left-hand frame, click Server Instance -> Work with server instances. The result is shown in Figure Select the instance to work with, in this case DEFAULT. 3. Click Restart to stop and restart the instance. Figure 10. Stopping and restarting the AS/400 HTTP server instance 44 IBM WebSphere Host On-Demand: Version 5 Enhancements

61 3.4.2 Uninstalling Host On-Demand The following instructions are to be used if you would wish to completely uninstall Host On-Demand. 1. Sign on to the AS/400 with a security officer user profile (like QSECOFR). 2. Type the following command to shut down the Service Manager: ENDHODSV 3. Type the following command to delete the licensed product (this process may take a few minutes): DLTLICPGM LICPGM(5648D70) 4. Some of the /QIBM/ProdData/ hostondemand/private directory objects will not removed because they may contain user data. 5. The QUSRSYS/QHODCFGD *DTAARA object will also not be removed by the uninstall process Installing the AS/400 Toolbox for Java The AS/400 Toolbox for Java is a set of Java classes that enable you to write client/server applications and applets that work with data residing on your AS/400. You can also run such applications on the AS/400 Java Virtual Machine (JVM). The Toolbox uses AS/400 servers as access points to the system. Each server runs as a separate job on the AS/400, and each job sends and receives data streams on a socket connection. The access classes provide low-level access to the following AS/400 resources: Databases via a JDBC driver or record-level access Integrated File System Programs Commands Data queues Print Digital certificates Jobs Message queues Users and groups User spaces Graphical programming interfaces are available for: Chapter 3. Host On-Demand installation 45

62 Databases (both JDBC and record-level access) Command call Data queues Integrated File system Jobs Message queues Print Program call Users and groups The following files are located on the Toolbox CD (not the AS/400 CD): jt400_all.zip contains jt400.zip, jt400.jar, utilities files, and help and message files jt400_doc_en.zip contains the Programmer's Guide in English jt400_doc_ja.zip contains the Programmer's Guide in Japanese jt400_doc_ko.zip contains the Programmer's Guide in Korean jt400_doc_zh.zip contains the Programmer's Guide in Simplified Chinese (PRC) jt400_doc_es.zip contains the Programmer's Guide in Spanish jt400_doc_zh_tw.zip contains the Programmer's Guide in Traditional Chinese To install the AS/400 Toolbox for Java on your workstation, unzip the appropriate files. For example, if you want to install the code and the English version of the Programmer s Guide, unzip jt400_all.zip and jt400_doc_en.zip. Note: You must use a utility that supports long filenames. For additional information on the Toolbox refer to: OS/2 and NetWare The following are required to install Host On-Demand on an OS/2 server: Hard disk configured for HPFS OS/2 Web server, such as Lotus Domino Go Web Server for OS/2 OS/2 Java Development Kit V1.1.8 or later. You can obtain the latest JVM level from one of the following sites: 46 IBM WebSphere Host On-Demand: Version 5 Enhancements

63 ftp://ftp.hursley.ibm.com/pub/java/ The following are required to install Host On-Demand on a Novell server: Novell NetWare 4.x Novell Web Server Novell Java Development Kit V1.1.8 or later. To obtain the Novell JDK, go to The JDK must be configured for long file name support. The code for these platforms is supplied in the form of two ZIP files; when you unpack them, they create the complete directory structure that is needed. You must also start the Service Manager. For OS/2 and NetWare, a utility is provided in the hostondemand/lib/samples directory; you may have to alter this to suit your environment. If you are migrating from previous version of Host On-Demand and want to preserve your user configurations and sessions, you must run a migration utility; this is also provided in the hostondemand/lib/samples directory. 3.6 System/390 For instructions about installing Host On-Demand on OS/390, refer to the program directory supplied with the OS/390 Program Product. A current program directory is maintained on the IBM Internet site and is found on the following page: Chapter 3. Host On-Demand installation 47

64 48 IBM WebSphere Host On-Demand: Version 5 Enhancements

65 Chapter 4. Client changes This chapter discusses the dramatic changes that the IBM WebSphere Host On-Demand Version 5 client has undergone. 4.1 Componentization The Host On-Demand cached client has been identified as the overwhelmingly preferred Host On-Demand client. In Host On-Demand Version 4, the cached client needed to include all the class files that could possibly be used by all four emulator types and all functional components, such as Macro recording and playback, ColorRemap, and all possible code pages. This produced a very large archive file of class files, many of which would probably never be used. Downloading these files, although done only when the files change, creates a response time problem for users on slower speed lines as well as a network utilization problem. The cleanest way to resolve these concerns was to break each function into its own archive file, then a smaller client could be built that contained only the functions required by the user. This technique is referred to as componentization. Table 1 on page 50 provides a breakdown of JAR /CAB files that are sent to the workstation for a cached client installation. In this table, the base install is represented by the first five JAR files (CAB files if using Internet Explorer). These files are common across all client emulators and represent the minimum cache install available. No functional client has been installed at this point. The lower portion of Table 1 includes files that are required for specific emulation requirements such as 3270 display. By selecting a specific column, such as 3270 display, a list of required files and sizes may be obtained. The administrator can calculate the approximate size of the cached client and estimate installation time for a new installation or code updates. Copyright IBM Corp

66 Table 1. Required class files by client Class File Name Common File Size 3270 Display 5250 Display 3287 Printer 5250 Printer VT100 / 220 Display CICS Gateway ha_en.jar 133 KB X X X X X X habasen.jar 391 KB X X X X X X hacp.jar 32 KB X X X X X X hodbasen.jar 315 KB X X X X X X hodimg.jar 67 KB X X X X X X ha3270n.jar 48 KB hafntap.jar 89 KB X X hafntib.jar 103 KB X X ha5250n.jar 60 KB haprintn.jar 142 KB X X X havtn.jar 47 KB hacicsn.jar 80 KB ha3270n.jar ha3270pn.jar 48 KB 60 KB ha5250n.jar ha5250pn.jar 60 KB 16 KB Note: These names and their sizes are valid for the initial release of Host On-Demand Version 5 Toolkit and will change in future releases. 50 IBM WebSphere Host On-Demand: Version 5 Enhancements

67 Table 2 shows additional JAR /CAB files that are required for specific customization or functionality issues. These files may be cached on the initial installation of the client, or they may be downloaded only when required. Table 2. Shared class files by function Function File name Size Session Configuration hodcfgn.jar 74 KB Keyboard cfg. hakeympn.jar 24 KB Color cfg. hacolorn.jar 42 KB Keypad cfg hakeypdn.jar 9 KB Macro hamacrtn.jar hamacum.jar hodmacn.jar 153 KB 197 KB 9 KB Applett hodappln.jar 6 KB Security hassln.jar hodssln.jar 69 KB 45 KB SLP haslpn.jar 34 KB TLS Secure Socket Layer Support SSL Client Auth. Support hamacrtn.jar hamacuin.jar hassln.jar hacltaun.jar hassln.jar hodssln.jar 197 KB 315 KB 69 KB 505 KB 69 KB 45 KB Show Certs hacltaun.jar 505 KB Screen Customizer sccbase.jar 769 KB HLLAPI hodhlln.jar 13 KB Chapter 4. Client changes 51

68 Vector Graphics hahostgn.jar 144 KB Upload / Download hamacrtn.jar haxfern.jar hodcfgn.jar ha3270xn.jar ha5250xn.jar 153 KB 124 KB 74 KB 16 KB 1061 KB Note: These names and their sizes are valid for the initial release of Host On-Demand Version 5 Toolkit and will change in future releases. Take the keyboard remap function as an example. Keyboard remapping is supported by the hakeympn.jar file. Though relatively small in size, 24 KB, it would normally be sent to each client on the initial deployment of the client. The alternative would be to deploy the file only upon demand, when the user requests a keyboard remapping. This reduces the size of the client at its initial deployment. Careful consideration should be made prior to deployment. For example, if the deployment is a cached client and requires keyboard remap and host graphics capability, deployment could be accomplished in several ways: After the workstation has been loaded with the base 3270 install, the user would then attempt to modify the keyboard. A notification will alert the user of a pending install. At the completion of the install, all instances of the browser will be required to be stopped and restarted to complete the process. This same process will occur if the user attempts to install the host graphics files as well. Starting and stopping the browser can become very time consuming for the user. Another approach would be to include the commonly required functions that a majority of the users require, such as keyboard remap. With additional work, a central HTML page could be created with several different configurations, one with the minimum requirements and several with additional features added for the initial install. This option allows flexibility for different organizations requiring different configurations without custom tailoring for specific groups. Additional information may be obtained about building custom Java programs using Host Access Beans by referring to the \Host Access Toolkit/en/doc/beans/TJB00M15.html file. When building Java applets for use with Host Access Class Library refer to \Host Access Toolkit/en/doc/hacl/DWYL0M15.html file. These pages include a cross reference of release names with associated debug names of the JAR 52 IBM WebSphere Host On-Demand: Version 5 Enhancements

69 files and their functions. It also includes dependencies of each function and if support is included in the habeans.jar file. 4.2 Smart caching Through the use of componentization, Host On-Demand was able to implement smart caching. This is the ability to cache and upgrade individual components of the client, even components that were not included in the initial loading of the client. A side benefit is the ability to create a smaller client footprint for network distribution that includes only basic functionality for downloading to the workstation, and incrementally adding only those functions that the user actually uses rather than all the functions that the user may use. In Table 1 on page 50 and Table 2 on page 51, you can see the basic components that are required to have a functional Host On-Demand client. The remainder of the associated JAR/CAB files are downloaded and maintained in permanent cache only when the user requests a function requiring that function, for example file transfer. This configuration or packaging of required components is accomplished with the use of the Deployment Wizard. Refer to Chapter 6, Deployment Wizard on page 105, for details. Several independent configurations can be created to satisfy specific client requirements within a large diverse environment. For example, several organizations require keyboard remapping and file transfer capabilities. Instead of shipping the necessary JAR file to everyone, a specific HTML page is created for their unique requirements reducing the installation time and network contention. Other advantages include controlling specific configuration of the clients capabilities. This may be necessary if the workstation is a shared device or security may be an issue. 4.3 Color remapping Each host screen is made up of fields with attributes and elements. Elements are simply a way to group fields that share the same attributes. When you remap a color, all the fields that share those same attributes throughout your host applications will also remap to the new color. If you are not familiar with field elements and attributes, you may be surprised to see that other fields throughout your host applications will be remapped to the same color. In addition you may find other fields that were the original color will not be changed. These fields do not contain the same attributes so they are different elements. Chapter 4. Client changes 53

70 4.3.1 V3270 and 5250 elements Table 3 below shows 3270 and 5250 elements that may be changed. Table and 5250 attributes to color map Base attributes Extended attributes Field color attributes Normal, unprotected Blue Green Intensified, unprotected Green White Normal, protected Pink Red Intensified, protected Red Turquoise Turquoise White Yellow Default intensified Pink Blue Yellow Status indicators VT elements The attributes for VT systems are different from that of 3270 or 5250 systems. The base attributes include formatting attributes, such as reverse, underline, and bold, when the session is in base color mode. The extended attributes define the color selections of the ASCII machine mode. Table 4 below shows 3270 and5250 elements that may be changed. Table 4. Map VT and OIA colors VT/ , 5250 and VT OIA Base Color ANSI Attributes Status Indicators Normal Blue Information Indicators Bold Green Attention Indicators History Normal Pink Error Indicators History Bold Red OIA Background Turquoise White Yellow 54 IBM WebSphere Host On-Demand: Version 5 Enhancements

71 4.3.3 Operator information area elements The OIA color refers to the operator information area (OIA) on the bottom row of the host session window; see Figure 18 on page 66. There are several status indicators that may appear in this area. These colors may be modified for each OIA attribute but are the same for each session type. The OIA area cannot be modified by using the mouse pointer and selecting an area. It requires the modification to be accomplished by utilizing the Advanced tab feature in color remapping. Select OIA Color category followed by the specific element to be modified. Colors can be selected on the color bar and all status changes will be effective immediately except for the error status. If the session is currently in an error state, a refresh of the screen will invoke the current modifications. Status indicators (readiness, system connection, shift and modes, and insert mode) inform you of the current terminal status. Information indicators (system lock and wait, which is the clock symbol) appear infrequently and do not require any particular action from you. Attention indicators (machine check, communication check, and program check) indicate unpredictable situations that occur from time to time in response to operator or system actions. Error indicators (what?, wrong place, too much data, numeric data only, what number?, minus function, operator not authorized, minus symbol, and rejected message) indicate conditions that the system regards as erroneous and occur whenever a given action has been made in a given circumstance. Refer to Table 5 on page 67 for a description of the fields of the operator information area Modifying screen colors There are two ways in which to access the color mapping facility for Host On-Demand. In the selection menu click File -> Preferences -> Color. Another route is to select the Setup display color icon from the tool bar. The first configuration screen that is presented allows modification to the basic color function such as background or foreground. By selecting the Advanced button, the category/elements are displayed. This allows modification to the base attributes, extended background and operator information area color as shown in Figure 11 on page 56. Chapter 4. Client changes 55

72 Figure 11. Color remap panels Note The color bars are not sliders. You must position the mouse on the appropriate color then select it, and the indicator bar will relocate to that selection. You may also select Foreground/Background color and input values between to make the same changes. 4.4 Blink attribute There are only two places where blink may be enabled: the cursor, and any field where the blink attribute is set. Blink support in Host On-Demand has been implemented to be consistent with Personal Communications Manager. In Personal Communications Manager the blink user interface is bundled with 56 IBM WebSphere Host On-Demand: Version 5 Enhancements

73 the color remap user interface; however, in Host On-Demand Version 5 the blink user interface is separate from color remap user interface. The blink remap facilities are located by selecting File -> Preferences -> Display (see Figure 12). Figure 12. Accessing the display blink panel The resulting panel, shown in Figure 13, will allow modifications to specific blink color attribute functions. Chapter 4. Client changes 57

74 Figure 13. Blink attribute panel description If you select Host Color (default) the original host color will be used and the the blink attribute will be ignored. If Blinking Text is selected, all text with the blinking attribute enabled will be displayed blinking on this session screen. The selection of Mapped color allows the user to substitute a changed background color for the blink attribute, thus allowing attention to be drawn to the displayed data field without having the text blinking (see Figure 14 on page 59). 58 IBM WebSphere Host On-Demand: Version 5 Enhancements

75 Figure 14. Remapped host colors By checking the box Allow blinking cursor shown in Figure 13, you can set the cursor to blink for this session only. Since each of these sessions maintains its unique preferences, it will be necessary to modify each individually. The exception is if the original session icon is modified prior to new sessions icons being created, then the changes will follow. The alternate cursor block is controlled at the client session level from the keyboard layout menu under Key Assignments. A key must be assigned to this host function prior to the modification of the cursor style from underscore to block. This allows the user to toggle between cursor block or underscore. An alternative way to modify the cursor is to invoke session properties on the session icon HTMLpage. Select the Screen tab and use the Cursor Style radio button to select the appropriate style. This does not require a key to be Chapter 4. Client changes 59

76 remapped and the client will not have the ability to toggle between cursor styles. By utilizing the Deployment Wizard the administrator has the ability to invoke these features prior to deployment as well. please refer to Chapter 6, Deployment Wizard on page 105 for details on using the Deployment Wizard. 4.5 Keyboard remapping The keyboard remapping function in Version 5 has been enhanced from Version 4. It now provides the ability to display keyboard assignments on a per key basis Assigning key functions There are two routes to invoke the keyboard remapper from a client session. You can click the Remap button if the toolbar is displayed, or use the menu selection and choose Edit -> Preferences -> Keyboard. A keyboard remap menu will appear with two tabs, Key Assignment and Key Repetition. The Category selection box contains three options: Menu Commands, Host Functions and Characters. Refer to Figure 15. Figure 15. Keyboard display panels 60 IBM WebSphere Host On-Demand: Version 5 Enhancements

77 To make a key assignment, simply highlight the menu command, host function or character you wish to modify or assign. Then click the Assign a Key tab and then select the key you wish to remap. If a key currently has a function mapped to it, a warning prompt will be displayed asking if you want to reassign the key. You can also assign key combinations such as Ctrl, Alt and Shift keys to a function. For example, Ctrl+Alt+1 or Shift+P. After you have made your changes, click the Apply button and then click OK and the menu will close. Your key function will be immediately available for you. If the administrator has not allowed the user to save preferences, these changes will be lost when the session window is closed. The keyboard remap function acts independently for each session that is configured. It is recommended that the keyboard remap function be applied to the original session icon, since this allows all client sessions to have the same keyboard map applied to them Key repetition This allows the user to modify selected keys to be non-repeatable if they are held down continuously. The actual keystroke is entered into the data field after the keystroke is released for a non repeat character. To activate this function using the keyboard remapper, select the Key Repetition tab. Then select the keystroke you wish to make non-repeating. All key s except for the Shift, Alt and Ctrl key sequences are available to assign as non-repeatable Macro key assignment When defining assigning a key sequence to invoke a macro, the macro must be created and saved prior to assigning it to a key sequence. After the initial macro has been created, an additional macro field will appear in the Category menu. Select Macro, and a new window will appear as shown in Figure 16. Highlight the specific macro to assign to a keystroke sequence, then select the keystroke or combination of keys you wish to have it mapped to. Select Apply and then OK and the operation is complete. Use the utility to remove macros from assigned keystrokes or delete the macro and the key will be re-assigned to its default. Chapter 4. Client changes 61

78 Figure 16. Assign a macro to a key Searching for key assignment To find out what a specific key or key sequence is assigned to, click the Search for Key button. In the message area a message appears asking for a key or key sequence to be pressed. If a function or command is located, the menu command, host function or character will be highlighted in the left column and the key sequence in the right. If nothing is found, a not defined message will appear in the message area Reset keys to default Two reset functions are available in Version 5. One allows a specific key to reset to the default and the other resets all keys back to the default. The Resetting a key works in the same manner as assigning a key. Click the Reset Key tab, then select the key that requires to be reset to the default. Reset all provides a warning prompt asking if you wish to continue and that all mappings will be reset to their original setting. After completion of either reset options click the Apply button followed by OK to conclude the activity. 62 IBM WebSphere Host On-Demand: Version 5 Enhancements

79 Unassigning keys Using the key assignment menu, select the function, command or character you wish to remove. Then click the Unassign Key button and the associated keystrokes will be removed. To complete the process, click Apply, then click OK. 4.6 Copy and Paste function The copy and paste functionality now includes the following features: Field and word wrap Line wrap Replace tab character with spaces Paste data into fields Control cut, copy, and copy append In Figure 17 on page 65, a single line of text was pasted into a 3270 session to illustrate the new features in Host On-Demand Version 5. When no configuration options are selected (default), the line of text when pasted into these data entry fields is treated as if it were one continous line spanning from the cursor position to column 80. Any characters that go beyond column 80 are truncated. Characters that fall in the protected fields between data entry fields are lost as well. When Field Wrap is selected, the text is inserted into the entry fields by the size of each data element being inserted. Notice that This is how the new was inserted into the Name field but features was not inserted in the User ID but the Node field. The User ID field could not satisfy the character requirement(8) to fit features. As a result features was moved to the next available field. Data that exceeds the available field space for that line (End of line, Column 80) is truncated. If Line Wrap and Field Wrap are used in conjunction with each other, the line of text is inserted into the data entry fields. The data is viewed as a character tab delimited field. If it does not fit, it will move to the next available field until one is found that will satisfy its size. It will also be wrapped to additional lines if needed. If Field Wrap is not checked, text that falls in a protected field will be lost. Selecting the Paste Next option allows text that is being inserted into data entry fields to be extended to follow-on screens. For example - text input is Chapter 4. Client changes 63

80 equivalent to 10 lines of character based text. The data input field is limited to seven lines per page. When the data is pasted into the input area, normally three lines would be truncated when the last column was reached. By moving to the second page, Paste Next will allow continuation of the paste function that was initiated on page one without loss of data. Another configuration of Paste Next is if stop proxying when protected field is encountered is checked. The paste function will stop at the protected field and allow a new entry field to be selected. Paste Next will resume until another protected field is encountered or the paste function is complete. The Paste Next function is enabled when the paste function encounters the end of the page or a protected field if specified. You may also select Paste to Marked Area. The text will be pasted into the marked area and not at the cursor position. If Line Wrap is checked, the text will be wrapped to the next line if available in the marked area. The Paste Next option will be enabled when the marked area is not able to fit all the text. Selecting Stop pasting when protected field encountered will cause the pasting of data to stop when a protected field is encountered in the destination area. 64 IBM WebSphere Host On-Demand: Version 5 Enhancements

81 Figure 17. Paste samples 4.7 Error and status information Enhancements for problem determination include hyperlinks to the specific error code that was encountered. To utilize this feature, errors that have been encountered can be seen by using the Status Bar History. The history buffer maintains this Information life of that session. When an error is recorded in the history buffer, the user may highlight the error and double click it or click the? mark in the upper right-hand corner. A browser window will be started with a connection to the associated hyperlink. The error codes may also be viewed by using the on line help and selecting the associated error message. Chapter 4. Client changes 65

82 Figure 18. OIA and status bar If a larger or smaller buffer is required (the default is 100 lines) an entry can be made in the HTML file associated with the server deployment. For example, we created test1.html using the Deployment Wizard. The file created was stored on the server at C:\hostondemand\hod\test1.html. Using a text editor such as Notepad, open test1.html. Add the StatusbarHistorySize parameter with the value required and save the file. It will require a refresh of the HTML file on the clients before it will become active. The extracted sample code below: <!-- HOST ON-DEMAND PARAMS BEGIN --> <PARAM NAME=ParameterFile VALUE=HODData\test1\params.txt> <PARAM NAME=SkipConfigProperties VALUE=true> <PARAM NAME=StatusbarHistorySize VALUE=100> <!-- HOST ON-DEMAND PARAMS END --> 66 IBM WebSphere Host On-Demand: Version 5 Enhancements

83 The OIA is located across the bottom portion of the session screen. It provides current session information such as connection status, keyboard state, session name and several other useful fields. Table 5 provides a list of fields and associated status If the error has occurred in the operator information area (OIA), no OIA hyperlink association will exist. A description of the OIA fields and associated error codes are found in the following tables. The Status Bar History is also active and may provide additional information on the error encountered. Table 5. OIA layout Column Staus Character Description 1 M Indicates a connection has been established to a Telnet server. 2 A The protocol in use is TCP/IP. 3 * or p? - The session has established a LU-LU connection with an application program. - A SSCP-LU connection has been established but the connection has not been established to the application. - The session bind has not been established or is not connected. 4 + When the session data is encrypted, the character a will change to an a+. 7 a-z Indicates what host session you are using X[] X SYSTEM X <-o-> or X-f X COMM or PROG - (3270 session only) System response time. It is made up of network hops and system response time until the keyboard is unlocked for additional input. - Application or transaction is in response mode. Keyboard is locked until process is complete. - Also known as the stickman; indicates that a an attempt was made to insert a character into a protected field. Press reset and move to an edit or update field. - This function is not supported in the current session. - (5250 only) Indicates that an input error has occurred. - Indicates that a communication problem was encountered between Host On-Demand session and the host it was trying to connect to. (Note: IBM 3270 font will display a lightning bolt instead of COMM or PROG) - This indicates that an error in the data stream was encountered. Refer to specific COMM or PROG error for a detailed description xx / xxx Cursor location - Current line / Column number Chapter 4. Client changes 67

84 4.8 Enhanced menu support The enhanced menu support offers new features that aid in usability and problem determination on the client session. Starting in the upper left-hand corner and proceeding in a clockwise rotation, we will provide a brief description of the features being displayed to the user. Figure 19 provides a graphical presentation of each pull down menu and capabilities of the user. Features that are enabled by the administrator on deployment will appear in the menus. The pull-down menus provide the user such capabilities as print screen, and the copy/ paste function. Figure 19. New menu structure The session can be set to display the Toolbar, Toolbar with Text, Macro Manager Toolbar and the Keypad. Each of these menus are controlled through the pull-down menu under View. The menus can be controlled independently per session and toggled on/off by the user. The administration function can go one step further. The administrator can control the use of the function in much the same manner but has the ability to restrict the usage or disable it completely using the Deployment Wizard. See Chapter 6, Deployment Wizard on page 105 for additional information. 68 IBM WebSphere Host On-Demand: Version 5 Enhancements

85 Note By going to the keyboard remap utility, toolbars and keypad can be assigned to a specific hot key or key sequence. The next field is the secure link indicator, which represents session security and indicates if SSL has been enabled and a secure link established. Immediately to the left is the Telnet server address (which can also be a DNS name) to which the session was established. The Link established field represents a session established through a Telnet sever to the destination host. If a solid lightning bolt exists, then the session has been established. If a broken lightening bolt appears, a corresponding message in the Status Bar History will appear indicating the current condition or error that has taken place. The OIA area will also display an associated COMM or PROG error. Status Bar History is a new field that represents the communication history since the session was started. It maintains a log while the session is in an active state or has not exceeded the default setting of 100 lines, which it will then wrap. The display maintains a running history from the time the session is initiated until the session is terminated. It also provides a link into the help files for the errors that may be experienced. To invoke this feature, simply highlight the specific item of interest. If there is an associated entry in the help section for that item, a hot link can be invoked either by double-clicking the entry or clicking the? in the upper right hand corner. A separate HTML page will be launched with the associated description of the error incurred. Fly over information is displayed for all toolbar and macro manager functions when these functions are active. Information about the icon selection is then displayed in the lower left portion of the session below the OIA (or keypad if active) in an area known as the Status History window. If the mouse cursor hovers over the toolbar s menu or one of the icons, information will be dynamically updated in the display area. When the mouse pointer is not hovering over a area of the screen associated with the toolbar or macro manager, information either about the Telnet server and port address, or the last entry in the Status History buffer is displayed. See Figure 18 on page 66. Located on the last line of the session display is the operator information area. The OIA provides critical session information such as program or communication errors experienced during an established session. There is additional information provided for many of these messages. To display extended information, highlight the desired message and select the question Chapter 4. Client changes 69

86 mark (?) if active. A detailed help panel will be displayed explaining in detail the highlighted message. 4.9 Improved default GUI A common look and feel for flyover help, menu items, and keyboard remap has been added between the Host On-Demand standard interface, the default GUI and IBM Screen Customizer. For details on the common menu support and fly over help enhancements refer to 4.8, Enhanced menu support on page 68, For details on the operation of keyboard remapping refer to Keyboard remapping on page 60. A major enhancement is the preservation of the keyboard remappings across these clients. Prior to Host On-Demand Version 5, if a key were remapped in the default emulator mode and the user switches to either the default GUI or the full IBM Screen Customizer interface, those mappings were lost. With Host On-Demand Version 5, all keyboard mappings will be preserved as the user switches screen modes. In addition IBM Screen Customizer still support its original key remap function in the Studio. 70 IBM WebSphere Host On-Demand: Version 5 Enhancements

87 Chapter 5. Administration Host On-Demand Version 5 has added many new functions. Adding these functions would not be complete without an overhaul of the administrative interface used to control them. This chapter is an overview of many of the new functions and how they are used with the new look and feel of the administrative windows. 5.1 New Administration Notebook After a Host On-Demand administrator logs in, a newly designed administrative window is presented. Figure 20. The Host On-Demand Version 5 administrative window As you can see in Figure 20, the new administrative windows for Host On-Demand Version 5 has changed quite a bit. The Host On-Demand Administrator will see three general areas of the window: 1. A message area at the top that includes information about the current task. The? icon is used to access a complete set of online help, including Copyright IBM Corp

88 both a guide to common tasks as well as an indexed version of Host On-Demand terminology and tasks. 2. The left-hand side of the window is the navigation area. This is where the administrator selects which task (for example, managing Host On-Demand users or groups) they wish to perform. 3. The right-hand pane is the work area. It is where the actual work is being done. This is the only pane that has context menus, also known as pop-up menus, that are used to get information or perform administrative tasks on Host On-Demand objects like users or groups. Throughout this chapter, there will be many examples of how this administrative interface is used. The interface should be easy enough to use without an extensive tutorial. With that in mind, in the remainder of this chapter we concentrate on the administrative improvements in Host On-Demand, and provide some guidance on how to navigate the new interface to aid in understanding the finer points of its use. 5.2 Configuring groups and users Creating groups and users should be familiar territory for users of Host On-Demand Version 4. After logging on to Host On-Demand s administrative interface, selecting Users/Groups from the navigation window will start the user and group administration applet. 72 IBM WebSphere Host On-Demand: Version 5 Enhancements

89 Figure 21. Users/Groups panel Across the top are three buttons: New User, New Group, and Refresh. The Refresh button is used to repaint the existing view of a list after making a change Creating a group Creating a new Host On-Demand group is less complicated than in Version 4, since Version 5 does not allow you to assign users to the group when you define it. You must first create the group, then add the users to the group as a second and separate step. Chapter 5. Administration 73

90 Figure 22. Creating a Host On-Demand group -- Version 4 vs. Version Creating a new Host On-Demand user Host On-Demand Version 5 has added some slight changes to the interface used to create a new user. How much you will have to add depends on whether you are using such advanced features as native authentication or LDAP support. 74 IBM WebSphere Host On-Demand: Version 5 Enhancements

91 Figure 23. Creating a new user -- Version 4 vs. Version 5 As you can see in Figure 23, creating a basic user in Host On-Demand Version 5 follows almost exactly the same steps and rules as in Version 4. You ll need to fill in the user ID, a description (optional), and a password (optional). The user must belong to at least one group. We recommend using a default group of some kind; the Host On-Demand group will be sufficient unless a high degree of compartmentalization between user groups is desired Using native authentication Figure 24 on page 76 shows the window used to enable native authentication. If you have not enabled the LDAP directory data store, then the Use Native Authentication check box will not be enabled. Chapter 5. Administration 75

92 Figure 24. Creating a Host On-Demand user with native authentication Table 6 explains the fields and how they are used when native authentication is enabled. Table 6. Native authentication fields Field User ID Description New Password Confirm Password Member of Description The Host On-Demand user ID being created. (optional) A brief description of the user ID being created. Suggested contents: the full name of the user or a description of a group for a shared user ID. Not available when native authentication is selected. Not available when native authentication is selected. It is required that a natively authenticated user (such as an LDAP user) must be a member of one group. Unlike default Host On-Demand users, they cannot belong to multiple groups. 76 IBM WebSphere Host On-Demand: Version 5 Enhancements

93 Field Do not save preferences User cannot change password Use native authentication Native User ID Description This is exactly the same as Version 4 regardless of user type. If it selected, the user may be able to change items, such as emulator colors, but the changes will not be saved. Users can be denied access to making preference changes at all. See 5.3.3, Disabling emulator functions on page 84. This will be selected automatically. Check this box to use the native authentication feature. This is the user ID that will be passed to the native operating system. This can be different from the Host On-Demand user ID; see Figure 24. If you are running on an AIX or UNIX operating system ensure that this ID is set to the proper case, because IDs are case sensitive in these environments. A bit more explanation is in order on the relationship between the Host On-Demand user ID/password and the native user ID/password. The rules are pretty simple in this relationship: The Host On-Demand user ID is a Host On-Demand administrative convenience. It can be whatever you want it to be (within the Host On-Demand naming rules). If a password was previously specified it will be ignored when you enable native authentication. It will remain in the database and if you ever disable native authentication for the user it will be reactivated. All password handling must be done by the native operating system; therefore, the User cannot change password check box is disabled. If the native password expires and the user attempts to logon to Host On-Demand with it, the Host On-Demand log on will fail. The user must use an operating system interface to change the password before logging on to Host On-Demand. You must be careful with the native user ID if the Host On-Demand server is running on an AIX or UNIX system. The user ID in Host On-Demand is always in lower case, but on AIX and UNIX systems the native user ID is case sensitive. Therefore, make sure the native user ID is specified with the proper case. There is no translation of this field by Host On-Demand and case sensitivity is maintained. Chapter 5. Administration 77

94 By default, Host On-Demand will translate all passwords entered into lower case before validating them, or forwarding them to the native system for authentication. Windows, AIX and UNIX servers all respect case sensitivity when dealing with passwords. Therefore, if your Host On-Demand is running on Windows NT, AIX or any UNIX server, you should insert the following parameter into the NSMProp file (found in the \hostondemand\lib subdirectory) to ensure proper processing of passwords. LowerCasePasswords = false Once you set this parameter, all passwords will be case sensitive, even for those users not using native authentication. 5.3 Administering groups, sessions and users The user and group view used by a Host On-Demand Version 5 administrator is quite different from Version 4. As mentioned earlier in this chapter, the administrative interface received an overhaul and can do significantly more function on the same screen than Host On-Demand Version 4 can. The improvement in the administrative interface is most apparent when managing Host On-Demand users and groups. There is much that can be done by using standard GUI manipulation of the objects presented on the window. Here is a short list: All operations on Host On-Demand groups are performed by using the context (pop-up) menus. All operations on Host On-Demand users are performed by using the context (pop-up) menus. Operations using the context menus can only be performed on one group at a time. But more than one user can be selected for a given operation using the mouse or the arrow key on the keyboard. Specifically: - Clicking the user (or using the spacebar) with the mouse selects that user and deselects any other user(s). - Clicking the user (or using the spacebar) while pressing the Ctrl key selects additional users. - Clicking the user (or using the spacebar) while pressing the Shift key will select all users between one that is already selected up to and including the current user. All of this should be very familiar to Windows users. 78 IBM WebSphere Host On-Demand: Version 5 Enhancements

95 In Figure 25 we see an example of a Host On-Demand administrator who has selected three users and invoked the context menu for just those users. Figure 25. The context menu for multiple users Note that the context menu in this situation will allow only those functions that are allowed in that context. For example, defining the host sessions available to a user can be done only at the individual user or at a single group level Filtering One of the new features of the Host On-Demand Version 5 administrative interface is the ability to limit which users are shown. This option was added to help administrators manage large numbers of users. Filters are used to view the users within a group or the users in the All Users folder. There are two ways a filter can be used: 1. By using the filter option of the context menu for a group. This is a one shot use of filtering that allows the administrator to view a subset of a group. If another group is selected, the administrator will be shown an Chapter 5. Administration 79

96 unfiltered view of that group, unless the filter context menu is used for that group also. 2. Globally enabling the filter option. This is set by enabling the Disable User Filter check box in the lower left-hand corner of the User/Groups administrative window. When this is done, every time the administrator views a different group, he will be asked for a new filter to use. Notes on using filters - Host On-Demand stores all user IDs in lower case and the filters engine is case sensitive. Therefore, you should not use upper case letters in the filter. For example, a filter on G* will not return the same list as g*. - Using the Filter context menu will not work with the All Users group. - When a filter is set globally and used to view a particular group, Host On-Demand will ask for a new filter when the user selects a new group to view. If you are using the same filter to view all groups, it is advisable to copy the filter into the system clipboard and paste it into the filter dialog box. - When filters are set globally, the option can be disabled by using the check box provided in the administrative window or on the filter dialog box Configuring sessions Configuring sessions should be a familiar task to users of previous versions of Host On-Demand. There have been several changes such as the addition of a multiple session icon, enhanced print configuration, VT print capabilities, and the ability to disable functions and 5250 sessions Basic configuration of a 3270 or 5250 session in Host On-Demand Version 5 should be a familiar task to users of previous versions of the product. An improvement in setting up printers was introduced. Chapter 11, Print enhancements on page 189 provides details on that function VT terminals Host On-Demand Version 5 has significantly improved support for VT terminals. The improvements bring the Host On-Demand VT support into full compliance with accepted standards and also to add features unique to the product. 80 IBM WebSphere Host On-Demand: Version 5 Enhancements

97 First, in order to bring Host On-Demand s VT support completely up to standards, the following functions were added: Inquiry message support Bell command (the terminal will now beep when told) Resolution of problems with horizontal tabs in Host On-Demand Version 4 The addition of reverse-screen mode Double-height/double-width characters Host-defined key sequence. Some applications will program the terminal by sending down commands that reprogram the function keys. Host On-Demand Version 5 has added support for these types of applications. The additional functions that have been added are configurable when you define a VT session. VT screen sizes Host On-Demand Version 5 supports a much wider range of screen sizes for VT sessions. Host On-Demand Version 4 VT support was limited to 24 lines and either 80 or 132 column widths. On the Connection tab of a Version 5 VT session s configuration, you ll see six additional choices, as in those shown in Figure 26 below. Figure 26. Configuring the screen size of a VT session VT Print Another significant addition to VT support in Host On-Demand Version 5 is printing support. VT220-level host print services with the following print operations are now supported: Chapter 5. Administration 81

98 Printer controlled mode, pass through printing: all characters and control sequences are sent directly to the printer instead of the display terminal. Auto print mode: a line is printed from the terminal when the cursor is moved off the line with a line feed, form feed or auto wrap. Print screen: all the data on the terminal, optionally between the top and bottom margins, is printed. Data in the terminal s history log is not printed. Print Cursor Line: the data on the line where the cursor is located is sent to the printer. A Printer tab was added to the VT configuration panel as shown in Figure 27. Figure 27. Configuring a VT printer Note The Printer Selection dialog box as shown in Figure 27 is available only on Windows platforms and is used to obtain a list of Windows printers to associate with the printer session. This is actually a simplified version of the 3270 and 5250 printing setup. The Print Destination, Printer Name, Select Printer, File Path and Name and Separate Files options all work identically to their 3270 and 5250 counterparts. 82 IBM WebSphere Host On-Demand: Version 5 Enhancements

99 Answer Back Message The Answer Back Message is used to return a message to the host when the host inquiry command is sent to the terminal. Enter into this field anything that you wish returned in response to a query command. History log Another new function of the Host On-Demand Version 5 VT emulator is the history log. This is a common feature in VT emulators. Figure 28. Configuring the VT session The Host On-Demand history log support is enabled on the VT Display tab of the session notebook, shown in Figure 28. It can be turned on or off via the History Log radio button and its size is controlled by a drop down-control. The administrator can set the log size at increments between 16 KB and 512 KB. Once a VT session is configured to use the history log feature, the user will have access to the history log, which is highlighted in reverse video. An example is shown in Figure 29 below. The keypad has two options. The default is Normal. 1. Select Normal to use the VT auxiliary keypad for typing numbers. 2. Select Application to use the VT keypad buttons to send control-code sequences that can be read by host applications. To determine whether the Application option is required, refer to the application's documentation. Chapter 5. Administration 83

100 Figure 29. A Host On-Demand VT history log Note You cannot use Host On-Demand s Copy function to get more than one screen s worth of data to the clipboard. However, by scrolling back and using the Copy Append function, it is possible to get as much of the log as desired onto the clipboard before pasting it into another application Disabling emulator functions Host On-Demand Version 5 has added an administrative function for disabling the functionality of the emulator. The ability to disable some functions was available in Version 4 via HTML, for example disabling file transfer, but it was done on a global basis and affected all users who started emulator sessions via a specific Web page. In Host On-Demand Version 5 it is possible to disable GUI-based emulator functions for registered (named) users that are: Available on the context menu of the session icons in the Host On-Demand Session Manager, for example Delete or Set up BookMark IBM WebSphere Host On-Demand: Version 5 Enhancements

101 Accessible via buttons on the Host On-Demand Session Manager (for example Add Sessions ) Accessible via the On the Host On-Demand emulator toolbar (for example the Light Pen Mode icon) Accessible via the Host On-Demand emulator pull-down menus (for example file transfer functions) Note: If a function that is disabled is represented by a pull-down menu and an icon on the toolbar, both are hidden from the user. Additionally, the disabling of these functions can be controlled by a policy which can be: Set at the group level Set at the individual level Set at the individual level to override a group-level policy The result of a user s membership in multiple groups Disabling emulator functions - an example scenario The easiest way to illustrate this new capability is with a simple example. Let s start with two Host On-Demand user groups: Table 7. Sample user groups Group Name Unrestricted Restricted Description Members of this group have access to all the emulator functions of their host session. Members of this group have access to the fewest amount of emulator functions allowed by Host On-Demand policy, except that they are allowed to log off once they have signed in to Host On-Demand. These groups contain the following members: Table 8. Sample group members User ID Guest1 Guest2 Guest3 Guest4 Guest5 Group Membership(s) Unrestricted Unrestricted Unrestricted, Restricted Restricted Restricted Chapter 5. Administration 85

102 So we have five users; the first two have unrestricted access to all the functions in the emulator, the last two have highly restricted access to those same functions, and the user in the middle has access based on membership in both groups. We learned how to create users and groups in 5.2, Configuring groups and users on page 72, but let s look at how we set access policy for our restricted group. We start by logging on to Host On-Demand as an Administrator and navigating to the Users/Groups panel. Select the Disable Functions item from the context menu on our Restricted group as shown in Figure 30. Figure 30. Disable Functions context menu This brings up a Disable Function notebook with seven tabbed pages as shown in Figure 31 on page 87. The seven tabs are: 1. Desktop 2. Connection 3. Appearance 4. Macro 5. File Transfer 86 IBM WebSphere Host On-Demand: Version 5 Enhancements

103 6. Printer 7. Others Each of the associated windows has a list of line items grouped by function. For example on the Desktop tab, there is a Delete Sessions item that controls the user or group s ability to delete a host session definition from the Host On-Demand session manager desktop. Each line item on a page is controlled by the use of three check boxes: 1. An enabled check box indicates the group or user is able to use that function 2. A disabled check box indicates this function will be disabled and hidden from the group or user 3. An inherited check box indicates this function will be inherited Let s look at the Disable Function notebook for the restricted group in our example. Figure 31. Disabling functions for a user of the restricted group In Figure 31, we see an illustration of how we disable almost all of the functions a normal user would see. This is done by checking off all the functions except Log Off since we want our users to be able to get out of Host Chapter 5. Administration 87

104 On-Demand. If this function were turned off, the Log Off button at the bottom of a normal Host On-Demand Session Manager window would disappear. In this case, the only way to get out of Host On-Demand would be to close the browser. For illustration purposes, let s turn off everything except the log off function for the restricted group and examine the effect. Warning If you turn off the user s ability to start and stop sessions, then you must make sure to auto-start any sessions defined for that user or group. Also, the only way the user will then be able to close the session(s) will be to log off Host On-Demand or to close the browser entirely. Otherwise, your user could end up with a host session icon that cannot be started. Figure 32. A very restricted 3270 session In Figure 32, we see the results of configuring our very restricted client. Note the absence of all the menu and toolbar items except Help. And even that has actually been disabled. In our very restricted client, clicking the Help button on the toolbar or from the menu pull-down simply brings up the About Host On-Demand window and not the actual Host On-Demand help. 88 IBM WebSphere Host On-Demand: Version 5 Enhancements

105 This very restricted client disables the context menu support from the Session Manager and no buttons on the Session Manager window except for Log Off. Even this button can be disabled if so desired Configuring multiple sessions One item that will be very new to the Host On-Demand administrator is the multiple session object. In practice, it s a rather simple concept. A multiple session object is one that represents multiple Host On-Demand host sessions. When the user opens one of these objects, all of the sessions it represents are started. See Figure 35 on page 91 for a complete set of rules for the behavior the multiple session object Creating a multiple session object Creating a new multiple sessions object is done in the same way the administrator creates a session object for any user or group. By using the Sessions selection from a user or group context menu, the Configured Sessions dialog box is presented as shown in Figure 33. Figure 33. Creating a multiple session object - step 1 Clicking the Multiple Session button in the Configure Sessions dialog box will display a dialog box that allows the administrator to name the new object and add sessions to it. The dialog box used to create (or change) a multiple sessions object is fairly simple as is shown in Figure 34. On the right-hand side, the administrator will be presented with a list of available host sessions to add to the object. On the left-hand side is a list of host sessions within the Chapter 5. Administration 89

106 object. To add a host session, just highlight it in the right-hand list and click the Add button. Figure 34. Adding sessions to a multiple sessions object Notes When creating or modifying a multiple sessions object, keep in mind: To add more than one host session at a time, simply select additional sessions by using the Shift or Ctrl keys on the keyboard when selecting a host session. Then, when the desired sessions are selected, click the Add button. You can add the same session multiple times. When the object is opened, each of the sessions will open. So if you add the same host session twice, two emulator sessions to that host will open when the user opens that multiple session object. When a multiple sessions object is added to a user or group s sessions, a new icon is displayed as shown in Figure 35. The icon will look the same in a user s session manager window. 90 IBM WebSphere Host On-Demand: Version 5 Enhancements

107 Figure 35. A multiple session object icon Multiple sessions object behavior This section is j a review of what to expect when using the multiple sessions object in Host On-Demand Version 5. It is a condensed guide to the behavior of these objects. A multiple session object can contain any Host On-Demand session object except another multiple session object. To add a Host On-Demand session to a multiple session object, it must exist within the same context as the user or group. It cannot be imported or created after the fact. A multiple session object will open all the host emulator sessions it contains when the user opens it. If a multiple session object is deleted, it does not delete the host session objects it contains. If an administrator deletes a host session object that is contained within a multiple session object, a warning is displayed but the pointer to the object is not removed. The administrator must delete it separately. Multiple session objects can be exported and imported. However, when such an object is exported, it does not export the host session objects that are contained within. Those must be exported and imported separately. Chapter 5. Administration 91

108 5.3.5 Administering the Redirector There is only a minor change to the Redirector configuration. As shown in Figure 36, Pass-through has replaced None. All of the other options are the same. Figure 36. Redirector security options LDAP updates When configuring a Host On-Demand Version 5 server for use with an LDAP directory server, select the Directory Service from the navigation area and you are presented with the panel shown in Figure 37. The only change to this panel from Version 4 is the addition of the Advanced section. Under normal circumstances it is recommended that you do not change anything in the Advanced section of this panel. The only time you should consider enabling and modifying the Advanced section is if you were connecting to an LDAP directory server and trying to use previously installed directory entries that used the IBM eperson schema. This would include a directory server used by the On-Demand Server. 92 IBM WebSphere Host On-Demand: Version 5 Enhancements

109 Figure 37. LDAP directory administration 5.4 OS/400 Proxy Server The Services panel (see Figure 38) may be used to start and stop the OS/400 Proxy service. Select the service and click the Stop Service button. When the service is stopped the label of the button will change to Start Service. Chapter 5. Administration 93

110 Figure 38. Start/Stop Services To use enable and configure the OS/400 proxy server you must select OS/400 Proxy Server from the navigation area and select Yes on the Enable Proxy Server Service line. You may also specify the port you wish the proxy to use (default is 3470). The Maximum Connections field allows you to limit the number of connections; however, unless you are experiencing problems we recommend you leave this blank. You must click the Apply button to make these selections active. 94 IBM WebSphere Host On-Demand: Version 5 Enhancements

111 Figure 39. OS/400 proxy configuration 5.5 Native platform authentication Native authentication is often misunderstood. Native authentication offloads password management, not user ID management. The Host On-Demand administrator must still define and manage the user ID. When native authentication is enabled, Host On-Demand will verify the user ID and password combination using the security mechanism of the native operating system, OS/390, Windows NT, or AIX (Windows 2000 is not included at this time). The implementation of native authentication requires that the LDAP data store be used for the storage of all Host On-Demand user IDs and preferences. Refer to Chapter 7, Native authentication on page 139 for details on how native authentication is enabled. In the implementation of native authentication the following closely related enhancements were also included: Chapter 5. Administration 95

112 Relaxing user ID restrictions specifically allowing mixed case and all numeric user IDs. By default Host On-Demand converts all passwords to lower case before working with them. Therefore, if your operating system enables lowercase passwords you will have to insert the LowerCasePassword = false parameter in the NSMProp file. Support for complete configuration of LDAP server parameters. This will allow the administrator to use any LDAP domain created by ODS or other products using non-default values for the user and group locations. Refer to 5.3.6, LDAP updates on page 92 for additional information. Store Redirector configuration information in LDAP. In prior versions only the user IDs, passwords and session configuration information was stored in the directory. Now the Redirector configuration information is stored there as well. 5.6 Creating a cached client preload CD The cached client was originally designed to be installed over an HTTP(S) connection and could not easily be installed from local storage, a network drive or a CD-ROM, without great difficulty. Host On-Demand Version 5 is designed to allow for installation from a CD, local drive or network drive. Combined with the Deployment Wizard, it s relatively easy to create the necessary files. This section is a quick cookbook on how to create a CD for installing the Host On-Demand Version 5 cached client. It is focused on creating a CD although the same steps can be used to create the files necessary to install from a local or network drive. Unless you wish to restrict the installed functions that are loaded on the user s PC, it is best to create a general-purpose CD that installs most or all of the Host On-Demand functions. Doing so will prevent the user s Host On-Demand client from automatically downloading missing functions. This could be a usability concern or (for a dial-up user) an unwanted use of bandwidth. Pre-loading all Host On-Demand functions does not take up much disk space. A complete installation of all files for Version 5 is around 8 MB. Also, just because these features are installed does not mean the user has access to them. The use of these functions are controlled by various means, such as session configuration, the disable functions administrative capability, and the HTML level policy configuration of the Deployment Wizard. 96 IBM WebSphere Host On-Demand: Version 5 Enhancements

113 The creation of a general-purpose Host On-Demand preloaded CD has four steps: 1. Copy the required Host On-Demand files to a folder. 2. Use the Deployment Wizard to create the HTML that will preload the cached client on the user s workstation. 3. Copy the files created in step 2into the folder created in step Create the CD containing all the files Copy required files Copy the following files from the Host On-Demand publish directory of your Host On-Demand sever installation to a network drive or into your CD drive image folder: HODCached.html (customized for the LAN or CD load) hodlogo.gif hodbkgnd.gif Installer.html Cached.js ccversions.properties CachedAppletInstaller.* CachedAppletSupporter.* CachedAppletRemover.* sccbase.* *.jar *.cab scccversions.properties The following files are in subdirectories of the Host On-Demand publish directory of your Host On-Demand server installation. You must keep these files in the appropriate subdirectories when copying them: msgs\cached_*.properties com\ibm\enetwork\msgs\cached_*.class Chapter 5. Administration 97

114 5.6.2 Create the HTML After creating the necessary file structure, the next step is to create the HTML that will drive the installation of the cached client. Using the Deployment Wizard, this is very easy to do. Below is a set of step-by-step instructions of how a general-purpose cached client HTML page is built using the Deployment Wizard: 1. Launch the Deployment Wizard. 2. On the Connections Options panel, when asked if you want to use the configuration server select No. Since you are assuming a stand alone installation, the user may or may not be connected to your Host On-Demand server. 3. When you get to the Addition Options panel you will have the following choices: - Allow users to save session changes? This choice has no effect on the installation and is up to the administrator. - Cache Host On-Demand applet? You must select Yes. It is this option that forces the cached client to be installed on the user s workstation. - Include problem determination components? Normally, this is set to No unless you are directed to do so by IBM service. 4. On the Cached Client installation process window you will have three options: - Debug cached client installation process? This should always be No unless you are directed otherwise by IBM service. - Where will the components be installed from? It is important that you select the CD/Network Drive choice. This sets certain options that make the cached client behave differently from a normal installation you would see over a LAN/WAN from a Web server. - The option to alter the size of the progress indicator frame should be left to its default under normal circumstances. 5. On the Host Sessions window, which will appear if you selected the option not to use the configuration server, you would normally configure the emulator sessions for your Host On-Demand users. However, if you are building a cached client preloaded CD, you do not have to define any host sessions; just click the Next button. Defining host sessions on this panel will have no effect on what is actually loaded on the user s system. 6. The HTML Level Policy Configuration panel is similar to the Host Sessions window. For purposes of creating a cached client preloaded CD, the 98 IBM WebSphere Host On-Demand: Version 5 Enhancements

115 choices made on this panel have no effect on the end result. Just click the Next button and proceed. 7. The display Options panel normally controls how sessions are represented to the user. However, if you choose the option to install the components from a CD/Network Drive, the user will never see this panel. Any selection here will have no effect, so click the Next button to continue. 8. The Preload Configuration panel is used to determine which components of the Host On-Demand cached client are installed. By default, all components are selected. In this example we are creating a general-purpose cached client installation, so it is best to leave this panel set to its default and click Next to continue. If you disable any function it will not be included in the installation and if later required will be downloaded from the server. 9. When you reach the Page Title and Summary window, you are almost finished. You must give the page a title to proceed. Click Next to continue. 10.The Create HTML panel allows you to save your newly-created work to a file. This can be any standard file name that will work with Host On-Demand; spaces are now allowed. Under the covers, this will create an HTML file with this name, plus an additional HTML file with Auto prefixed to the original. For example, if you specify CDPreload on this panel, the Deployment Wizard will actually create two files: CDPreleoad.html and AutoCDPreload.html. After entering the name click Create HTML. Be aware If you meet both of the following two conditions, you must stop the Web server before saving the file. You are working on the Host On-Demand server itself, a Windows NT or Windows 2000 server, and You are editing a file that has been previously created Copy the files 11.Exit the Deployment Wizard. The final step before actually creating the CD is to copy all of the files created by the Deployment Wizard into the preload folder that contains the files necessary to install the cached client. Chapter 5. Administration 99

116 To illustrate which files need to be copied, let s assume that we used the Deployment Wizard to create a file named CDPreload.html. Now the following files and folders will need to be copied to the preload folder: The CDPreload.html file itself. The AutoCDPreload.html file. The contents of the \hostondemand\hoddata\cdpreload folder. The default installation directory for Host On-Demand is \hostondemand, although it can be installed elsewhere. Under that directory will be a subdirectory named \HODData. Then for each page created with the Deployment Wizard there will be a subfolder with the same name as the page, CDPreload. Once these files are copied into the cached client directory, you may now create the CD Install from the CD To install the cached client from the CD you will need to launch the following URL in your browser: file:///d:\cdpreload.html. The cached client will be installed. After that you may point your browser to a cached client on your Host On-Demand server and begin operations. When contacting the server you may be required to download some additional files, such as DBCS, BIDI or Thai support, which may not be included in your customized preload image. 5.7 Changing the Service Manager s port You can change the configuration port used by the Host On-Demand Service Manager and the clients. The default port of 8999 can be mapped to any available port number. If you are using Host On-Demand through a firewall, the port you set to be the configuration port must be opened on the firewall. To change the configuration port, for example to 12345, you need to make changes to the Service Manager, the clients and the configuration servlet (if you are using it) Server modifications There are several methods you can use to set ConfigServerPort for the Service Manager. Choose the easiest or most convenient method. Because there are several ways to specify a different configuration port for the Service 100 IBM WebSphere Host On-Demand: Version 5 Enhancements

117 Manager, there is a precedence that takes place based on where the parameter is set: 1. First is a command line parameter, such as /ConfigServerPort= Second is the ConfigServerPort entry in the NSMprop file. 3. Third is the setting of the second parameter of CONFIGSERVER_PARMS in the NSMprop file. The above configuration only affects the operation of the Service Manager. You must also make the appropriate modification to the config.properties file as described in 5.7.2, Notifying the Host On-Demand client on page Modify command line Add /ConfigServerPort=12345 to the end of the command you use to start the Service Manager, or edit the script that is used to start the Service Manager so that the ConfigServerPort parameter is passed to it. The Service Manager runs as a service on Windows servers, so you need to add the ConfigServerPort parameter to the registry entry for the Service Manager. Below is the registry entry that you must update: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IBMServiceManager\Par ameters\appparameters On the AS/400, use CFGHODSM to add the ConfigServerPort parameter ConfigServerPort in NSMProp file Following these steps to modify the NSMProp file to change the Service manager s port: 1. Stop the Service Manager. 2. Go to the lib directory of the Host On-Demand server, for example, D:\hostondemand\lib 3. Edit the NSMprop file and add the following to the bottom of the file: ConfigServerPort= Restart the Service Manager CONFIGSERVER_PARM in NSMProp file Edit the NSMprop file to make the second parameter of CONFIGSERVER_PARMS instead of This method provides compatibility with previous versions of Host On-Demand. Chapter 5. Administration 101

118 5.7.2 Notifying the Host On-Demand client The clients must also be notified of the port change. Because there are several ways to specify a different configuration port for the clients, there is a precedence that takes place based on where the parameter is set: 1. ConfigServerPort parameter set in the client HTML. 2. ConfigServerPort set in the config.properties file Change the config.properties file Go to the publish directory of the Host On-Demand server (for example, d:\hostondemand\hod). Edit config.properties to add ConfigServerPort=12345 to the file. If a config.properties file does not exist create it and add the parameter. Force any active Host On-Demand clients to re-read the config.properties file by clearing your browser's cache and reloading the Host On-Demand applet. If you need to edit config.properties for an OS/390 server, first transfer the file in binary to an ASCII based system such as Windows or UNIX. Edit the file and then transfer it back to the OS/390 system in binary. If you need to create a config.properties file, do so on an ASCII system and then transfer the file to the OS/390 server in binary. The reason for this is that the client applets expect ASCII text in config.properties, but files created or edited on OS/390 are stored in EBCDIC Change the HTML file When any parameter is set in a config.properties file, all clients will use that parameter. However, each client can be configured individually by adding parameters to the client HTML. You can use the Deployment Wizard to build customized HTML client pages. The Deployment Wizard sets applet parameters in the HTML it creates based on your input, so you don't have to learn the syntax and valid parameter values. It is recommended that you use the Deployment Wizard to build client pages. The wizard can't be used to edit HTML pages you create manually. It also can't be used to edit HTML pages that are created with the wizard, but are later edited manually. If you find you need to manually modify the HTML, use the param tag inside the applet tag to set the ConfigServerPort. For example, you can add <PARAM_NAME=ConfigServerPort VALUE=12345>. to the applet tag in HTML file. 102 IBM WebSphere Host On-Demand: Version 5 Enhancements

119 If you are using the configuration servlet and you change the Service Manager port, you will need to set the ConfigServerPort parameter for the configuration servlet. For example, if you change the Service Manager port to you need to pass the ConfigServerPort=12345 parameter to the configuration servlet so it can communicate with the Service Manager. Refer to 8.1, Configuring WebSphere Application Server on page 149 for an example of specifying the ConfigServerPort with WebSphere Application Server, or check your Web server or servlet engine documentation for information about how to pass parameters to servlets. Chapter 5. Administration 103

120 104 IBM WebSphere Host On-Demand: Version 5 Enhancements

121 Chapter 6. Deployment Wizard The Deployment Wizard is a Windows application and cannot be used on other system platforms. It is automatically installed when you install the Host On-Demand server on a windows system. It helps in creating customized HTML pages that allow a user, for example, to start a session without having to identify himself through a user ID and password, or to automatically launch multiple sessions in parallel from a single URL reference. These functions have been available in previous releases of Host On-Demand, but it was a sometimes cumbersome process specifying all session parameters when customizing an HTML page according to the session1.html and session2.html samples. The Deployment Wizard guides you step by step through the configuration options available to define the session type you selected. This process then eliminates the need to remember the names and meaning of the many parameters you had to code on a session2-type HTML page. Also, there are more options available. The Deployment Wizard offers a number of configuration options that are not available through the normal administration interface: You decide from which source the client gets its configuration information: from the Host On-Demand configuration server or from the HTML file. You choose if the client code will be cached locally, and which options the user has for downloading. To eliminate the user from having to log on, you may add a user ID and password (optional). You decide which functions are downloaded to the client. You may configure a session and define which emulator functions you want to make available and which should be disabled and hidden from the user. 6.1 Starting the Deployment Wizard You start the Deployment Wizard from the Start menu by clicking Start --> Programs --> IBM Host On-Demand --> Administration --> Deployment Wizard. It is also possible to start the Deployment Wizard from Host On-Demand s installation CD. Since the Deployment Wizard is a windows application, this will be necessary when the Host On-Demand server is installed on a reliable Copyright IBM Corp

122 system platform such as AIX or OS/390. Of course, you may copy the CD to your workstation s disk. The minimum set of files and directories necessary to start the Deployment Wizard from disk is shown in Figure 40. You start the Deployment Wizard by executing setupwin.exe, which will bring up the normal installation welcome window, where you then click Deployment Wizard. Figure 40. Files needed for start to Deployment Wizard When starting from CD (or a copy on your local disk), the Deployment Wizard will support all functions, but the files created will have to be transferred to the system on which the Host On-Demand server is installed. For tips on this process see 6.6, Distributing custom HTML pages on page 137. If the Host On-Demand server is installed on a Windows system it is advisable to directly start the Deployment Wizard from the Start menu (that is, not from CD). The created files will then be directly installed into the correct libraries. 6.2 Customizing HTML pages Before you start customizing individual HTML pages for different user groups or even individual users, you must decide the following: Which type of client will the user load (see 2.6, Types of clients on page 20)? Will every user have an individual user ID assigned, use a group user ID, or no user ID at all? Which functions should be made available to these users, or which functions should be hidden from the users? For example, if users are allowed to record macros, there will be many who will record a logon macro in order to directly get into their host application to the point where they can start working. Not every user will let the macro prompt for the application s password, but instead will record the password with the macro. This means that somebody else might access an unattended workstation and read the user s password because it is recorded as plain 106 IBM WebSphere Host On-Demand: Version 5 Enhancements

123 text within the macro. It is therefore policy in many companies not to allow the recording of macros but to only allow playing of prerecorded macros. Welcome Page E dit existing H TM L File? no yes Edit Existing HTML File Connection Options Use Configuration Server? yes no Logon Options Additional Options Cache HOD Applet? no yes yes no Cache Client O ptions Cache Client Upgrade Options Host Sessions HTML Level Policy Configuration Display O ptions Preload Configuration Page Title and Summary Create HTML Figure 41. Deployment wizard flows Figure 41 gives an overview of the sequence of option windows when using the Deployment Wizard. When configuring your clients, there are two major decisions you have to make that influence the path through the Deployment Wizard: 1. Will the user be defined with user ID and password at the Host On-Demand server, that is, will the client use the configuration server when initializing its emulation applet window? 2. Will the user download the code every time he starts the emulator or will he use a cached client that downloads the code once and then uses the locally installed code to start the emulator applet? Chapter 6. Deployment Wizard 107

124 As a combination of the two choices, there are then four different paths through the Deployment Wizard for the four basic types of clients. The welcome window that shows up first when you have started the Deployment Wizard prompts the user to create a new HTML page or to update an existing one. If you are updating an HTML page, you have to provide the name of the HTML page by directly typing the name of the page, or by selecting the page from the list of HTML pages previously created with the Deployment Wizard, and only wizard pages are shown by default. Watch your updates When navigating through the option windows of the Deployment Wizard be careful to always go forward by clicking the Next button when you have made any changes on a window. Clicking the Back button will cause all changes and entries on a window to be set back to their defaults. Changes are saved only when you leave the window in the forward direction Download client using the configuration server In our first scenario we will define a customized HTML page for a client that has a user ID defined and downloads the code every time this HTML page is referenced. Figure 42 shows the sequence of option windows we will follow to enter the configuration parameters. We will not have to answer any questions that relate to a cached client and, because the user and his session have been configured using normal Host On-Demand administration, we do not have to go through the option windows presented to configure the individual sessions Connection options After having chosen to create a new HTML page or having loaded the HTML page to be updated, the next window is Connection Options (see Figure 43 on page 110). It asks the user if configuration information will be read from defined users on Host On-Demand s configuration server and how to reach the configuration server. Configuration server In this scenario, we choose to use the configuration server. Of course, all intended users and their sessions have to be previously defined using Host On-Demand s administration function. 108 IBM WebSphere Host On-Demand: Version 5 Enhancements

125 Welcome Page Edit existing HTM L File? no yes E d it E xisting H TM L File Connection Options Use Configuration Server? yes no Logon Options Additional Options Cache HOD Applet? no yes yes no Cache Client Options Cache Client Upgrade Options Host Sessions HTML Level Policy Configuration Display Options Preload Configuration Page Title and Summary Create HTML Figure 42. Flow for download client using configuration server Configuration servlet The next information needed then is how to reach the configuration server. This can be done trough a direct connection to the configuration server s port (the default is 8999) or through a configuration servlet that has been installed and configured on a Web server that provides servlet services (see Chapter 8, Configuration servlet on page 149 for details). Using the configuration servlet allows you to connect to the configuration server through the normal HTTP(S) ports (defaults 80/443). This is especially useful when the users have to access the Host On-Demand server through a firewall. This will eliminate the need to open an extra port (for example 8999) on the firewall. To reach the configuration servlet that is controlled by a servlet manager, such as WebSphere Application Server, you must specify either a relative or Chapter 6. Deployment Wizard 109

126 absolute URL that points to the desired Configuration Servlet. The example shown in Figure 43 specifies a relative reference. Refer to 8.2, Enabling clients on page 159 for a complete explanation of relative and absolute URLs. Figure 43. Deployment Wizard - Connection Options window If you choose to directly connect to the configuration server you have to specify its port number. The default number 8999 is already filled in and has to be overwritten when your installation uses a different port number (see 5.7, Changing the Service Manager s port on page 100) for details Logon options Clicking Next brings you to the Logon Options window shown in Figure 44 on page 111. Here you can select that users are required to logon every time they load the HTML page created here. This would normally be the case when you decided to define individual user accounts. This could be necessary, for example, when your company s security policy requires that all users (or a special group of users) always get the same LU name assigned 110 IBM WebSphere Host On-Demand: Version 5 Enhancements

127 (and are identified by their LU name). You can enforce this by specifying the individual user s LU name its session definitions. Figure 44. Deployment Wizard - Logon Options window There are two methods of logging into the Host On-Demand server: 1. Prompt the user to enter the user ID and password 2. Provide the user ID and password as part of the custom HTML setup If you are not requiring users to manually log on, you have to provide a user ID and password that are to be used to automatically log on the user when he loads the HTML page being created here. Of course, this user ID, password, and the associated session(s) must have been previously defined using Host On-Demand s administration functions. The user ID specified on such an HTML page will then represent a shared account with identical session definitions for all users loading this page. Together with the possibility to request auto-launch in each session s properties, this then is a function equivalent to the function provided by the session1-type sample well known from previous versions of Host On-Demand. Chapter 6. Deployment Wizard 111

128 Additional options There are three additional options that are required on this window as shown in Figure 45 on page 113. Save session changes The save session changes option allow you to specify whether or not you will allow users to save session changes. In many environments you would elect to not allow the user to save changes. Reasons for this would vary, but could include the following: Provide a consistent interface to all users Reduce errors by having a standardized client, and Allow the sharing of a single user ID across multiple users When using the configuration server (as is done in this scenario) any modification of the session characteristics (for example, keyboard remap, change of colors, size or position of the emulation applet window) will be sent to the server and will replace the stored characteristics. If you use one shared account for multiple users, saving session changes would mean that a newly logged-on user would get his session preferences from the last user that saved them. Deployment Wizard wins What you specify here in the Deployment Wizard will override whatever you chose for the check box Do not save preferences when you created the user account in Host On-Demand s administration. Cache the Host On-Demand applet The second option allows you to request that the Host On-Demand code be cached (locally installed) on the client s workstation. In this scenario we configure an HTML page for a download (non-cached) client. 112 IBM WebSphere Host On-Demand: Version 5 Enhancements

129 Figure 45. Deployment Wizard - Additional Options window Include problem determination components The normal code downloaded to the client does not support certain problem determination functions such as tracing of communication flows or internal API calls. This is done to keep the client as small as possible. Every installation should have HTML pages prepared that download problem determination modules in case there are problems that have to be documented using those facilities Display options On the Display Options window (see Figure 46) you decide what the browser window looks like when the user calls the HTML page being created by the Deployment Wizard. Chapter 6. Deployment Wizard 113

130 Figure 46. Deployment Wizard - Display Options window How to display sessions You can specify if the browser window will display the standard Host On-Demand client icons, or a grid of buttons, one for each session defined for the user. When selecting to display buttons you must specify into how many rows and columns the buttons will be arranged. The following properties apply to the buttons: The name of the session is displayed. You cannot influence the shape and color of the buttons. You cannot provide your own image for the button. A context menu is not available for a button. This means that the user can not copy the session, set a bookmark, or manipulate the session definitions. The user can only start a session as it was configured by the administrator. Applet window size The second option on the Display Options window allows you to determine for the displayed Host On-Demand page the size of the frame that contains the 114 IBM WebSphere Host On-Demand: Version 5 Enhancements

131 session symbols. If you have only a few sessions configured for the user, set the applet size parameter to small. If you have many sessions, set it to middle or even large to hold all session icons. When you choose to display session buttons, a good choice would be to let their size adapt to the current size of the browser window by setting the applet size parameter to autosize. Maximum concurrent sessions With the last option on this window you can limit the number of emulator sessions that the user can simultaneously have open. If every user started the possible maximum 26 sessions (although only one might be defined for him) you can easily run out of resources on your TN3270 server. To avoid that simply restrict the user to the number of sessions you want to allow and for which you have calculated the number of LUs in your TN3270 pool Preload Configuration The Preload Configuration window as shown in Figure 47 contains a number of tabs on which you can select which components shall be included in the initial download of Host On-Demand s code to the client. It does not make any sense to download, for example, code that supports SSL encryption when your TN3270 server is not configured to support SSL. Just because a function s code was not initially transferred to the client does not mean it is not available to the user. The first time a user attempts to us a new function that was not initially downloaded, the function will be dynamically downloaded from the server. For example, if you omitted the code supporting the macro functions, the required files will be downloaded as soon as the user clicks one of the macro keys in his emulation window s tool bar. If users will seldom use a specific function (like recording or playing macros, or starting a file transfer) it is a good choice to omit the function from the initial download and have it downloaded on demand as the user needs it. Depending on the number of users you might save a large amount of bandwidth in the morning when everybody comes in and starts his emulator session(s). Chapter 6. Deployment Wizard 115

132 Figure 47. Deployment Wizard - Preload Configuration window Figure 47 shows the minimum selection that is necessary to support 3270 terminal sessions. Only the function 3270 Sessions has been selected. All other functions on all folders are deselected (simply by clicking on the Select all check box). This will then result in 1.06 MB transferred with Internet Explorer and 1.23 MB with Netscape. (This is even smaller than the Function On-Demand client you can start from the HODMain.HTML selection page.) Remember, this is for a download client that signs on to the configuration server Page title and summary As shown in Figure 48, the next window that shows up on the path through the Deployment Wizard gives an overview of the functions selected so far (except for the download configuration). You may review what is selected and go back if you find any discrepancies to your planned configuration. 116 IBM WebSphere Host On-Demand: Version 5 Enhancements

133 Figure 48. Deployment Wizard - Page Title and Summary window Type in a title for the page you are creating and proceed to the last window of your path through the Deployment Wizard. The wizard will not let you proceed without a title. This title will be displayed by the browser as the title of the page and will be used as the default text if you bookmark this page. Create HTML On the last window (shown in Figure 49) you specify the name under which the HTML file you just created will be saved. The appropriate extensions will be added for you. Chapter 6. Deployment Wizard 117

134 Figure 49. Deployment Wizard - Create HTML window Cached client using the configuration server In our second scenario we will define a customized HTML page for a client that has a user ID defined (as in the previous scenario) and downloads the code the first time this HTML page is referenced, installs the code on the client, and uses this locally installed code in subsequent references of this HTML page. Figure 50 shows the sequence of option windows you will follow to enter the configuration parameters. The only difference from the previous scenario will be that you will be presented two additional option windows to specify additional parameters for the cached client. As you can see in Figure 50 you will see almost all option windows of the Deployment Wizard. This is the most complex scenario possible. 118 IBM WebSphere Host On-Demand: Version 5 Enhancements

135 Welcome Page Edit existing HTM L File? yes no E d it E xisting H TM L File Connection Options Use Configuration Server? yes no Logon Options Additional Options Cache HOD Applet? no yes yes no Cache Client Options Cache Client Upgrade Options Host Sessions HTML Level Policy Configuration Display Options Preload Configuration Page Title and Summary Create HTML Figure 50. Flow for cached client using configuration server Connection options Refer to , Connection options on page Logon options Refer to , Logon options on page Additional options Refer to , Additional options on page Cache client options Once the cached client option was selected on the Additional Options window (refer to Figure 45 on page 113), then the Cached Client Options panel, as Chapter 6. Deployment Wizard 119

136 shown in Figure 51 will be displayed. This panel is where we indicate if the cached client is to be used and from where it will be loaded. Debug cached client installation process? The first option on this window asks if you want to debug the cached client installation process. You would need this function only if there are problems with the installation process of your cached client. Normally you select No. Where will the components be installed from? The second option allows you to have the code installed either from a local CD or from a (network) drive. It is recommended that you install from the server unless you have a very slow link to the server, such as a 14.4 Kbps dial-up link. Refer to 5.6, Creating a cached client preload CD on page 96, for details on how to configure the installation CD. Figure 51. Deployment Wizard - Cached Client Options window Size of the progress indicator frame The third option allows you to customize the size of the window that pops up at the client when the code is downloaded and installed to indicate the progress of the installation process. The default size is adequate for most users. 120 IBM WebSphere Host On-Demand: Version 5 Enhancements

137 Cache client upgrade options On this window you configure how the update of a cached client is controlled if the client detects that newer code is available on the server. Figure 52. Deployment Wizard - Cache Client Upgrade Options window Handling upgrades You might want to control the update to limit how many users in parallel may update their cached client code once the central administrator has installed a new copy of Host On-Demand on the server. Your options are as follows: Allow all users to upgrade as soon as they connect to the server after the new code has been installed on the server. Not allow any user calling the HTML page being customized here to update his code. Users would have to reference special customized HTML pages allowing the update. This would then be organized and controlled by the central administrator. Control how many users can update their code in a certain time interval by either specifying a percentage of users allowed to update at a time, or refer to a file (per URL) in which the administrator will set the update keyword when users of this HTML page are allowed to update. Chapter 6. Deployment Wizard 121

138 Note The percentage upgrade option is only an approximation. When the upgrade check occurs, the client generates a random number from 1 to 100 and compares it against the value specified here. The cached client will upgrade if the random number is less than or equal to the number specified here. Since the random number changes every time you start the applet, over time this technique would eventually upgrade everyone even if the value specified was 20 and was never changed. Upgrade options You must select one of the following options on how upgrades are handled once they are detected: Upgrade in foreground (cannot user product until upgrade is complete) Upgrade in background (can use old version while upgrade takes place) Prompt user (user decides foreground or background). This is the default option and is recommended Display options This panel is identical to those for the first scenario. The description is found in , Display options on page Preload configuration Special consideration should be given to the selection of functions that will be downloaded and installed in the cached client. Deselect all functions that will never be used by the client, either because the client uses only 3270 sessions (which then downloads the code supporting 5250 sessions) or you, as the administrator, have disabled certain user functions. If the user cannot use the file transfer function, it does not need the supporting code on the workstation. The functions you select for the client to cache are especially important if the client is connected to the Web server over low-speed communications links Page title and summary This panel is identical to those for the first scenario. The description is found in , Page title and summary on page Create HTML This panel is identical to those for the first scenario. The description is found in Create HTML on page IBM WebSphere Host On-Demand: Version 5 Enhancements

139 6.2.3 Cached client not using the configuration server In our third scenario we will define a customized HTML page for a client that has no user ID and no sessions defined at the configuration server. The client will download the code the first time this HTML page is referenced, and use this locally installed code in subsequent references of this HTML page. Figure 53 shows the sequence of option windows we will follow to enter the configuration parameters. Welcome Page E dit existing H TM L File? no yes Edit E xisting H TM L File Connection Options Use Configuration Server? yes no Logon Options Additional Options Cache HOD Applet? no yes yes no Cache Client Options Cache Client Upgrade Options Host Sessions HTM L Level Policy Configuration Display O ptions Preload Configuration Page Title and Summary Create HTML Figure 53. Flow for cached client not using configuration server Connection options On the Connection Options window, Figure 43 on page 110, in this third scenario, we click No to answer the question: Use the configuration server? This means that we will bypass the Logon Options window (there are no options to specify when you do not log on). Chapter 6. Deployment Wizard 123

140 Additional options Next, on the Additional Options window (see Figure 45 on page 113), we click Yes to answer the question: Cache Host On-Demand applet? This presents two additional option panels on which you must define the session(s) you want to make available to users requesting this HTML page, and which policy rules shall apply to them Host sessions After having defined the cache client options the next window presented, Figure 55, is the Host Sessions window. When customizing a new HTML page you will reach this window with, of course, no sessions defined. Selecting the Create New... button results in a small window as shown in Figure 54 to allow you to select which session you want to define. Figure 54. Selecting the type of host session Selecting any of the buttons will present a window that is identical to the one presented when using the Host On-Demand administrator. You define your session parameters the same way you would using the administrator functions. (See 5.3.2, Configuring sessions on page 80 for a detailed description of the options available for the different session types.) The different configurations you create here, to be available through this HTML page, will not be stored under control of Host On-Demand s configuration server; rather they will be saved into separate configuration files, such as cfg0.cf. Refer to 6.5, Files created by the Deployment Wizard on page 131, for a complete description of these files. Figure 55 shows the Host Sessions window with two sessions defined. When no session is selected (all sessions have a white background) only the Create New... button is active; all others are greyed out. To activate the other buttons click the session you want to work with; its background will turn blue, and all buttons will be active. 124 IBM WebSphere Host On-Demand: Version 5 Enhancements

141 Figure 55. Deployment Wizard - Host Sessions window Clicking the Properties button will open the same window used to define a new session configuration. You can then change the configuration parameters of the session selected (blue background) on the Host Sessions window. You can also create a new session by simply copying an existing session. This is done by selecting one of the existing sessions (blue background) and then clicking the Copy button. The newly created session will be given a name that is derived from the name of the session that was copied. Selecting then the new session and clicking the Properties button will let you modify the session just created. Sessions that you do not want to be supported any longer through the HTML being customized can simply be removed by clicking the Delete button. The session is removed from the Host Session window and its associated configuration file is deleted. From the Host Sessions window you can launch a session from the sessions listed by selecting the session and then clicking the Start button. The session Chapter 6. Deployment Wizard 125

142 window will be opened and the session started according to the parameters set in the configuration. All changes you apply to this session window will then be used as the initial default setup for all users calling the HTML page being customized. These changes include, among others: Size and placement of session window Macros Color settings Keyboard remapping You can, for example, record a macro and specify it as being automatically started when the session is initialized, and have the session start automatically when this HTML page is called. This will then have the effect that whenever this HTML page is referenced (either directly or by an URL link) the session window will automatically pop up, the session will be started, and the macro played to navigate the user into his application. Note: do not record a user ID and password; have the user be prompted instead. In addition, if your installation supports express logon (see 1.2.4, Express logon on page 5), you can navigate your users directly into their applications without the need to enter user ID and password HTML level policy configuration Once all sessions are customized, the next window is the HTML Level Policy Configuration window (see Figure 56). It allows you to select the functions that will be enabled or disabled for users calling this HTML page being customized. The format of the window and the content in the different folders is almost identical to the format of the Disable Function window when customizing a user or a group in Host On-Demand administration (see , Disabling emulator functions - an example scenario on page 85 for details). The only difference is that, of course, you cannot select that a group s setting applies to a user. We do not have groups nor users. What you select being enabled or disabled applies to all users referencing the HTML page being customized. 126 IBM WebSphere Host On-Demand: Version 5 Enhancements

143 Figure 56. Deployment Wizard - HTML Level Policy Configuration window Figure 56 shows the Connection tab with a selection of enabled and disabled connection functions. In this example users will not be able to close a session window, not even by clicking on the X in the top right corner. Session windows can only be closed by terminating the browser Display options The details for this panel have already been described in , Display options on page Preload configuration The details for this panel have already been described in , Preload Configuration on page Page title and summary The details for this panel have already been described in , Page title and summary on page 116. Chapter 6. Deployment Wizard 127

144 Create HTML The details for this panel have already been described in Create HTML on page 117. Note When starting emulator sessions using this customized HTML page, Host On-Demand s Service Manager will not be contacted, that is, no connection is established to the server s port All session configuration and user policy parameters are defined using the Deployment Wizard, saved in the various files created by the Deployment Wizard, and afterwards provided by the Web server without contacting the session manager. Unless you disable license use management reporting, the client will attempt to open the configuration port, 8999 by default, to report its activity. If the port is not open or the license use management utility is not listening, the client will time out and no error will be logged Download client not using the configuration server In the fourth and last scenario we will customize a client that has no user ID and session defined by Host On-Demand administration and does not cache the code on the workstation but downloads it every time it references the HTML page. When you compare this scenario s path through the Deployment Wizard as outlined in Figure 57, you will find that the only difference is that you will not be presented with the two windows specific to the cached client. 128 IBM WebSphere Host On-Demand: Version 5 Enhancements

145 Welcome Page E dit existing H T M L F ile? no yes Edit Existing HTML File Connection Options Use Configuration Server? yes no Logon Options Additional Options Cache HOD Applet? no yes yes no Cache Client Options Cache Client Upgrade Options Host Sessions HTML Level Policy Configuration Display Options Preload Configuration Page Title and Summary Create HTML Figure 57. Flow for download client not using configuration server All options windows passed in this scenario have been previously described Connection options Refer to , Connection options on page 108 for details Additional options Refer to , Additional options on page 112 for details Display option Refer to , Display options on page 113 for details Preload configuration Refer to , Preload Configuration on page 115 for details. Chapter 6. Deployment Wizard 129

146 Page title and summary , Page title and summary on page 116 for details Create HTML Refer to Create HTML on page 117 for details. 6.3 Running the Deployment Wizard from the installation CD When starting the Deployment Wizard from the installation CD (or from a copy of the installation CD on your hard disk) as described in 6.1, Starting the Deployment Wizard on page 105, the created files are packed into one zip file that has the name of your HTML page, for example the download_logon.zip as shown in Figure 49 on page 118. The directory into which the Deployment Wizard wants to write the zip file defaults to the directory from which you started the wizard, not a good choice when starting from CD. Therefore, override the default directory on the Create HTML window to a directory of your choice (D:\DWPages, for example). Figure 58 shows the files contained in the zip file and into which subdirectory they will be installed, relative to the publish directory. Refer to6.5, Files created by the Deployment Wizard on page 131 for recommendations on how to distribute the custom HTML pages created with the Deployment Wizard. Figure 58. Files included in the zip file When you create a new configuration with the stand-alone Deployment Wizard, only the zip file is created. The Deployment Wizard cannot directly read and update a zip file that it created; therefore, if you want to update this configuration, you first must unzip the file and then read in the HTML file. Once you update the configuration, a new (updated) zip file is created. 130 IBM WebSphere Host On-Demand: Version 5 Enhancements

147 6.4 Execution from Windows server If you run the installed Deployment Wizard from the Windows server, a zip file will not be created. If you save directly into the server s publish directory (the default) users then can directly use the page you just created. If you need to deploy these files to other servers refer to 6.5, Files created by the Deployment Wizard on page 131 for recommendations on how to transfer and deploy the custom HTML pages. 6.5 Files created by the Deployment Wizard There are several files that may be created by the Deployment Wizard and a subdirectory for each custom HTML file. Refer to Table 9 for a brief description of each file that is created. Not all the files are present in every type of client; however the file structure created is identical for download clients and cached clients. The following sections will describe these files in more detail. Table 9. Files created by Deployment Wizard File Name File type Location Description custom.html text The publish directory \hostondemand\hod The HTML file that the user uses to launch the client. Autocustom.ht ml text The publish directory \hostondemand\hod This name is the same as the previous HTML file with Auto added as a prefix. This HTML file is used when bookmarking. winfo.txt text \hostondemand\hod\h ODData\custom\ params.txt text \hostondemand\hod\h ODData\custom\ policy.obj binary \hostondemand\hod\h ODData\custom\ Contains the responses to each panel in the Deployment Wizard. This file is only used by the Deployment Wizard. Contains some configuration parameters for the setup of the client s session window and is sent to the client. Contains the policies defined by the administrator on the Policies window, see Figure 56 on page 127. Chapter 6. Deployment Wizard 131

148 File Name File type Location Description preloads.obj binary \hostondemand\hod\h ODData\custom\ Contains the objects to preload when the client is initially loaded, see Figure 47 on page 116. Note: custom is the name of custom HTML file assigned when the file was saved, see Figure 49 on page HTML files There are two HTML files that will be created. The first HTML file will have the name that you specified on the Deployment Wizard s last window; refer to Figure 49 on page 118. This also is the HTML file name the user will reference from his browser, either directly or through a URL reference. When loaded onto the serve; this HTML file must be stored directly into Host On-Demand s publish directory (\hostondemand\hod\ by default). Figure 59 shows the download_logon.html file that was created for a download client that uses the configuration server, and automatically logs on the user to obtain preferences. 132 IBM WebSphere Host On-Demand: Version 5 Enhancements

149 Figure 59. HTML file created for download client using configuration server Notice The password used to automatically log on the user is written in plain text as a comment on the HTML page and everybody is able to easily retrieve it when calling this page from his browser (as was the case with a session 2-type customized HTML page in Host On-Demand Version 4). It is, therefore, not worth specifying a password at all for a user account that is used to automatically log on one or multiple users. The second HTML file created is the HTML file that is used when bookmarking this page. The file name will be the same as the previous one, but with Auto prefixed. For example, assuming the HTML file in Figure 59, the second file name will be Autodownload_logon.html. Chapter 6. Deployment Wizard 133

150 HODData subdirectory and files For every HTML file you customize, an associated subdirectory with the name of the HTML file (download_logon in our case) is created in the HODData subdirectory to contain the configuration files for this client. Figure 60 shows the directory structure and the configuration files for our download_logon scenario. Figure 60. Directory hierarchy of configuration files preloads.obj There is a preloads.obj file that is used by the Deployment Wizard to hold your selections of what is to be preloaded. This was specified on the Preload Configuration window (refer to Figure 47 on page 116). It is not an ASCII text file and cannot be edited using a normal text editor. When transferring this file to the designated server, it must be transferred in binary. params.txt The params.txt file contains a few configuration parameters for the setup of the client s session window and is sent to the client. Figure 61 illustrates the params.txt file created for the download_logon HTML file. This is a standard ASCII text file. Figure 61. The params.txt file 134 IBM WebSphere Host On-Demand: Version 5 Enhancements

151 Passwords made public Here you can also read the password in plain text. Don t use this type of session setup if this could be of concern to your company s security policy. winfo.txt The winfo.txt file (see Figure 62) is a standard ASCII file that contains the value of each parameter on each window that you went through when defining the custom file with the Deployment Wizard. If you later rerun the Deployment Wizard on this custom HTML file these parameters will be read and the values for each parameter pre-set as you navigate to the proper window. The responses for each window are remembered and filled in when you reach that window, making updates easier. Figure 62 illustrates the winfo.txt file for the download_logon custom HTML file. Figure 62. The winfo.txt file Important You could change parameters using an ASCII editor in the winfo.txt and params.txt files, but be aware that there are interdependencies between parameters in the different files. Also, there is a version number in the files counting up the times you have updated the configuration using the Deployment Wizard. It is safe to always use the Deployment Wizard to update a configuration. You might not be able to open a configuration with the Deployment Wizard once you have manually changed one of the files. Chapter 6. Deployment Wizard 135

152 cfgx.cf files For every session that was defined on the Host Sessions window (see Figure 55 on page 125), a separate configuration file is created. The names of these files are cfg0.cf for the first session, cfg1.cf for the second, cfg2.cf for the third, and so on. The Host Sessions window allows you to create more than 26 sessions; of course only 26 of those can be started in parallel. Refer to Appendix B, Sample session configuration file on page 267 for a sample session s configuration file of this scenario. Figure 63. Customized files for cached client not using configuration server For a sample configuration file and general description refer to Appendix B, Sample session configuration file on page Tips and hints When working with the Deployment Wizard we have seen several anomalies: If you create a configuration that defines sessions within the HTML, and select the Restart button to start a new configuration, the Deployment Wizard may not forget the previously defined sessions and may create configuration files for those previously defined sessions in addition to the sessions you define. We recommend that you exit the Deployment Wizard after each newly customized HTML page. The winfo.txt file will have no reference to these added configuration files, so subsequent editing of the customized HTML page will not remove them. If you start the Deployment Wizard on the server to update an existing configuration that has one or multiple sessions defined and this configuration s HTML page has been referenced by a user, some session configuration files might be deleted when the updated HTML page is created. You can avoid that situation by either stopping the Web server or use the stand-alone Deployment Wizard, creating the zip file, and extracting and copying the files into the productive library structure. 136 IBM WebSphere Host On-Demand: Version 5 Enhancements

153 If a user is allowed to modify any configuration setting, such as keyboard map, color, macros, etc., and is allowed to save them locally, there is an exposure of these settings being overwritten. When the custom HTML page is loaded from the server the params.txt file is loaded from the server and the FileSelectorPanel.version line is checked against that line in the client copy of the params.txt file. If the version number is higher on the one obtained from the server, then the configuration files, cfgx.cf, on the client workstation are erased and replaced with the versions on the server. Simply loading the custom file into the Deployment Wizard and paging through the panels will modify the FileSelectorPanel.version line in the params.txt file even if no changes are made. Great care must be taken when this model is used. 6.6 Distributing custom HTML pages Once the custom HTML pages have been created they need to be distributed to the production server. The process is rather straightforward. In general you should FTP, or otherwise transfer all the files created, maintaining the relative directory structure. All files and directories are case sensitive on all environments; therefore, make sure you transfer files and maintain case. On UNIX and OS/390 systems the permissions of the files must be set to 666. A sample command is chgmod 666 *.html There are some special considerations when transferring to an OS/390 system OS/390 considerations When transferring files to your OS/390 system, there are two very important rules you must follow in addition to the rules already discussed above. Client browsers operate in ASCII, and all the text files generated by the Deployment Wizard are in ASCII. However, the MVS system is an EBCDIC system, and as such when text files are FTPed from an ASCII system to MVS they will be, by default, translated to EBCDIC. This would create many problems, so to resolve the problem you must transfer the three text files, params.txt, custom.html, and Autocustom.html, to the MVS system in binary and add the.ascii extension to the end of the file name in the process. By adding the.ascii extension we tell the MVS system that the data is already in ASCII format and not to try to translate it when serving it to a client. Below are the FTP commands that would be used to FTP these files to the MVS System. Chapter 6. Deployment Wizard 137

154 Assume that we have an FTP connection and that local directory is positioned in the directory containing the HTML files, and the remote system is positioned in the server s published directory. Comments are shown in italics and not meant to be entered. bin set the FTP mode to binary put custom.html custom.html.ascii put Autocustom.html Autocustom.htm.ascii cd HODData change the remote directory mkdir custom create the target directory cd custom change to the target remote directory put params.txt params.txt.ascii 138 IBM WebSphere Host On-Demand: Version 5 Enhancements

155 Chapter 7. Native authentication User ID and password management has become an ever-increasing issue for users as the number of systems and applications that require authentication continue to grow. In order to save a user s preferences at the Host On-Demand server, a user ID is required to uniquely identify the user. This ID is used as the index under which the user s preferences are stored in the repository. Host On-Demand does not require passwords to be implemented with the user ID; however, most customers implement a password for an additional level of identification. Because of the platform-independent nature of Host On-Demand, this user ID and password management as implemented by Host On-Demand is independent of any other user ID and password management system. Host On-Demand Version 5 still requires the administrator to define and manage user IDs when a registered user model is implemented, but with the introduction of the native authentication component we allow the administrator to associate the Host On-Demand user ID with a user ID and password on the native operating system. The native platform authentication service allows users to log on to Host On-Demand using the same password as they would to log on to the operating system (Windows NT, AIX or OS/390) where Host On-Demand is active. When a user logs on to Host On-Demand, their password is validated against the system password, rather than a separate Host On-Demand password, thus providing the customer with the following benefits: Reducing the number of passwords that the end user must remember. In many cases this means that the user will have only one password to remember. Better security, and a reduction in the administrative workload for the Host On-Demand administrator by delegating password management to an administrative system that can implement a password management policy that typically includes: - Enforcement of password rules - Enforcement of password expiration times - Ability to revoke access by invalidating a password Copyright IBM Corp

156 Client 1 HOD Service Manager (Java code) N ative Interface ("C " code) 3 4 jo h n s m ith pw=nativepw O.S. (native) data 2 js m ith pw=hodpw native=yes na tive ID = johnsm ith... Figure 64. Native authentication login flow When a user logs on (1), the user ID and password are sent to the Host On-Demand Service Manager. The Service Manager sends a request for logon information about the user to the LDAP server (2). The LDAP server returns a message indicating if the user is configured for native authentication. If the user is not configured for native authentication the password stored in the LDAP directory server is returned to the Service Manager. If the user is configured for native authentication the native ID stored in the LDAP directory is returned along with an indicator that native authentication should be invoked. The Service Manager checks the returning information from the LDAP directory server. If the user is configured to use native authentication, the Service Manager sends the user ID and the password to be authenticated to a Host On-Demand module written in C and compiled for the specific operating system (3). That module will invoke the appropriate native operating system security call to validate the user ID and password combination (4). If the user is not configured for native authentication, the Service Manager compares the password that was entered by the user with the password returned by the LDAP server. If the user ID and password are successfully validated by the operating system, processing continues. All other returns will result in an invalid password error message as shown in Figure 65 on page 141. Other than a legitimately invalid password, one of the most common reasons for this return message will be an expired password. There is no mechanism within Host On-Demand to intercept an expired password and prompt for a new one. The user will be required to correct this condition via a some other interface and then log on again to Host On-Demand. 140 IBM WebSphere Host On-Demand: Version 5 Enhancements

157 Figure 65. Native authentication failure 7.1 Native platform authentication requirements Native platform authentication service must be installed on a Windows NT, AIX, or OS/390 Host On-Demand server. On Windows NT, native platform authentication requires Windows NT Server or Windows Advanced NT Server (LANMAN) with a non-null domain. The native authentication function is not supported on Window 2000 Server in the initial release of Host On-Demand. On the Host On-Demand server, LDAP directory services must be enabled and configured for native authentication individually for each user that is to use native authentication, refer to 5.5, Native platform authentication on page 95. The LDAP directory server may reside anywhere in the network and may run on any platform. Follow the steps below to use native platform authentication with Host On-Demand: 1. Enable Windows NT users for native authentication. 2. Start the native platform authentication service. 3. Configure current users for native authentication. 7.2 Installation and activation of native authentication service The files to support native platform authentication are installed with the Host On-Demand server during the installation process. With Windows NT some additional installation steps are required as defined below Windows NT The operating system must be Windows NT Server or LANMAN. Windows NT Workstation and Windows 2000 will not work. Chapter 7. Native authentication 141

158 On Windows NT, native authentication runs as a service, IBM ODS Platform Authentication Service Update the registry On Windows NT, the following additional steps are required to update the registry: 1. Use regedit to locate the following registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\IBM\GSK\CurrentVersion\LibPath Copy the value for this entry, for example c:\programfiles\ibm\gsk\lib, and add it to the path system variable. System variables can be edited using the Environment tab of the System icon in the Control Panel. 2. Define a new environment variable, hod_dir, and set its value to the drive letter where Host On-Demand is installed. The hod_dir environment variable is used by the registry settings to locate HOD. To update the variable, select Start -> Settings -> System, select the Environment tab, and add a system variable hod_dir=x:, where x is the drive where HOD is installed. It must be a system variable, not a user variable, so that the services can use it. 3. Using Windows NT Explorer, locate the odsrapd.reg file in the Host On-Demand bin directory, and double-click the file to add the registry settings defined in the file. Important There will be two odsrapd files, odsrapd.exe and odsrapd.reg. Make sure you are selecting the odsrapd.reg file verifying that the type attribute is Registration Entries not Application. 4. Using regedit, find the registry value for: HKEY_LOCAL_MACHINE\SOFTWARE\IBM\On-Demand Server for Windows NT\2.0\installpath Edit the installpath value so that %hod_dir% is replaced with the drive letter where Host On-Demand is installed. For example, if Host On-Demand is installed on the d drive, change: %hod_dir%\hostondemand\private to d:\hostondemand\private 5. Reboot the server. 142 IBM WebSphere Host On-Demand: Version 5 Enhancements

159 Once you reboot, you can go to the Services panel by clicking Start -> Settings -> Services, and you should see the IBM ODS Platform Authentication Service showing as started Set user rights policies The final step is to set the proper User Rights in the Policies section of the User Manager. To set the correct user rights in the Windows NT system follow these instructions: 1. Open the User Manager on Windows NT. This is normally found under: Start > Programs -> Administrative Tools (Common) -> User Manager. Figure 66. Windows NT User Manager 2. Click Policies > User Rights from the menu bar of the User Manager. 3. Check Show Advanced User Rights. 4. In the Right field, select Log on as a batch job. Chapter 7. Native authentication 143

160 Figure 67. Advanced user rights 5. Click Add. 6. Select, from the Names field, users who will be using native platform authentication and click Add. To add members of a group, select the group and click Members. As you add users, the users' names are displayed in the Add Names field. We recommend that you either allow the group of all users, Everyone, or create a group, such as Host On-Demand, and include all Host On-Demand users in this group. Figure 68. Adding authorized users 7. When you are finished adding users, click OK to close the Add Users and Groups window and save your changes. 8. Click OK to close the User Rights Policy dialog. 144 IBM WebSphere Host On-Demand: Version 5 Enhancements

161 You can now exit the User Manager. All users that were granted the right to log on as a batch job can be authenticated using the native platform authentication service. The native platform authentication service is started from the Windows NT Services menu. By default, this service is set to start automatically OS/390 The native authentication code runs as a separate executable module called HODRAPD, which is invoked using the hodrapd.sh script. The HODRAPD module is installed during SMP/E CALLLIBS processing and it is automatically link-edited during the JCLIN CALLLIBS processing in the APPLY process. When the Native Platform Authentication Service is started from UNIX System Services (USS), the HODRAPD module is executed from SYS1.LINKLIB or your alternate LINKLIB data set. If you choose to move the HODRAPD module to an alternate LINKLIB data set, that data set must be accessed by the system LNKLST or LPALIB. During installation of Host On-Demand Version 5, the hod50mvs.sh shell script not only untars the Host On-Demand Version 5 product, it also creates the necessary link so that when the user starts native authentication with hodrapd.sh, the HODRAPD load module is executed. The native authentication code logs its messages to the syslog, which may need to be configured to log the desired level of messages. The hodrapd module writes its messages to the user.* entry in the syslog file. To start the native authentication code, run hodrapd.sh (located in the /usr/lpp/hod directory). The shell script must be started by a user with root authority. It is recommended that you start HODRAPD from the console rather than from an OMVS session. The following is a sample procedure used by ITSO to start HODRAPD: Chapter 7. Native authentication 145

162 ********************************* Top of Data ********************************** //HODRAPD PROC //* HOST ON DEMAND VERSION 5 - Golden Master - 8/24/2000 //HODSRVG EXEC PGM=BPXBATCH,REGION=0M,TIME=NOLIMIT, // PARM='sh /usr/lpp/hod/hodrapd.sh' //SYSPRINT DD SYSOUT=A //SYSERR DD SYSOUT=A //SYSOUT DD SYSOUT=A //STDENV DD DSN=TCPIP.TCPPARMS(HODENV),DISP=SHR //SYSIN DD DUMMY //STDOUT DD PATH='/tmp/HODRAPD.stdout', // PATHOPTS=(OWRONLY,OCREAT,OTRUNC), // PATHMODE=SIRWXU //STDERR DD PATH='/tmp/HODRAPD.stderr', // PATHOPTS=(OWRONLY,OCREAT,OTRUNC), // PATHMODE=SIRWXU ******************************** Bottom of Data ******************************** After starting the service you should verify that it started correctly by checking the syslog for a starting message from odsrapd. If you installed using the examples provided in this book the message will be in the file rapd.out. Alternatively, you may verify that the service started. You can check the MVS console for a starting message, or you can run the following command: netstat -a Look for the user ID that has a local socket = value, where the user ID is the user who started the process AIX To start the program, a user with root authority must execute the shell script odsrapd.sh, which is located in the directory: /usr/opt/hostondemand/bin. The syntax for the start is as follows: odsrapd.sh [parameters] Where the parameters are as follows: -l Enables logging. You can also specify -L, /l, or /L. Note: Native authentication code logs its messages to the syslog, which may need to be configured to log the desired level of messages. -txx 146 IBM WebSphere Host On-Demand: Version 5 Enhancements

163 Sets the socket time-out to some other value instead of the default 20 seconds. You can also specify -T, /t, or /T. xx is the new time-out value. -cxx Specifies the number of requests the server will allow. You can also specify -C, /c, or /C. xx is the new number of requests the server will handle. The native authentication code uses the syslog to logs its messages. If you do not already have one defined you may need to configure one in order to log the desired level of messages. One of the key prerequisites is that the log must exist prior to odsrapd trying to access it. The syslog can be configured to report any level of message desired, but initially it is best to get all levels (debug). Once everything is working well, you can restrict the message reporting to just errors (crit). Modifying syslog information will require root authority. Adding the following line to the end of the /etc/syslog.conf file will log all messages to /etc/hod/rapd.out. user.debug/etc/hod/rapd.out The syslog daemon will not log the messages if the file does not exist; therefore, you must create the rapd.out, if it does not already exist. Finally, stop and restart syslogd so that it reads its new configuration file. Before you run the shell script for the first time, you will need to change the permissions on both the odsrapd.sh shell script and the odsrapd executable. You should verify that the native authentication code started correctly by checking the syslog for a starting message from odsrapd. This message will be in the file rapd.out if you used the sample provided here Debug information If you have problems getting native authentication working you will need the following information to assist in debugging the problem: System type User s Host On-Demand and native user IDs User s error message Host On-Demand Service Manager trace with level 3 debug messages Native authentication logged messages (syslog messages on AIX and OS/390), or the event viewer application log for Windows NT. Chapter 7. Native authentication 147

164 148 IBM WebSphere Host On-Demand: Version 5 Enhancements

165 Chapter 8. Configuration servlet The traditional technique for retrieving and saving user preferences is for the Host On-Demand client to talk directly to the Host On-Demand configuration server via a predefined port, 8999 by default. Although efficient, it has two drawbacks when used in an environment that demands security: 1. It requires an additional port to be opened through a firewall. 2. The data is not encrypted, it flows in the clear. To resolve these issues, Host On-Demand Version 5 introduced a servlet to tunnel the configuration information between the client and the servlet over an HTTP(S) connection, and then to pass that information on to the Host On-Demand configuration server of choice over the defined configuration port. This resolves both of the above-mentioned issues by using the existing HTTP(S) port already open through the firewall, and the encryption of the data by using HTTPS. The implementation of the configuration servlet requires either a Web server that can manage servlets, such as Lotus Domino Go Server, or a Web application server such as WebSphere Application Server. There are many products that are capable of running the configuration servlet, and the configuration procedure for each is different. However, we will provide a procedure for configuring the IBM WebSphere Application Server Version 3.5 running on Windows NT. If you are using a different release level of WebSphere Application Server the panels and navigation instructions will be different. 8.1 Configuring WebSphere Application Server WebSphere Application Server installs a default servlet engine. We provide an example of how to install the configuration servlet using the graphical interface on a Windows platform, and how to install the servlet using the XMLConfig batch utility that was introduced with WebSphere Application Server (WAS) V3.5. The graphical interface scenario will show how to install the configuration servlet running under the default servlet engine. For the scenario using the XMLConfig batch, we provide a sample that defines a new application to host the configuration servlet in addition to using the default application. Copyright IBM Corp

166 8.1.1 IBM WebSphere graphical configuration Open the WebSphere Administrator's Console by clicking Start -> Programs -> IBM WebSphere -> Application Server V3.5 ->Administrator's Console. Once the Administrator's Console is up, you will see an icon that contains the name of your server. This is your node name. You must expand that tree by clicking on the + sign and then expand the Default Server and the Default Servlet Engine icons Set WebSphere alias A WebSphere Application Server can provide a platform for multiple hosts. Each of these hosts is represented by a virtual host name and a list of one or more DNS aliases by which it is known. When a servlet request is made, the server name and port number component of the URL is compared to a list of all known aliases in an effort to locate the correct virtual host and serve the servlet. If no match is found, an error is returned to the browser. When no port number is specified in the URL, port 80 is assumed. If you will use any port other than port 80, including port 443 for HTTPS, you must add an alias statement with that port number specified. There are several conditions that may not be obvious that will require you to add an alias: If your URL specifies a port number, then you must define an alias that includes the port number. If you will use HTTPS to connect with your WAS server, you must define an alias with the port number that HTTPS is using, even if you are using the default port of 443. If your Web server is host for multiple IP addresses, each IP address must have an alias and appropriate port number(s), Let us illustrate with the following as shown in Figure 69. Assume the Web server has two network cards and two addresses (meaning two virtual hosts) and either address may use HTTP and HTTPS, the internal address is (bigtex.itso.ral.ibm.com), and the external address is IBM WebSphere Host On-Demand: Version 5 Enhancements

167 Internet Firewall Web server WebSphere Host On-Demand intranet bigtex.itso.ral.ibm.com Figure 69. WebSphere alias environment Table 10 illustrates the required alias rules. Table 10. WebSphere alias examples Reference URL (usable only from the WebSphere machine) (usable from the WebSphere machine) Required alias localhost bigtex.itso.ral.ibm.com bigtex.itso.ral.ibm.com:443 bigtex bigtex: :443 Chapter 8. Configuration servlet 151

168 If the Web server is properly configured for all the connections and ports prior to the installation of the WebSphere Application Server, the WebSphere Application Server will add all the appropriate aliases; however, if anything changes, you must update the aliases manually. To set the required aliases you must first select default_host then select the Advanced tab as shown in Figure 70. Next, scroll down to an empty alias field and from here enter the required alias. Repeat this process until all aliases are entered, then press Apply. Figure 70. WebSphere default_app alias Adding the classpath You must now add an entry to the classpath for the application that hosts the configuration servlet, default_app in this example. Select the default_app entry in the left-hand pane, then select the Advanced tab from the resulting right-hand pane (see Figure 71). 152 IBM WebSphere Host On-Demand: Version 5 Enhancements

169 Figure 71. Select default application You will see a frame called Classpath. This is where you will add the location of the cfgsrvlt.jar file. Select one of the empty entry boxes under Classpath and type the location of the cfgsrvlt.jar file, for example C:\hostondemand\lib\cfgsrvlt.jar. You must click the Apply button to update the classpath Adding the servlet The next step is to add the Host On-Demand configuration servlet, so select the default application using the right mouse button to display the context menu. From that menu select Create to display the next context menu where you then select Servlet (see Figure 72). Chapter 8. Configuration servlet 153

170 Figure 72. Create servlet, step 1 The resulting window is shown in Figure 73. On this window there are three required fields and one optional field: Servlet Name: the name of the servlet as it will be known to WebSphere (required). Web Application: the name of the Web application will be displayed (required). Description: a textual description of the servlet, for example Host On-Demand configuration servlet (optional, but recommended). Servlet Class Name: the full name of the class for this servlet. This is a required field and the value must be com.ibm.enetwork.hodutil.services.remote.hodcfgservlet; Servlet Web path list: the string that will be used in the URL to identify the servlet. The servlet name may be any name you wish to use in your URLs, we used HODConfig. The Description field is optional and is used only as comments. The Servlet Class Name field is critical and must be specified exactly. It is 154 IBM WebSphere Host On-Demand: Version 5 Enhancements

171 recommended that you cut and paste it directly from the help file. The value is com.ibm.enetwork.hodutil.services.remote.hodcfgservlet. Figure 73. Create servlet, step 2 Lastly, you must click the Add button, which will display the Add Web Path to Servlet window (see Figure 74). Here you enter the alias of this servlet, for example /servlet/hodconfig. Note the complete string: /servlet/hodconfig This will be the value that must be specified in the URL when accessing the configuration servlet. To leave this window select the OK button to return to the previous window (Figure 73) where you must then click the OK button. Chapter 8. Configuration servlet 155

172 Figure 74. Create servlet, step 3 Upon return to the main Create Servlet panel you must select the Advanced tab. This will display the panel shown in Figure 75 into which you may specify the parameters as described in Table 11 on page 157. These parameters are optional. You need to specify them only if they differ from the defaults shown in Table 11. It is recommended that you specify at least the ConfigServer, ConfigServerPort, and the ShowStats parameters as shown in Figure 75. Figure 75. Servlet parameters Specifying the ShowStats as true is recommended so that you can easily verify if the servlet is working properly before deploying the servlet. Once all windows are completed, select the Finished button. 156 IBM WebSphere Host On-Demand: Version 5 Enhancements

173 The Host On-Demand applets will recognize the following parameters that are specified in the definition of the configuration servlet. Table 11. Configuration servlet parameters Parameter Default Values Description ConfigServer Host name or address of the Host On-Demand configuration server. ConfigServerPort 8999 Port Number of the Host On-Demand configuration server. This must match the port that the target configuration server is listening on. Trace false When set to true, the configuration servlet writes servlet messages to the servlet engine log file, and to the browser when requested, for debugging purposes. ShowStats false When set to true, allows the configuration servlet to return configuration information and statistics to browser requests. To invoke this option specify info as the parameter passed to the applet. See , Testing the servlet on page 158. BufferSize 4096 Size of the buffer to use on buffered input or output streams. PoolSize 5 Size of the buffer or socket pool to maintain. To turn off pooling, set PoolSize to Start the default server To enable the servlet the default server must be stopped and started. To stop the default server highlight it and either click the Stop icon on the toolbar, or click the right mouse button to display the context menu and select Stop. You must wait until you receive the panel, shown in Figure 76, indicating that the server has stopped. This process could take some time. Figure 76. Default server stopped Chapter 8. Configuration servlet 157

174 Select OK to clear the information panel, then start the server by selecting Start from the context menu of the default server. Again, you must wait for the information panel (see Figure 77) for the process to complete. Figure 77. Default server started Testing the servlet After restarting the default server it is recommended that you test the servlet by invoking the ShowStats function. This is done by specifying the following URL from a browser: Using the example just created the URL would look like the following: When successful your browser will return a window similar to that shown in Figure IBM WebSphere Host On-Demand: Version 5 Enhancements

175 Figure 78. Servlet information 8.2 Enabling clients There are two ways to enable a client to use the configuration servlet: 1. Set the ConfigServerURL parameter in the config.properties file. When this parameter is detected in the config.properties file all clients will use this method of communication with the Host On-Demand configuration server. 2. Set the ConfigServerURL parameter in the HTML file used to launch the Host On-Demand client. This technique allows the administrator to specify which clients use the configuration servlet, such as external users, and which clients use the configuration server directly, such as internal users. Chapter 8. Configuration servlet 159

176 8.3 Specifying the location of the configuration servlet There are two ways to specify the location of the configuration servlet, the direct reference and the indirect reference Direct reference The direct reference is a complete URL. It includes the protocol, HTTP or HTTPS. For example, if you specify: you force the applet to use an encrypted HTTP connection to contact the Host On-Demand configuration servlet running on hodserver.raleigh.ibm.com over the default port 443. If this reference is used, the configuration servlet information will flow over an encrypted session even if the URL used to load the Host On-Demand client specified an unencrypted session, for example This technique may also be used to force the login to a machine other than the one used to load the client. Refer to 8.5, Implementation scenarios on page 165 for an example of how this may be used Indirect reference An indirect reference specifies only a path name on the server which launched the Host On-Demand client. Using this method results in the ConfigServerURL being appended to the host portion of the Host On-Demand applet's URL. For example if the configuration servlet reference was: /HOD/HODConfig and the Host On-Demand applet was loaded using the following URL: then the resulting URL used to contact the configuration servlet would be: This method is more flexible, allowing the reference to be used for HTTP and HTTPS connections from a single specification. 160 IBM WebSphere Host On-Demand: Version 5 Enhancements

177 8.4 XMLConfig Utility If you are using WebSphere 3.5 there is a batch utility, XMLConfig, that may be used to add the configuration servlet. This utility is available on all platforms and is located in the \AppServer\bin directory. To use the utility you must create an XML file that defines the changes that you wish to implement. The general syntax is to invoke the utility: XMLConfig -import filename.xml A complete description of how to use the XMLConfig utility may be found in Chapter 21 of the WebSphere V3.5 Handbook, SG The remainder of this section provides sample XML files to add a configuration servlet to the server Add configuration servlet to default_app In this scenario we will configure the configuration servlet to run under the default_app. The objective is to define aliases to allow secure connections to the configuration servlet, and to add the configuration servlet under the default_app. The result will allow you to specify one of the following URLs to access the servlet: /servlet/hodconfig (a relative URL may be used with HTTP or HTTPS) Note that even though the port number is not specified in the URL it is still required in the definition. The XML input file is shown below: <?xml version="1.0"?> <!DOCTYPE websphere-sa-config SYSTEM "$server_root$$dsep$bin$dsep$xmlconfig.dtd" > <websphere-sa-config> <virtual-host name="default_host" action="update"> <alias-list> <alias>localhost</alias> <alias> </alias> <alias>bigtex</alias> <alias>bigtex.itso.ral.ibm.com</alias> <alias> </alias> <alias>bigtex:443</alias> Chapter 8. Configuration servlet 161

178 <alias>bigtex.itso.ral.ibm.com:443</alias> <alias> :443</alias> </alias-list> </virtual-host> <node name="bigtex" action="locate"> <application-server name="default Server" action="locate"> <servlet-engine name="default Servlet Engine" action="locate"> <web-application name="hod" action="create"> <description>host On-Demand</description> <document-root>c:\websphere\appserver\hosts\default_host\hod\web</document-root> <classpath> <path value="c:/websphere/appserver/hosts/default_host/hod/servlets"/> <path value="c:/hostondemand/lib/cfgsrvlt.jar"/> </classpath> <error-page>/errorreporter</error-page> <filter-list/> <group-attributes/> <auto-reload>true</auto-reload> <reload-interval>9000</reload-interval> <enabled>true</enabled> <root-uri>default_host/</root-uri> <shared-context>false</shared-context> <shared-context-jndi-name>srdsrvltctxhome</shared-context-jndi-name> <servlet name="hodconfig" action="create"> <description>configuration Servlet</description> <code>com.ibm.enetwork.hodutil.services.remote.hodcfgservlet</code> <init-parameters> <parameter name="configserverport" value="8998"/> <parameter name="showstats" value="true"/> <parameter name="trace" value="true"/> <parameter name="configserver" value=" "/> </init-parameters> <load-at-startup>false</load-at-startup> <debug-mode>false</debug-mode> <uri-paths> <uri value="/hodconfig"/> <uri value="/hodconfig"/> </uri-paths> <enabled>true</enabled> </servlet> </web-application> </servlet-engine> 162 IBM WebSphere Host On-Demand: Version 5 Enhancements

179 </application-server> </node> </websphere-sa-config> Note It is recommended that you export the existing WebSphere Application Server definition prior to beginning. Next, copy the alias virtual host definitions from the exported file and paste them into your new file and add any additional aliases you require. In our lab environment we discovered that when the XMLConfig utility was run and virtual host aliases were present, XMLConfig did replace the existing definitions with the one specified in the deck, not an update. If the action is updated and the item does not exist, then it will be created Add configuration servlet to new application In this scenario we will define a new application, HOD, to run under the Default Servlet Engine, and to define the configuration servlet to run under the new application, HOD. We also define aliases to allow secure connections to the configuration servlet as we did in the scenario described in 8.4.1, Add configuration servlet to default_app on page 161. The result will be the same except that the URL will be as one of the following: /HOD/HODConfig This scenario we will define a new application, HOD, and configure the configuration servlet to run under the HOD. The procedure is similar to the scenario described in 8.4.1, Add configuration servlet to default_app on page 161. The XML file used is as follows: <?xml version="1.0"?> <!DOCTYPE websphere-sa-config SYSTEM "$server_root$$dsep$bin$dsep$xmlconfig.dtd" > <websphere-sa-config> <virtual-host name="default_host" action="update"> <alias-list> <alias>localhost</alias> Chapter 8. Configuration servlet 163

180 <alias> </alias> <alias>bigtex</alias> <alias>bigtex.itso.ral.ibm.com</alias> <alias> </alias> <alias>localhost:443</alias> <alias> :443</alias> <alias>bigtex:443</alias> <alias>bigtex.itso.ral.ibm.com:443</alias> <alias> :443</alias> </alias-list> </virtual-host> <node name="bigtex" action="locate"> <application-server name="default Server" action="locate"> <servlet-engine name="default Servlet Engine" action="locate"> <web-application name="hod" action="update"> <description>host On-Demand</description> <document-root>c:\websphere\appserver\hosts\default_host\hod\web</document-root> <classpath> <path value="c:/websphere/appserver/hosts/default_host/hod/servlets"/> <path value="c:/hostondemand/lib/cfgsrvlt.jar"/> </classpath> <error-page></error-page> <filter-list/> <group-attributes/> <auto-reload>true</auto-reload> <reload-interval>9000</reload-interval> <enabled>true</enabled> <root-uri>default_host/hod</root-uri> <shared-context>false</shared-context> <shared-context-jndi-name>srdsrvltctxhome</shared-context-jndi-name> <servlet name="hodconfig" action="update"> <description>hod Configuration Servlet</description> <code>com.ibm.enetwork.hodutil.services.remote.hodcfgservlet</code> <init-parameters> <parameter name="configserverport" value="8998"/> <parameter name="showstats" value="true"/> <parameter name="configserver" value=" "/> <parameter name="trace" value="true"/> </init-parameters> <load-at-startup>false</load-at-startup> <debug-mode>false</debug-mode> <uri-paths> <uri value="/hodconfig"/> <uri value="/hodconfig"/> 164 IBM WebSphere Host On-Demand: Version 5 Enhancements

181 </uri-paths> <enabled>true</enabled> </servlet> </web-application> </servlet-engine> </application-server> </node> </websphere-sa-config> 8.5 Implementation scenarios In addition to the obvious use with firewalls, the configuration servlet opens other new ways to deploy Host On-Demand and solve some very difficult issues. We will explore only two Load balancing Let us assume that a company wants to deploy Host On-Demand using a redundant, highly available solution, and also wishes to use the registered user model. In prior releases only one option was available for them: to implement an LDAP directory server to house all user IDs and preferences for all servers, thus providing central management. With Version 5 an additional option is available: to deploy the configuration servlet and route all login requests to a central system, such as the OS/390, and maintain the information in the Host On-Demand native data store. In this example the customer would have two or more Web servers configured in a redundant load balancing configuration, or the simply two or more servers in physically separate locations providing alternate access points. In either case the servers would be configured identically with the following components: A Web server A Host On-Demand server A configuration servlet running on a Web server that support servlets, Lotus Domino Go Web Server, WebSphere Application Server, or some other Web application server. The servlet would be configured to route all requests to a centralized third server. See Figure 78 on page 159. The distributed Host On-Demand systems would not be configured to accept client login requests. Instead they would deploy the configuration servlet, which would route the login requests to the OS/390 based Host On-Demand system, or some other system that processes user login requests. The advantage of this scenario is that all the distributed Host On-Demand servers Chapter 8. Configuration servlet 165

182 could be exact clones of one another, and an LDAP directory server would not be required, while still allowing all login processing to be centralized. The remote Host On-Demand servers would be optimized for Web serving exclusively and any platform, or combination of platforms, could be used Native authentication Let s assume the same scenario as described above, but now add the requirement that all users must use their RACF user ID and password. The only modification to the previous scenario would be to deploy native authentication on the OS/390 system. Refer to Chapter 7, Native authentication on page 139 for details on how to configure that system. The result would be that regardless of the platform(s) chosen to deploy distributed IBM WebSphere Host On-Demand servers, all users logging in would do so on the same system. HOD Servers A B Load balancing HTTP(S) Port 8999 HOD Server C Client HTTP(S) applet download HTTP(S) Log in Network Port 8999 OS390 Figure 79. Servlet with native authentication 8.6 Problem determination You can access trace, configuration and statistic information from the configuration servlet for debugging purposes. To access trace information you need to set the Trace parameter to true for the configuration servlet. To view the trace, load the following URL into your browser: The configuration servlet's trace information will be displayed in the browser and written to the servlet engine's log file. 166 IBM WebSphere Host On-Demand: Version 5 Enhancements

183 Chapter 9. Express logon Many of the commonly used interfaces to automatically log on users to host applications expose RACF passwords and introduce the risk of severe security breaches. Such techniques include: Storing passwords in server databases Storing user IDs and passwords in cookies Including user IDs and password in URLs The express logon feature provides an extremely secure method for automating the log on process. The express logon feature allows a user to log on to System/390 host applications without having to type in a user ID and a password. The users need not memorize user ID(s) for the different host applications they are authorized to use. What they will need instead is a client certificate that is used to identify them and to check if the have been authorized for the specific application they are trying to access. This then effectively eliminates the possible security risk of users selecting trivial passwords or writing down passwords and even leaving them on their desks. Integrating 3270 host access into, for example, Web portals will be easier to implement because express logon makes the process of logging on to host applications more consistent with the user authentication used for accessing other Web applications. 9.1 Overview In order to use the express logon feature, the user, or the administrator, must record a Host On-Demand macro containing the express logon support. This macro then either can be automatically started when the host connection is established, or the user selects the application he wants to log on to by starting the macro that was recorded for logging on to that application. Instead of a user ID and a password, the macro contains placeholder variables for user ID and password, which are replaced by the TN3270 server with the user s actual user ID and a PassTicket before the log on request is forwarded to the application. That means, that the user will not even be able to see the user ID used for his log on to the host application. The user ID and PassTicket are only seen by RACF and the Telnet server, and are passed between them over a secure connection. The technique of using variables for user ID and password in the log on macro then makes it possible to automate the host application log on, and Copyright IBM Corp

184 use the same macro for all users of a given application. Some possible scenarios are: The administrator configures individual user accounts and sets up sessions with log on macros for all major applications that can be started by the user. The administrator configures a general-use user account with a session for every major application, set up to automatically start the express logon macro for that application. The administrator uses the Deployment Wizard to customize an HTML page that automatically launches a host connection and starts the log on macro in order to navigate the user directly to the start point in his application. In this scenario, the user does not have to enter any user ID or password (except, maybe, to connect to the Web server). HOD Client S/390 Application Server CS/390 R10 DCAS RACF TCP/IP SNA SSL SSL CS/AIX CS/NT CS/2 Web/HOD Server TN3270 Server Figure 80. Express logon overview The express logon feature has been implemented using a three-tier client-server approach. Figure 80 gives an overview of the different components needed to implement the express logon feature and the types of network connections used for information exchange between those components. The Host On-Demand client downloads its code from the Host On-Demand server and establishes a TN3270 connection to its TN IBM WebSphere Host On-Demand: Version 5 Enhancements

185 server requesting SSL and client authentication. Any workstation capable of activating this type of Host On-Demand Version 5 client is supported. The TN3270 server communicates over TCP/IP with the Digital Certificate Access Server (DCAS) function of Communications Server for OS/390 to request a user ID and password and establishes the LU-LU session to the host application over SNA. DCAS uses RACF to retrieve the user ID that is associated with the client s certificate and to generate a PassTicket that is used when logging on to the host application. DCAS is a new function of Communications Server for OS/390 that was enabled with APAR PQ The PassTicket is used by the express logon facility instead of a normal password. The PassTicket is randomly generated using a well-known algorithm, refer to 9.5, The RACF-secured sign-on PassTicket on page 173, and is valid only for ten minutes. If for any reason the time between generating a PassTicket and its use in the application s log on processing exceeds this time period, the log on will fail and the user must try again. 9.2 System requirements At the time of the writing of this book only IBM products support the express logon feature. An OS/390 V2R10 MVS system is required with the following components: Communications Server for OS/390 V2R10 plus PTF PQ41276 Provides SNA and TCP/IP transport, and the Digital Certificate Access Server (DCAS) which supports the express logon feature by interfacing to the TN3270 servers and RACF. Security Server for OS/390 V2R10 (RACF) Provides general security services and services for digital certificates and PassTickets. RACF APAR OW44393 is required when using one of the following: - TSO with Generic Resources and PTKTDATA Class profiles. - Applications with shared user IDs that could access the application simultaneously. RACF requires the PTKTDATA profile to specify APPLDATA( NO REPLAY PROTECTION ) One of the following TN3270 servers is required as the middle-tier server: Communications Server for AIX V with APAR IY12323 Chapter 9. Express logon 169

186 Communications Server for OS/2, V6.1 Communications Server for NT and Windows 2000, V Application requirements In order for an application to be accessed using the express logon feature, it must satisfy the following requirements: The target application must utilize RACF services for end-user log in. One of the following configurations must be in place for the express logon environment: - The target application must reside on the same host as the DCAS and RACF servers. - A shared RACF environment across multiple hosts must be in place for each host on which any target applications reside, as well as the host where DCAS and RACF are running. - A PassTicket data class profile (PTKTDATA) must be defined on each target RACF system (that is, the host where DCAS is running, and any host where RACF and a target application is located). Any application that uses RACF for log on validation should be a candidate for setting up to use the express logon feature. The following SNA applications have been tested successfully: TSO CICS IMS Tivoli NetView for OS/ Functional description A host session supporting express logon can be started for any type of client; it may be a cached or a download client, it may use the configuration server, (that is, the session definitions are retrieved from the Host On-Demand server using a user ID and password), or a customized HTML page with all session definitions having been created using the Deployment Wizard. The functional flows for logging on to an host application are identical for all types of clients set up for using the express logon facility. Figure 81 shows the different functions involved and the information flows between those functions: 170 IBM WebSphere Host On-Demand: Version 5 Enhancements

187 1. The user references a Host On-Demand HTML page that downloads the Host On-Demand code (or loads the cached client from its local disk) and starts an emulator session. The session definitions are being retrieved either from Host On-Demand s configuration server or directly from the HTML page referenced. The session definitions must specify that this session uses SSL encryption with client authentication and an express logon macro must be available to the user. 2. The certificate file is unlocked with a PIN and the user s (X.509) certificate is retrieved to be used during the SSL handshake flows. 3. The Host On-Demand client starts a TN3270 connection to its TN3270 server requesting SSL encryption with client authentication using an X.509 certificate. The certificate is sent to the TN3270 server and, after having been validated, is saved for later reference at the TN3270 server for this session. During the Telnet function negotiation, the express logon facility (ELF) is agreed upon using the handshake protocol described in RFC User 1 4 Macro Emulator 2 Certificate Workstation 3 5 TN3270 Server Communications Server 6 Certificate Applid User ID Passticket 9 8 DCAS 7 RACF 10 Application Host Figure 81. Express logon information flow 4. A macro recorded for this session supporting the express logon facility is started either explicitly by the user or automatically when the host connection is initialized. Before recording the macro, an application ID had to be specified for this macro. This application ID must be the name under which the destination application is known to RACF on the application host. Chapter 9. Express logon 171

188 5. The application ID is sent to the TN3270 server using the Telnet handshake protocol in order to make the TN3270 server aware of which application the user intends to connect to using an express logon macro. The log on macro is then played and eventually the host application sends the screen(s) designed to prompt for user ID and password (can be on different screens). Instead of filling in a previously recorded user ID and password or prompting the user to provide them in a separate window (as normal macro processing would be), the macro inserts placeholder strings into the fields for user ID and password ($USR.ID$ and $PSS.WD$, respectively). The TN3270 server intercepts the screens prompting for user ID and password until it can replace the placeholder strings with a valid user ID and password. 6. If this is the first user requesting assistance for the express logon facility the TN3270 server establishes a secure and trusted TCP/IP connection to its configured Digital Certificate Access Server using SSL V3 for encrypting the data exchange flows. If this connection has already been established for an earlier request the existing connection is used. On this connection, the TN3270 server sends a request for a user ID and PassTicket providing the destination application ID and the user s certificate (that was saved for this session during connection establishment). 7. DCAS is a function of Communications Server for OS/390 and interacts with RACF on the S/390 host to verify the validity of the user s certificate. Only certificates for which a user ID has been defined are accepted. If the certificate s associated user ID is, in addition, authorized to access the requested application a PassTicket is generated and, together with the user ID, returned to DCAS. 8. The user ID and PassTicket are sent to the TN3270 server over the secure (SSL-encrypted) TCP/IP connection in response to the previous request. 9. The TN3270 server then replaces the placeholder variable for the user ID ($USR.ID$) on the withheld host log on screen and releases the screen for transmission also over the SNA LU-LU session towards the host application. It subsequently replaces the placeholder variable ($PSS.WD$) for the password with the PassTicket when the host screen requesting the password shows up, if it is not already replaced on the primary log on screen together with the user ID. 10.The host application presents the user ID and PassTicket (received in the 3270 data stream) to RACF in order to check if the user is authorized to log on to this application. The PassTicket should still be valid (unless you 172 IBM WebSphere Host On-Demand: Version 5 Enhancements

189 have severe performance problems in your system) and RACF will hence grant access to the application. Once the express logon macro successfully ends processing, users will see exactly the same application screen as if they had manually logged on or used a traditional macro that prompts for user ID and/or password. If a user has finished their task using the host application they may log off manually or using a previously recorded macro. They are then free to start a macro (with or without express logon support) to initialize a session with the same or another host application. 9.5 The RACF-secured sign-on PassTicket RACF provides an alternative to the normal RACF password that remains the same for a specified time period (usually several weeks) until the user is prompted to enter a new password. The RACF PassTicket is a password generated dynamically on request from a product or function to be used only once. Using PassTickets removes the need to repeatedly send RACF passwords across the network as clear text in the 3270 data stream. Of course, the 8-byte alphanumeric string of a PassTicket will not be encrypted on a normal 3270 session data stream. But anybody trying to use a PassTicket that he has recorded (by whichever means) will have only limited success. A PassTicket expires within 10 minutes. Express logon enforces encryption only on the Telnet part of the data flows. The LU-LU session may use normal SNA encryption, but this is not required. The algorithm used to generate a PassTicket requires as input: The RACF user ID that identifies the user on the system on which the target application runs. The application name as defined for the target application. The RACF secured sign-on application key used as the encryption key by the DES algorithm that is called several times during the process of generating the PassTicket. Time and date information in the form of a 4-byte number representing the number of seconds that have elapsed since January 1, 1970, at 0000 Greenwich Mean Time (GMT). The RACF PassTicket generator algorithm uses cryptographic techniques to generate from the input information an 8-byte alphanumeric string and ensures that each PassTicket is unpredictable and unique. This algorithm is Chapter 9. Express logon 173

190 described in detail in OS/390 Security Server (RACF) Macros and Interfaces, SC Configuring the client Before you can start recording a macro using the express logon facility you have to define a session that is able to provide express logon support. When recording the macro, the session definitions are not checked, that is, you can record a macro for express logon support that might not work correctly when played. The session must be configured for SSL and client authentication. A client certificate must have been installed on the client or must be accessible from a server. The destination IP address must specify a server that has been set up to support the express logon facility. If the connection to the TN3270 server is through an Host On-Demand Redirector, the security option for the Redirector must be set to Pass-through. The TN3270 server (not the Redirector) has to do the SSL handshake protocol with the client and has to get the client certificate for later user during express logon and, consequently, has to do the client authentication Recording the macro - basic definitions Recording the macro is started the normal way by clicking the Record macro button on the session window s tool bar or by clicking Actions -> Record Macro. The session itself may have been started from a client by logging in as a user and then opening the intended session window. You may also record an express logon macro as an administrator customizing an HTML page that, when referenced, automatically opens the session window, starts the macro, logs the user on to his host application, and navigates the user to the applications start screen. 174 IBM WebSphere Host On-Demand: Version 5 Enhancements

191 Figure 82. Recording the express logon macro - getting started Figure 82 shows the sequence of the first three windows that appear when you start recording an express logon macro. On the first window you have to specify the name of the new macro (of course, you may also append to or overwrite an existing macro). Mark the Express Logon Feature check box to indicate that you want to use express logon. Clicking the OK button causes the second window in Figure 82 to appear, prompting you to enter the application ID of the application you want to log on to using this macro. This is name of the application under which it has been defined to RACF on the OS/390 host. Chapter 9. Express logon 175

192 Pick the right application What you have to enter as the application ID is the LU name of the application as defined in VTAM and to RACF. This name might (and in most installations will) be different from what you enter when VTAM prompts you with an USSMSG10. What you enter there in most cases is an USS log on command that is translated by VTAM into LOGON APPLID(applname). This applname then is what has to be entered in this Express Logon Configuration window as the application ID Recording the macro - user ID and password After having entered the application ID and clicking the OK button, the third window in Figure 82 appears that prompts you to actually start recording your actions on the session window. Figure 83. Recording the express logon macro - getting to the user ID field Once you have reached the screen prompting you for the user ID, click the OK button of the third screen in Figure 82. The next window then will ask if this is an alternate start screen. Refer to Figure IBM WebSphere Host On-Demand: Version 5 Enhancements

193 You can define alternate start screens, which can be more than one, in the first or a follow-on editing pass through the macro. This will allow the user to start the macro (or have it started automatically) when the host session is initialized. After having logged off from the application, a different log on screen might be presented to the user (for example, the application s log on screen and not VTAM s USSMSG10). This then will allow the user to use the same macro for one application, independent of where he starts. The next window, when not defining an alternate start screen, asks if there is a user ID field on the current host screen. Selecting Yes and the Next button leads you to a window that lets you define the position of the user ID field on the host screen as shown in Figure 84. Figure 84. Recording the express logon macro - user ID field The simplest way of getting the correct row and column is by positioning the cursor on the user ID input field (normally it will already be correctly positioned) and clicking on the Current button. This will update the input fields in the window with the current cursor position. In the user ID field, fill in a valid user ID. This user ID then will only be used to log on to the host application when recording the macro; it will not be recorded in the macro. A placeholder variable, $USR.ID$, will be placed in the macro and actually filled Chapter 9. Express logon 177

194 into the host screen s user ID field when the macro is played. The TN3270 server then will replace this variable with the user s correct user ID. The next window presented will ask if there is also a password field on the host screen that prompts for the user ID. If you answer Yes, the password field is on the same screen as the user ID field, or after having navigated to the screen prompting for the password, you have to define the position of the password field on the screen on a window similar to the one used for the password field as shown in Figure 84. Also, the password you are entering here is not recorded in the macro. It is only used to actually log on when recording the macro. The macro will again contain the placeholder variable, $PSS.WD$, that will be replaced with the PassTicket by the TN3270 server when playing the macro Recording the macro - finishing steps When you select the Finish button of the window on which you specified the password field location, the left window shown in Figure 85 is displayed giving instructions on how to continue. Only when you really want the user to press the Enter key, or whichever PF key is used for the log on, do you follow the instructions to stop the macro immediately. Otherwise, select on the OK button to remove the window and continue recording your macro until you have reached the application s start window where you want to leave the user. Figure 85. Recording the express logon macro - finishing steps When you stop recording the macro, a final window (shown on the right in Figure 85) will appear asking you whether you want this macro to be automatically started when the session window is initialized. If you select Yes, the corresponding session definitions will be updated. 178 IBM WebSphere Host On-Demand: Version 5 Enhancements

195 9.6.4 The macro The following shows the express logon macro generated to log on to an application called ra03t. You can see that the user ID and password entered when recording the macros have been replaced with the placeholder variables, $USR.ID$ and $PSS.WD$. <HAScript name="tso03" description="express Logon to TSO03" timeout="60000" pausetime="300" promptall="true" author="" creationdate="" supressclearevents="false" > <screen name="screen1" entryscreen="true" exitscreen="false" transient="false"> <description> <oia status="dontcare" optional="false" invertmatch="false" /> <numfields number="1" optional="false" invertmatch="false" /> <numinputfields number="1" optional="false" invertmatch="false" /> </description> <actions> <custom id="application_id" args="ra03t" /> <input value="log ra03t[enter]" row="0" col="0" movecursor="true" xlatehostkeys="true" encrypted="false" /> </actions> <nextscreens timeout="0" > <nextscreen name="screen2" /> </nextscreens> </screen> <screen name="screen2" entryscreen="false" exitscreen="false" transient="false"> <description> <oia status="notinhibited" optional="false" invertmatch="false" /> <numfields number="3" optional="false" invertmatch="false" /> <numinputfields number="3" optional="false" invertmatch="false" /> </description> <actions> <input value="$usr.id$" row="2" col="1" movecursor="true" xlatehostkeys="true" encrypted="false" /> <input value="[enter]" row="0" col="0" movecursor="true" xlatehostkeys="true" encrypted="false" /> </actions> <nextscreens timeout="0" > <nextscreen name="screen3" /> </nextscreens> </screen> <screen name="screen3" entryscreen="false" exitscreen="false" transient="false"> <description> <oia status="notinhibited" optional="false" invertmatch="false" /> <numfields number="55" optional="false" invertmatch="false" /> <numinputfields number="11" optional="false" invertmatch="false" /> </description> <actions> <input value="$pss.wd$" row="8" col="20" movecursor="true" xlatehostkeys="true" encrypted="false" /> <input value="[enter]" row="0" col="0" movecursor="true" xlatehostkeys="true" encrypted="false" /> </actions> <nextscreens timeout="0" > <nextscreen name="screen4" /> </nextscreens> </screen> </HAScript> Chapter 9. Express logon 179

196 9.7 Configuring the TN3270 server The following IBM communications servers have been enabled currently to support the express logon facility: Communications Server for AIX Communications Server for OS/2 Communications Server for Windows NT and Windows 2000 In order to activate the express logon facility you must configure the TN3270 server to support SSL and client authentication. The only additional information needed by the express logon feature is the OS/390 IP address or host name and the port number allocated to DCAS. All three supported TN3270 servers support a connection to exactly one DCAS. When enabling express logon for a secure (SSL) TN3270 port on your server that is currently being used by normal (SSL) TN3270 clients there is a good chance that they might not be able to establish a session with your server. Check the products support sites for the latest code updates for compatibility with express logon. (Remember, there are additional flows during the connection setup phase.) A better idea would be to set up a new port for users requesting support for express logon. A complete tutorial and examples of all supported platforms may be found at: ftp://ftp.software.ibm.com/software/network/library/whitepapers/elf.pdf Communications Server for AIX Communications Server for AIX V with APAR IY12323 is the minimum level required to implement a TN3270 server supporting the express logon facility on AIX. Communications server for AIX offers multiple interfaces to configure your TN3270 server: Using xsnaadmin On the TN3270 server window select Services -> TN3270 Express Logon, or press Ctrl+E, to open the window shown in Figure 86. Here you have to first enable TN3270 express logon, then you will be able to see and fill in the additional fields for the DCAS address and port number. 180 IBM WebSphere Host On-Demand: Version 5 Enhancements

197 Figure 86. CS/AIX xsnaadmin Using Web Admin Go to the TN Server page and click TN3270 Express Logon. This will open the applet window shown in Figure 87. Also here, fill in DCAS address and port number and select YES in the Enable Express Logon? field. Figure 87. CS/AIX Web Admin Using SMIT Go to the TN Server/Redirector page, move the cursor to the field that says TN3270 Express Logon and press the Enter key. This will then bring up the TN3270 Express Logon window. Type the appropriate information into the entry fields (DCAS address, DCAS port number, and YES for enabling express logon support) and press the Enter key after filling in all fields Using the command line For those who like the short track there is also the possibility to configure the server for express logon by entering the following command: snaadmin define_tn3270_express_logon,dcas_server=host2dcas_port=8990 Chapter 9. Express logon 181

198 You will get a message that the command completed successfully and you can display the current settings by entering: snaadmin query_tn3270_express_logon Communications Server for OS/2 Communications Server for OS/2, V6.1 is the minimum level required to implement a TN3270 server supporting the express logon facility on OS/2. Enabling Communications Server s express logon support on OS/2 has to be done by manually updating the definition file (yourname.ndf) that was created when configuring the TN3270 server functions. Figure 88 shows the keywords used for express logon definitions. DEFINE_EXPRESS_LOGON_SUPPORT ENABLED(YES) DCAS_ID( ) DCAS_ID_TYPE(IP_ADDRESS) DCAS_PORT(8990); Figure 88. Definition file keywords You may also specify a host name for the DCAS_ID. You will then have to specify DCAS_ID_TYPE(HOST_NAME). EXPRESS_LOGON_SUPPORT=( EXPRESS_LOGON_SUPPORT_ENABLED=1 DCAS_ID= DCAS_ID_TYPE=0 DCAS_PORT=8990 ) Figure 89. Response file keywords For the response file used to control an unattended installation and configuration of Communications Server for OS/2, the corresponding keywords look slightly different from those shown in Figure 88. Also, here you may specify a host name instead of an IP address. You will then have to specify DCAS_ID_TYPE=1. Using Subsystem management or the command line interface you can display the TN3270 server global settings to check whether the express logon feature is enabled or disabled. 182 IBM WebSphere Host On-Demand: Version 5 Enhancements

199 9.7.3 Communications Server for NT and Windows 2000 Communications Server for NT and Windows 2000, V6.1.1 is the minimum level required to implement a TN3270 server supporting the express logon facility on NT and Windows Configuring Communications Server for NT and Windows 2000 is done using the SNA Node Configuration program. When configuring the SNA node as a TN3270 server, on the start window of the SNA Node Configuration program in the definition hierarchy you will find a new line item underneath the TN3270 Server line item that says ELF support. Clicking on it will bring up the panel shown in Figure 90. Figure 90. NT SNA node configuration On this window you then enable express logon support and specify how to reach the DCAS host. The Node Operations function on a Windows NT or Windows 2000 system only displays whether the express logon feature is enabled or disabled. From node operations, there is no information available which address and port is used and if a connection is currently established to the DCAS host. Chapter 9. Express logon 183

200 184 IBM WebSphere Host On-Demand: Version 5 Enhancements

201 Chapter 10. Telnet-negotiated security The purpose of Telnet-negotiated security is to allow a Telnet session to begin as a non-secure session, but then negotiate a secure session as defined in the IETF INTERNET-DRAFT "TLS-based Telnet Security". The current draft can be found at This draft defines extensions to Telnet that allow TLS to be negotiated over a Telnet connection. The TLS protocol as defined in IETF Standards Track RFC 2246 "The TLS Protocol 1.0" is found at: It allows for negotiation down to SSL. Host On-Demand will always negotiate down to SSL V3, since TLS is a newer level than SSL. Telnet-negotiated security and Express Logon Facility (ELF) may not be enabled at the same time. Telnet-negotiated security is only enabled by CS/390 V2R10 and ELF currently requires a middle-tier server Session configuration In order to implement TLS-negotiated security you must first enable SSL to activate the Telnet-negotiated radio button, then select Yes to the Telnet-negotiated radio button (see Figure 91). Copyright IBM Corp

202 Figure 91. Enable TLS-negotiated security Selecting Telnet-negotiated determines if the SSL negotiation between the client and the server is done on the Telnet connection or on an SSL connection prior to the Telnet negotiations. The other SSL options are valid regardless of whether the Telnet-negotiated radio button is Yes or No. If Yes is selected, then the Telnet protocol defined in IETF INTERNET-DRAFT "TLS-based Telnet Security" will be used to negotiate the SSL security after the Telnet connection is established. This support is only applicable with a Telnet server which supports TLS-based Telnet Security. CS/390 V2R10 is the only IBM Telnet Server at this time which supports this function. If No is selected, the traditional SSL negotiations will be done on an SSL connection with the server, and subsequently the Telnet negotiations with the server will be done. The default is No, because few Telnet servers have this support since this is not yet an RFC. There will be no migration considerations since this is not supported by Personal Communications Manager, and the default is No. The CS/390 documentation refers to this feature as "negotiable SSL". 186 IBM WebSphere Host On-Demand: Version 5 Enhancements

203 10.2 Session negotiation A typical TLS-based Telnet SSL flow is shown in Figure 92. OS/390 TCP/IP TN3270E Server TCP connection establishment SECURE Port unencrypted IAC WILL START_TLS IAC SB START_TLS FOLLOWS IAC DO START_TLS IAC SB START_TLS FOLLOWS 3 encrypted standard SSL Handshake TN3270 Handshake 2 1 Host On-Demand Client Figure 92. TLS-based Telnet SSL flow 1. IP connection establishment. 2. The Telnet server sends the IAC DO START_TLS command to the client to verify if it wants to perform the SSL negotiation. 3. If a positive response is received, then Telnet begins a normal SSL handshake. 4. If no positive response is received, the connection will be dropped. The IAC DO START_TLS Telnet command, sent from the server, activates TLS at the beginning of a Telnet connection. The client can respond to this command by sending the IAC WILL START_TLS command, if the negotiation of a TLS connection is required. With the IAC DONT START_TLS command, the client can refuse the TLS connection negotiation. Sending the IAC SB START_TLS FOLLOWS IAC SE command initiates a TLS negotiation. When this subcommand has been sent and received the TLS negotiation will begin. If Enable Security (SSL) is Yes and Telnet-negotiated is Yes, then the Telnet connection will be started normally without SSL. However, the 3270 session will not start until the SSL negotiation completes successfully. If the server Chapter 10. Telnet-negotiated security 187

204 WONT STARTTLS, then the session will not start, and an error message will be issued stating 'Security was requested, but the server does not support security'. If Enable Security (SSL) is No and the server requests a TLS session, HOD not start a TLS session and an error message will be displayed on the status bar stating "The server requested security, but Security is not enabled." To understand the data flows in more detail, refer to Appendix C.3, Sample TLS-negotiated traces on page 274 for sample traces. 188 IBM WebSphere Host On-Demand: Version 5 Enhancements

205 Chapter 11. Print enhancements Host On-Demand Version 5 has added two enhancements relating to printing: a printer definition file support utility that makes it easier for Windows users and administrators to associate a printer definition table to printer session, and VT print passthrough capability Printer definition file support As in Version 4 the key to host print is to associate a printer definition table (PDT) with the selected printer. In Version 4 all the responsibility for doing this association fell upon the administrator. For example, take a user who uses a notebook PC at home and in the office, but had a different printer at home than the office. The administrator must know the exact make and model of the printer that the user has at home as well as at the office to preconfigure the sessions for the user. The new printer definition file support introduced in Version 5 will allow an end user to control the association of a host print session, 3270, 5250, or new VT print passthrough, with a printer accessible from a Host On-Demand Windows client environment. The user simply chooses an appropriate local printer for the current environment and the required PDT or model entry will be selected automatically. There are two phases to using the printer definition support: 1. Administration The administrator must create the printer mappings for all the printers to be used by the installation and designate a default map. 2. Session configuration A new interface is provided for Windows systems that simplifies the selection of the correct printer definition table Printer administration The administrator has two basic tasks: 1. Create the mappings for printer types to 3270 PDTs and 5250 models 2. Designate on PDT and one model as the default The mapping process depends on two files: hodpdt.properties(3270 printers) Copyright IBM Corp

206 hodmodel.properties(5250 printers) Host On-Demand Version 5 installs two sample files in the %HOD_ROOT%\samples/prt/xx directory, where xx is the country code being used. The hodpdt.properties file is illustrated below. # # Print Drivers and associated 3270 PDTs # # This file should contain one or more entries like the following: # # printerdrivername=3270pdtname # # This file may also contain one optional entry like the following: # # DEFAULT_PRINT_PDT=default3270PDTName # DEFAULT_PRINT_PDT=Basic ASCII text mode IBM D PS Printer=IBM PPDS Level 2 IBM InfoPrint 20 PCL=HP PCL Level 3 (Laser Printers) Net-It-Now Driver=Basic ASCII text mode The hodmodel.properties file is shown below. # Print Drivers and associated 5250 printer models # # This file should contain one or more entries like the following: # # printerdrivername=5250modelname # # This file may also contain one optional entry like the following: # # DEFAULT_PRINT_MODEL=default5250ModelName # DEFAULT_PRINT_MODEL=HP LaserJet Series II IBM D PS Printer=IBM 3130 Advanced Function Printer IBM InfoPrint 20 PCL=IBM InfoPrint 20 Notice that the only difference in the files is the name of the default printer driver. The administrator, using an ASCII text editor (not supplied by Host On-Demand) must update these files to reflect local PDT or model requirements for specific Windows printers/drivers. Any PDT or model files not supplied by Host On-Demand must be supplied and maintained by the customer. The properties tables will reside in, and be accessed from, the Host On-Demand server \%HOD_ROOT%\private directory. 190 IBM WebSphere Host On-Demand: Version 5 Enhancements

207 Editing the table is simple. The syntax of the entries is: printerdrivername=3270pdtname The value entered into the file for printerdrivername must exactly match (including case) the printer driver name that the client will be using. The 3270PDTName (or 5250ModelName) is the description given to the PDT (model) when compiled, not the name of the file. For the default files provided by IBM, these descriptions are found in the heading in the PDF file found in the \%HOD_ROOT%\pdfpdt subdirectory. The DEFAULT_PRINT_PDT, or DEFAULT_PRINT_MODEL, entry will be selected if the printer selected does not match any entry in the list. Note The spelling, punctuation, capitalization and white space (spaces) of the 3270PDTName and 5250ModelName are important. There must be an exact match in order to be selected Session configuration Windows printer selection capability has been enhanced with the inclusion of a new push bar on the Print definition tab. See Figure 93. Figure 93. Define printer To select a printer that is defined to your workstation, click the Select Printer button. Doing so will result in a prompt to download a Windows DLL file, hodprint.dll, to query your printers. See Figure 94. Chapter 11. Print enhancements 191

208 Figure 94. Load DLL To proceed you must select Continue. When you do so, the hodprint.dll file will be downloaded from the server to your workstation and executed. If you close your browser and later repeat this process, the hodprint.dll file will be downloaded again. The previously downloaded file will be renamed prior to download. This may result in many copies residing on your system. A new dialog box will be displayed with a choice box containing a list of printers accessible by your system. See Figure 95. Figure 95. Select Windows printer 192 IBM WebSphere Host On-Demand: Version 5 Enhancements

209 Scroll through the list of printers and select the printer you wish to use. Our example uses a LexMark ValueWriter 300 on port LPT1. Selecting OK will cause the utility to search the hodpdt.properties file or the hodmodel.properties file, using the device driver name. If a match is not found, the panels shown in Figure 96 will be displayed. Figure 96. Driver not found If the driver is found then the sequence of panels shown Figure 97 in will be displayed. Chapter 11. Print enhancements 193

210 Figure 97. Driver found The user is not required to use the printer selection dialog in a Windows environment. A PDT or Model can still be selected manually Tips This utility will run only on Windows clients; however, all server installations contain the necessary files to support Windows clients. The Netscape browser requires a restart the first time the function is used. Like any printer configuration, the printer selected at configuration time must be present at runtime in order for the print function to operate properly VT print passthrough VT host-directed printing is an integral service provided by a VT terminal; it does not require a separate session. Prior to Host On-Demand Version 5, VT host-directed printing was not supported. The following VT print operations are now supported: Printer controller mode (print pass through) Autoprint mode Print screen (host initiated) Print cursor line 194 IBM WebSphere Host On-Demand: Version 5 Enhancements

211 A VT configuration panel is provide for the Host On-Demand client and administrator. See Figure 98. You will notice that there is a Select Printer button on this panel. It operates similarly to the 3270 and 5250 printer configuration, in that it downloads the hodprint.dll file if run on a Windows system and identifies the available printers. However, VT sessions do not use a PDT. Printer data from the VT application is sent as-is to the printer device. You must insure that your VT application supports the printer you want to use. Figure 98. VT printer configuration See the DEC VT220 Programmer Reference Manual for more information on VT Host Print. Chapter 11. Print enhancements 195

212 196 IBM WebSphere Host On-Demand: Version 5 Enhancements

213 Chapter 12. AS/400 Several AS/400 enhancements were introduced in Host On-Demand Version Toolbox Model 3 Support Host On-Demand Version 4 used the Model 1 of the AS/400 Toolbox. Version 5 use the Model 3 version of the Toolbox. This enhances the ability of file transfer for AS/400 and Database On-Demand to support a proxy server and SSL. The major advantage of Proxy Server Support is that only one port has to be open through a firewall to do OS/400 File Transfer and Database On-Demand. Previously, the user had to open up multiple ports. With Proxy Server Support, all the data flows through the configured port (default is 3470). Also, it helps to improve the download time of the Database On-Demand applet. If the proxy server is not used, then Database On Demand and 5250 File Transfer will be working as it did in Host On-Demand V4. Also, there are no new additional features that are supported with the Proxy function enabled. SSL support is also supported and will enable Database On Demand and OS/400 File Transfer, providing secure connections to both by encrypting the data exchanged between a client and the host. Note If the user is trying to avoid opening any ports on the firewall by using the configuration servlet, the user would still need to open up the configured Proxy Server port for 5250 File Transfer and Database On Demand. Refer to 5.4, OS/400 Proxy Server on page 93 for a complete description of how to set up the proxy server. To enable the OS/400 file transfer to use the OS/400 Proxy Server you must modify the file transfer defaults for the client session. This can be done by the administrator or the user. To direct the file transfer utility to utilize the OS/400 Proxy Server, you must change the file transfer defaults. From the 5250 emulation window, select Actions -> File Transfer Defaults, which results in the panel shown in Figure 99. Copyright IBM Corp

214 Figure 99. OS/400 file transfer defaults Select Yes on the Enable Proxy Server line, specify the address of the proxy server you will use, and specify the port (default is 3470). When you send or receive files from the AS/400 via the proxy server you will get confirmation of the address of the AS/400 you are accessing and the proxy server you are using (see Figure 100). Figure 100. Transferring AS/400 files 12.2 ENPTUI support IBM WebSphere Host On-Demand Version 5 supports Enhanced Non-Programmable Terminal User Interface (ENPTUI), on 5250 Display sessions. ENPTUI is the enhancement of the 5250 full-screen menu-driven interface, which was well regarded by the AS/400 user community for a long time. This interface, however, has become less acceptable to users as they become familiar and comfortable with a programmable workstation graphical user interfaces. ENPTUI enables an enhanced user interface on non-programmable terminals as well as programmable workstations by providing the following capabilities: 198 IBM WebSphere Host On-Demand: Version 5 Enhancements

215 Selection fields Scroll bar field Continued and edit mask entry field Cursor progression entry field Highlighted entry field Pointer device selectable field Word wrap field Pop-up window, and menu bar Selection cursor in selection fields and highlighted entry field Cursor movement to input-capable positions only Cursor-sensitive scrolling within a selection field Application programmable mouse buttons Here is what the 5250 screen will look like with ENPTUI: Figure 101. Sample ENPTUI screen Chapter 12. AS/

216 HOD 5.0 supports ENPTUI 3 defined in AS/400 Work Station Controller Final Functional Specification - Volume 6, and it is the same level of support that Personal Communications Manager Version 5.0 provides. 200 IBM WebSphere Host On-Demand: Version 5 Enhancements

217 Chapter 13. Java 1.2 compatibility Host On-Demand Version 5 now provides compatibility with Java JDK 1.2. Host On-Demand is providing this compatibility for application developers and has not exploited any features of JDK 1.2. Support is provided for the compilation and usage of the Host Access JavaBean and HACL interfaces using a JDK 1.2 JVM, and run using a JRE 1.2 JVM. If you are going to use the Host Access Beans with Java 2, you will need to add the following to the java.policy file. grant { permission java/security/allpermission; } The file is located in the JAVA2\jre\lib\security directory, where JAVA2 is the path to your Java2 installation. Host On-Demand Version 5 is still based on the abstract window toolkit API (AWT). The IBM Swing jar file is shipped to support selected Swing-based components, for example the Deployment Wizard. There is no support currently for running Host On-Demand Version 5 in a Java 2 environment. No browser at the time of the writing of this book supported Java 2. The JDK 1.3 is not yet supported. Copyright IBM Corp

218 202 IBM WebSphere Host On-Demand: Version 5 Enhancements

219 Chapter 14. Screen Customizer Screen Customizer is a Java client for Host On-Demand and Personal Communications Manager that provides a graphical user interface (GUI) alternative to host application "green screens". Screen Customizer interprets the host data stream that Host On-Demand or Personal Communications forwards to it. It then provides either a default GUI representation of the host screen, or a customized GUI representation of the host screen, created by means of the Screen Customizer Customization Studio. Customization for 3270, 5250, and CICS Gateway display sessions is available. VT display session customization is not supported. The creation of a GUI involves no changes to the host application nor any programming on the workstation Screen Customizer and Host On-Demand Screen Customizer applets are loaded along with the Host On-Demand code by clients. If it is to be used for a session, it needs to be enabled in the session s screen configuration window. If an application screen has been identified to Screen Customizer, by assignment of a screen ID, and a custom version of that screen, known as a map, has been created, the custom version is displayed in place of the default screen content. Host On-Demand provides the Telnet transport for Screen Customizer sessions. The structure of a screen is recorded by Screen Customizer on the client as it is received from the host. The structure is based on the number, length, and relative position of fields in the screen. This structure is compared to those found in a screen database file, screen.db. If there is a match, the client requests the associated screen map from the Web server, which in turn sends the customized version of the screen to the client for display Screen Customizer and Personal Communications Manager The basic operation of Screen Customizer with Personal Communications Manager (PCOMM), is the same as that with Host On-Demand; however, Screen Customizer runs as a Java application rather than as a browser Copyright IBM Corp

220 applet. The Telnet transport is provided by Personal Communications Manager. The custom screen database resides locally on the workstation, as compared to being downloaded in the case of Host On-Demand. The custom maps can reside on the client, or be accessible using SMB or NFS network drives, or be downloaded from a Web server. Note This chapter is focused on the use of Screen Customizer with Host On-Demand. When there are significant differences between its use with Host On-Demand and Personal Communications, those differences will be noted Screen Customizer overview IBM Screen Customizer provides the ability to change a standard 3270 or 5250 emulator application into n something that looks like other applications in a workstation environment. Screen Customizer can make these types of applications easier to use by changing the way a user interacts with the application. It can combine data from multiple screens, hide unneeded information from the user, and change cryptic mainframe input fields into more friendly forms. For example, many mainframe applications require the use of codes for input. This may be as simple as the substitution of OH for Ohio or as complex as having to remember accounting codes for certain types of transactions. Input fields can be changed to radio buttons, check boxes, drop-down lists or valid value lists depending on what type of input is needed. Screen Customizer can also impose a large degree of consistency on mainframe applications that have evolved over a number of years (often decades). The result of this evolution is often a set of very stable applications with an inconsistent or command-driven user interface. It s not uncommon to see an application where the same function key means many different things depending on the application and context. This increases the difficulty of using the application and the time it takes to train new users. Screen Customizer can remap function keys based on individual screens or use graphical controls such as buttons to provide navigation that is consistent regardless of what application is being used. In short, Screen Customizer can provide a face-lift to applications that have been, in accounting terms, fully amortized. It can provide new life for 204 IBM WebSphere Host On-Demand: Version 5 Enhancements

221 applications whose only problem is their user interface. Screen Customizer can extend the life of the mainframe s terminal-based applications while a Web-based replacement is being built or even serve as an end-of-life substitute for little-used applications What s new in Screen Customizer Version 2 This book assumes that you are familiar with Screen Customizer Version 1 or the earlier ResQ!Net product; therefore, you ll notice several immediate changes. The job of the Screen Customizer Administrator has been made much simpler. First, the job of identifying screens has been put on an easy-to-use toolbar as shown in Figure 105 on page 215. Next, Screen Customizer Version 2 has moved many of the functions that used to be part of the Administrator s job into the Customization Studio where they logically belong: Keyboard remap (although you ll probably want to use the Host On-Demand keyboard remap) Redirect action keys Customize toolbar Set tab key control Button appearance Font settings So, in Screen Customizer Version 2 the administrator s job has been reduced largely to cataloging screens, doing any necessary Host On-Demand session setup, and testing the application in client mode. The real work of refurbishing the application is now done almost entirely in the Customization Studio. Many improvements have been added that the day-to-day user may not see. These features include enhancements such as: Light-pen support (3270 only). An SSL indicator (formerly available only for Host On-Demand users). A Service Bundler tool that creates a package of files for IBM service. AS/400 subfiles support. The addition of an API that allows a Java programmer to interact with Screen Customizer host sessions and objects within those sessions. This allows a custom-written Java applet or application to dynamically change values, settings or the appearance of the current Screen Customizer application. Two programming interfaces have been introduced: Screen Customizer API and the Screen Customizer bean. Chapter 14. Screen Customizer 205

222 The IBM Screen Customizer Custom Component Interface (SCCI) allows you to interact with graphical objects on the screen. You can set properties for graphical interface objects and in some cases the data represented by the object (for example, button caption or choice options). The Screen Customizer API is documented in the SCCI Reference included with the Host On-Demand Host Access Toolkit. Use Screen Customizer within your own applications or embedded directly into a Web page. The bean allows rapid application development with full capabilities to display customized screens. The Screen Customizer bean works with most of the current host access beans. It is documented in the Host Access Beans for Java Reference included with the Host On-Demand Host Access Toolkit Silent installation A silent mode installation via a response file was introduced in Version 2. The silent installation installs Screen Customizer without displaying any windows or asking for input. To perform a silent installation of Screen Customizer, you must first create a response file that contains the information required on the installation windows. The documentation states that sample response files are provided and are located in the \instmgr\ directory of the installation CD. The Windows sample response file is server1.iss, and the AIX sample response file is install.script. These samples contain the default installation options. You can use those or create your own. Once a response file is created, start the silent installation. It is recommended that you create your own response file. Notes In the initial release of the software only the AIX sample, install.script, was present. When you install in silent mode, there is no indication that installation is in progress or that it is complete. Complete instructions on silent mode installation are documented in the Getting Started Guide.which is found on the IBM Screen Customizer Web site at the following URL: IBM WebSphere Host On-Demand: Version 5 Enhancements

223 Since the product changes frequently, it is always a good idea to refer to this site for the latest copy prior to installation Runtime installation The IBM Screen Customizer runtime is supported on any server that supports Host On-Demand. The installation of the runtime environment on any platform is primarily an exercise in unzipping or untaring the files to the Host On-Demand publish directory AIX The installation on AIX has been improved to provide a graphical interface similar to the Windows interface. In addition a silent mode installation has also been added. Refer to 14.5, Silent installation on page 206 for more information UNIX To install the client using the graphical interface: Mount the CD-ROM drive and insert the CD. Change to the root directory of the CD and enter setupaix.sh. Click Install Product. Follow the directions in the installation windows. You can install only the client on UNIX operating systems. The client must be installed in the Host On-Demand server publish directory so that it is available to client workstations. Insert the CD and mount it. Change to the Host On-Demand publish directory. Untar the client.tar file to install the base files into the HOD directory. Support for English is installed by default. Additional languages must be installed separately. This step assumes that the tar files are in the /cdrom/tar directory. Run the following command from the publish directory: tar -xf /cdrom/tar/client.tar For each additional language that you want to install, run: tar -xf /cdrom/tar/sc_lang.tar Chapter 14. Screen Customizer 207

224 For example, tar -xf /cdrom/tar/sc_ko.tar installs support for the Korean language. To extract the documentation file (includes all languages), run: tar -xf /cdrom/tar/doc.tar AS/400 To install IBM Screen Customizer on an AS/400: Novell NetWare Insert the Screen Customizer CD. Run the following command: RSTLICPGM LICPGM(5648D76) DEV(OPT01) where: - RSTLICPGM starts the OS/400 installation program - LICPGM(5648D76) is the Screen Customizer program number to install - DEV(OPT01) is the source device for the CD You can install only the client on Novell NetWare. It must be installed in the Host On-Demand server publish directory so that it is available to client workstations. To install the client: Insert the CD. Change to the Host On-Demand publish directory. To extract the files, run the following command from the Host On-Demand publish directory: unzip -d [cd_rom]:\zip\client.zip To extract the documentation file, run: unzip -d [cd_rom]:\zip\doc.zip where: - unzip is your unpacking program. It must support long filenames. - -d is the parameter that recreates the zipped directory structure. - [cd_rom] is the CD-ROM drive letter. - zip is the directory on the CD. 208 IBM WebSphere Host On-Demand: Version 5 Enhancements

225 OS/2 You can install only the client on OS/2. It must be installed in the Host On-Demand server publish directory so that it is available to client workstations. To install the client: Insert the CD. Change to the Host On-Demand publish directory. To extract the client files, run the following command: unzip -d [cd_rom]:\zip\client.zip To extract the documentation file, run: unzip -d [cd_rom]:\zip\doc.zip - unzip is your unpacking program. It must support long filenames. - -d is the parameter that recreates the zipped directory structure. - [cd_rom] is the CD-ROM drive letter. - zip is the directory on the CD Administrator and studio installation The Screen Customizer application development environment is installed on a Windows 32-bit platform, Windows 95, Windows 98, Windows NT with SP 5 (or higher) and Windows Before installing Screen Customizer Version 2, you must install a local copy of Host On-Demand Version 5. Screen Customizer has three components: 1. The administration studio for identifying each screen that is to be customized. 2. The customization studio for changing the appearance of the screens identified by the administrative tool. The Customization Studio is also used to create templates, which are used to change the appearance of multiple screens. Templates are similar to style sheets in HTML or named styles in a word processor. 3. Client runtime support for display of customized screens. There are two installation options of Screen Customizer Version 2 on a Windows platform as shown in Figure 102. Selecting Full will install all three components, while selecting Custom, as shown in Figure 103, will allow you to tailor your installation further. Chapter 14. Screen Customizer 209

226 Figure 102. Screen Customizer installation 1. Selecting All Components is the same as the default or full installation. Use this installation choice if your job will include that of administrator and customizer. 2. Selecting the client installation option installs only the Screen Customizer runtime code. Use this installation if you are installing Screen Customizer on a workstation that will be used for testing or local deployment, or you are installing only the run-time components on a Windows Host On-Demand server. 3. Select the Customization Studio if you only be doing customization of previously captured screens. The Customization Studio can be used in a completely offline environment. Use this type of installation if you are doing screen customization only. In this environment the administrator must capture the screens and move them to a file server, NFS drive, or other device where the Customization Studio operator may access and tailor them. Note: it is not necessary to have a locally installed copy of Host On-Demand to install just the Customization Studio. 210 IBM WebSphere Host On-Demand: Version 5 Enhancements

227 Figure 103. Screen Customizer custom installation 14.8 Migration If you are installing onto a Windows system migration and you will be migrating from ResQ!Net or IBM Screen Customizer Version 1, migration will occur automatically. The following sections describe the migration process in more detail, and the procedures for migration when installing on a non-windows platform Migrating from ResQ!Net Customization panels created using ResQ!Net are saved by default in the /hod/at2custom directory, which has several subdirectories. For Screen Customizer, the equivalent directory is hod/custom, which has all of the equivalent subdirectories (at2 has been removed). If you are installing on a Windows system, migration is automatic. The setup program copies the contents of the ResQ!Net directories to the equivalent Screen Customizer directories. However, if you have custom panels saved in directories other than the default directories, you must manually copy them to the new path. On non-windows platforms, you must manually copy all custom panels to the new path. Chapter 14. Screen Customizer 211

228 The files in the following original ResQ!Net directories must be moved to the new Screen Customizer directories. Table 12. ResQ!Net to Screen Customizer directory map ResQ!Net Directory at2custom/at2hlp at2custom/at2img at2custom/at2lst at2custom/at2maps at2custom/at2ps at2custom/at2ref at2custom/at2wsp Screen Customizer Directory custom/lang/help custom/img custom/lst custom/map custom/ps custom/ref custom/wsp In addition, the following files must be renamed from the original ResQ!Net extension to the new Screen Customizer extension. Table 13. ResQ!Net file extension conversion ResQ!Net Extension Screen Customizer Extension File Purpose a2h hlp User-created field-level help a2m scm Screen customization data a2p psd Base screen data a2b tlb Customized toolbar a2l lst Valid-value list a2r ref Reference file for field help and valid-value list a2t tpl Template Custom panels saved in a directory other than at2custom can be migrated by first renaming the at2* subdirectories within the alternate directory to the new subdirectory names and then by renaming the original file extensions to the new extensions Migrating from IBM Screen Customizer Version 1 In Version 2, profiles are no longer supported and have been replaced with global templates. When installing on Windows, profiles are automatically 212 IBM WebSphere Host On-Demand: Version 5 Enhancements

229 migrated from the default custom/wsp directory to the equivalent template name (with a.tpl extension) in the custom/map directory. Profiles that are not located in the default directory, for example, a user-defined directory mycustom/wsp, are not migrated automatically during installation. A profile migration utility is provided that migrates those profiles to the new template format. On Windows systems, the migration utility is started by clicking Start -> IBM Screen Customizer. On non-windows systems, the utility can be started manually. Note: If you are migrating from ResQ!Net, you must do those steps before migrating to Screen Customizer V2. To start the migration utility manually, enter the following command (on one line): java -classpath publish_dir\lib\scmigr.jar;publish_dir\lib\rt.jar; publish_dir\lib\i18n.jar com.ibm.hi.customizer.util.profile.profilemigrator ProfileDir=profile_dir TemplDir=template_dir 14.9 The Screen Customizer development cycle Developing a Screen Customizer application falls into five basic steps: 1. Administration: Screens within an application are identified and saved as Screen Customizer maps. 2. Screen Customization: This step is where a screen gets a face lift. 3. Template Development: This activity can take place in parallel with screen customization or afterwords. Templates allow the developer to provide a more uniform look and feel for all screens in an application (even screens that have not been customized) without working on individual screens. 4. Testing: Once the application has been built, it should be moved to a stand-alone client or a test server where the application can be exercised to insure it is fully functional. 5. Deployment - once tested, the application can be moved to a production server or servers Administration The administration process in Screen Customizer is fairly straightforward. The process begins by starting Screen Customizer administration. When that is started, the user is presented with a panel that looks a lot like a Host On-Demand Session Manager. Next, you must either configure a session or import a session definition to create a host session to work on. This is all very similar to Host On-Demand Administration, except for the options on the Chapter 14. Screen Customizer 213

230 Screen tab of the host session s properties notebook. See Figure 114 on page 228 for an example of what that setting looks like. To illustrate some of the new features in Screen Customizer Version 2, let s use an IBM business system login screen in its original emulator format: Figure screen in its native mode When this same session is brought up in the Screen Customizer administrator, it will first appear much like the Host On-Demand default GUI. However, an administrator that s worked with previous releases of Screen Customizer will notice some immediate differences (see Figure 105 on page 215). 214 IBM WebSphere Host On-Demand: Version 5 Enhancements

231 Figure 105. Screen Customizer administrative toolbar Note the addition of the administrator s toolbar beneath the regular Screen Customizer toolbar. When working on a Screen Customizer application, the first tools we ll be interested in are the first four items (from left to right): 1. The Customize the current screen tool, represented by the icon that looks like an artist s palette in Figure The Capture the current screen tool, represented by the icon that looks like a camera in Figure The four-character Screen ID entry field, which should be familiar to Screen Customizer Version 1 or ResQ!Net users. 4. A Screen description, a field which should also be familiar to Screen Customizer Version 1 or ResQ!Net users. Just as with the previous products, this field is still optional but nevertheless recommended. Cataloging a screen is much easier with the new toolbar. As long as a screen ID has been entered, the administrator has three options to catalog a screen: 1. The Capture tool (the camera icon). If this option is used, then the screen is simply cataloged and the administrator can continue with the host application. 2. The Customize tool (the palette icon). If this tool is used, then the screen is cataloged and the Screen Customizer Studio launched to tailor the screen. 3. The Screen ID properties tool (the icon to the right of the screen description field). If this tool is used, Screen Customizer brings up a dialog box (similar to that in Version 1) used to alter the way the screen is recognized. A screen tag can be used in place of the default screen recognition mechanism. Chapter 14. Screen Customizer 215

232 Note With any of these tools, the optional description can be entered, as shown in Figure 105, and will be cataloged with the screen ID. It is good practice to enter a screen description and IBM recommends you do when building a Screen Customizer application. Once the administrator has cataloged several screens, there are other operations that can be performed from the new toolbar. Figure 106. Working with cataloged screens As we can see from Figure 106, the new administrator s toolbar offers more one click ways to get to common activities: Setting up the screen ID View all the screen IDs that have been cataloged Get help for the administrative toolbar Bringing up the customization studio for other work (for example, creating/altering a template) Screen customization This book will not teach you how to do screen customization; it will merely describe the controls that may be used and placed on the screen. There have been several changes to the screen controls Global customization enhancements Customizing screens is easier with the template enhancements. You can control the look and function of many different emulator screens at once by 216 IBM WebSphere Host On-Demand: Version 5 Enhancements

233 creating templates that can be automatically applied to screens without having to modify each screen individually Simplified screen capture process The Administrator toolbar makes the process of capturing and customizing screens quick and easy. The toolbar buttons provide quick access to the functions you use every day when working with screens. There are buttons to capture a screen, start the Studio, and work with screen IDs Web link button improvements Additional options have been added for Web link buttons. Text for links changes color when the mouse pointer is held over it, displaying a standard Web link. Settings can be saved for individual Web links Light-pen support Use your mouse as a light-pen pointer when accessing host applications that require a light pen. Light-pen fields can be displayed as check boxes or buttons, depending on the type of field. Refer to Figure 107 for a sample application that uses light-pen support, but it is not enabled. Chapter 14. Screen Customizer 217

234 Figure 107. Light-pen not enabled The image shown in Figure 108 shows what the above window would look like with light-pen support enabled. 218 IBM WebSphere Host On-Demand: Version 5 Enhancements

235 Figure 108. Light-pen enabled window AS/400 subfiles AS/400 subfile support has been implemented to be consistent with the support provided by Client Access. When enabled, subfiles are automatically converted into multi-column tables with button hotspots that send the appropriate commands for manipulating objects in the subfile list. Figure 109 illustrates what a subfile would look like if subfile support were not enabled. Chapter 14. Screen Customizer 219

236 Figure 109. Subfiles disabled Once subfile support is enabled, the above window will appear as shown in Figure IBM WebSphere Host On-Demand: Version 5 Enhancements

237 Figure 110. Subfiles enabled Additional language support Support for Hindi and Thai languages has been added Template development One of the most significant changes to Screen Customizer Version 2 is the introduction of the template feature. This feature allows you to provide customization defaults and features for large sets of screens without having to customize each screen. Templates can supply default colors, add customized objects to each screen s toolbar, and even add Screen Customizer objects (such as a Weblink) to every screen. Templates are created in the Screen Customizer Studio and are saved in the same directory as the application s screen maps (by default \custom\map). Screen Customizer templates have a file type of.tpl and otherwise can be named like other objects (for example, no spaces in the file name). Chapter 14. Screen Customizer 221

238 The global template There is one special template, a magic one known as the global template. If you create a template and save it with a name of sc_global.tpl in the default map directory, it will be used by all screens (customized and uncustomized) unless you specifically override a particular screen s use of templates. The global template can be overridden in the HTML using the Template Java parameter. It needs to be added in the HTML that starts the Screen Customizer Administrator, Screen Customizer client or any Host On-Demand client that has Screen Customizer enabled. For example, in a full English-language installation of Screen Customizer, the Administrator is started by browsing an HTML file named HODCustomAdmin_en.html. Let s say we ve created a template called Ugly.tpl (it s really ugly so we know it s working) and have modified the HODCustomAdmin_en.html file by adding the Template parameter. If we did, the resulting HTML would look like the sample in Figure <PARAM NAME=BookmarkPage VALUE=AutoHOD_en.html> <PARAM NAME=Admin VALUE=true> <PARAM NAME=Locale VALUE=en_US> <PARAM NAME=Template VALUE=Ugly.tpl> <p>if you are reading this message, your client platform is not capable of running IBM Screen Customizer. To run IBM Screen Customizer, you must have a Java-enabled web browser such as Netscape Navigator or Microsoft Internet Explorer. </APPLET> Figure 111. Setting template in the Administrator s HTML There are other parameters related to template handling with different terminal sizes. It is possible to specify different default (global) templates for different terminal sizes. This is done by using the following Java parameters, in a similar way to the Template parameter is used in other files. Table 14. Screen size template parameters Parameter Name Template template24x80 template32x80 template43x80 template27x132 Screen Size All unspecified Model 2 (24 rows, 80 columns) Model 3 (32 rows, 80 columns) Model 4 (43 rows, 80 columns) Model 5 (27 rows, 132 columns) 222 IBM WebSphere Host On-Demand: Version 5 Enhancements

239 You may or may not want to specify custom templates for each screen size, but you can use the screen size context menu s snap to function to test your template with different screen sizes. See Figure 112 on page 225 to see what this menu looks like The template hierarchy When using Screen Customizer templates, it s very important to understand the hierarchy of customization that results in a particular screen s appearance. The template is really the court of last resort when it comes to a screen s appearance. We ve already seen how a magic template name can override all screens in an application. But that template is overridden if you specify the Template parameter in the HTML. So what happens next? A screen s appearance is determined by the following: 1. The default global template (sc_global.tpl, if it is present). 2. Any global template specified in the HTML (see Figure 111) and if specified will override sc_global.tpl. 3. If a template was specified in the studio when customizing an individual screen using the Screen ->Template Options... menu pull-down, then that template will be in effect. This is referred to as a "map-specified template." The template name to be used with the map is actually stored within the map file. 4. User preferences have lowest precedence. For instance, let's consider background color. If the user specifies the background to be blue, then it will be so only if the maps/templates also specify blue, or if they specify that colors are to be inherited (using the Inherit Color option on the color dialogs). Maps would inherit from templates, which would inherit from the user preferences, which would be blue. Note If you re customizing a screen and want to disable all template effects, click Test ->View with Different Template... to turn off the use of templates altogether Developing a Screen Customizer template To build a Screen Customizer Template, you can either start directly from the Studio (the default is to bring up a blank template) or from a Studio session brought up from the Administrator. If you re customizing a host screen, just use the File pull-down and choose the New Template option, or use the CTL+N key shortcut (new in Screen Customizer Version 2). Chapter 14. Screen Customizer 223

240 When you start with a fresh template, you ll see a layout like that in Figure 112 on page 225. There are several areas on this page: 1. A large area towards the upper left-hand corner of the screen reserved for the host session. This is labeled Host Screen Area in Figure 112 on page 225. Note You cannot customize the host screen section of the template. This is done by customizing individual screens with the Screen Customizer Studio. When creating a template, you will be allowed to place objects in this area, but they will be overlaid by any objects (default or customized) at that position in the screen area. 2. The rest of the screen area is a palette for you to control as you please. It is labeled Template Customization Area in Figure 112 on page 225. A template can be customized much like any host screen except for these attributes: - Get to the point settings. - Global Variable extensions. - Template options. - Tab order. The objects on the template (for example, a button) are considered outside of the screen s objects and therefore cannot be part of its tab order. - Tab-key controls. 3. You ll also have a context (pop-up) menu that can snap the host area of the template to various host screen sizes. This is labeled Screen Size Context Menu in Figure 112 on page 225 and the actual menu of screen sizes is shown. 224 IBM WebSphere Host On-Demand: Version 5 Enhancements

241 Figure 112. Creating a new template It s important to note that although you can t customize the host area on the template directly, you can move and resize the area. By default, using the left-hand mouse button will turn on the screen mover cursor and dragging the screen area while holding this button down will move it. Figure 113 on page 226 shows a default template that has been moved down and to the right, allowing room for more customization. Chapter 14. Screen Customizer 225

242 Figure 113. Moving the host area on a template Moving the host area is allowed (even encouraged!) since it allows for such activities as placing a banner image at the top of every customized screen that uses that template. This is a much more robust replacement for the add logo function in Screen Customizer Version Deployment Deploying an IBM Screen Customizer application takes planning Screen Customizer objects In order to understand how to coordinate development, testing and deployment of a Screen Customizer application, it is important to understand what components make this application. Strictly speaking, a Screen Customizer application is simply a set of files in a well-defined directory tree that uses naming standards understood by the Screen Customizer development and runtime applications. 226 IBM WebSphere Host On-Demand: Version 5 Enhancements

243 With the exception of the stand-alone installation of the Studio, Screen Customizer depends on Host On-Demand and will be installed within the directory structure created by installing that product. When a Screen Customizer application is developed or deployed, it is normally stored in the \custom directory in the main Host On-Demand directory tree by default. Within the \custom directory, there is a well-defined structure of directories and files that looks like this: Table 15. Screen Customizer directory and object structure Directory \map \img \lst \ps \ref \wsp \en (and \en\help) Contents Contains the screen.db (screen database) file, all screen maps (.scm files) and template files (.tpl files) Contains all graphics used by the application. Restricted to GIF (.gif) and JPEG (.jpg) files. Valid values lists Base screen data Reference files for field help and valid-value list Global customizations help information In the application development environment, this directory tree is located in the %HOSTONDEMAND%\LIB\CUSTOM folder (where %HOSTONDEMAND% is the root directory where the local copy of Host On-Demand was installed). And, by default, all objects created on that machine will be created in the \custom directory tree as illustrated above Testing the application Testing a Screen Customizer application is important for two reasons. First, it s important that all of the components work as intended in the environment in which they will be deployed in. Second, it is important that some usability testing be done so that the application truly meets the user s needs. Since a Screen Customizer application is deployed on a Web server, it lends itself very well to iterative testing with a small pilot group of motivated users. Changes can literally be made on the fly according to user feedback and this has been done in actual practice. The mechanics of Screen Customizer testing can be done on many levels: Chapter 14. Screen Customizer 227

244 The Administrator s workstation A stand-alone client A test server A test server with the Administrator and Studio code installed Each scenario has its unique needs. We won t cover these in great detail but the common links are: 1. Understanding of the file and directory structure that makes up a Screen Customizer application 2. How to use the Screen Customizer HTML parameters (specifically the subdir and template parameters) in server-based test scenarios Let s start with the first line of defense: testing on the developer s workstation. That s pretty simple, since all you need to do is reconfigure your session from Administrator to Client (see Figure 114 below) and run the session. Figure 114. Reconfiguring a Screen Customizer client for testing Next, it may be useful to test on a stand-alone client. It could be for a reality check because the user in question knows the host application very well or could be simply as a tentative first step before pilot deployment. 228 IBM WebSphere Host On-Demand: Version 5 Enhancements

245 Either way, you ll need to package up the files from your /custom directory and get it to the client. It s probably best to use a tool such as WinZip to package the files, possibly as a self-unpacking file Preparing the application for deployment When the Screen Customizer application is ready for productive use, it can be deployed in several ways, depending on how your Host On-Demand users are administered. If you have chosen the Host On-Demand registered user model, then Screen Customizer allows for little flexibility in deployment. Since all Host On-Demand users will enter (log on) through the same page, then all Screen Customizer data mscreen.dbst be put in one place, the \custom directory below the main \hod alias. Doing this will require that you: 1. Download the current screen.db file from the \custom directory. 2. Use the MergeDB process to combine it with the screen.db created during the creation of the new application. 3. Upload the new screen.db file and all the collateral files (individual screen maps, graphics, etc.) to their respective directories in the \custom. directory tree There is an alternative for Host On-Demand registered users. Sometimes it is necessary or desirable to: Segregate the Screen Customizer application from other applications. Provide different Screen Customizer applications (using the same host sessions) to different groups of users. For example, a company may wish to deploy different Screen Customizer applications to distinct groups of users, such as a call center, executives, or an extranet application. In this case, each group of users must enter Host On-Demand from a slightly different entry point. It is possible to modify the standard HOD.html or HODCached.html by adding the subdir (which was available in Screen Customizer Version 1) and/or template parameters (see , The global template on page 222). When doing this, a user will log on to Host On-Demand and all will appear normal except that sessions where Screen Customizer is enabled will use the parameters specified in the HTML Service Bundler A new utility has been added to the IBM Screen Customizer, the Service Bundler. This utility is available on all platforms where IBM Screen Chapter 14. Screen Customizer 229

246 Customizer is installed, whether a local installation or a server installation. The Service Bundler is run as a GUI on a Windows system and as a command line utility on other platforms Windows system On a Windows platform it is launched by clicking Start -> Programs -> IBM Screen Customizer -> Utilities -> Service Bundler. This launches an applet that displays the panel shown in Figure 115 to collect the necessary information. Figure 115. Screen Customizer Service Bundler You must specify the following information: Output File Specify the name of the output file without the extension. This is the file that you will send to IBM Service. Custom Directory The default directory structure is specified by default. Select an alternate directory if you are using the subdir parameter. Maps and Templates Check this box if you want to include maps and templates. If you select Maps and Templates, click either All or Selected to specify which maps and templates you want. If you click Selected, do one of the following: 230 IBM WebSphere Host On-Demand: Version 5 Enhancements

247 - Enter the name of the map or template - Click the Browse button to select them Images Check this box if you want to include image files. Help Files Check this box if you want to include help files. Valid-Values Files Check this box if you want to include valid-values files. Macros Check this box if you want to include macros. IPMonitor trace file Check this box if you want to include IPMonitor trace files. An IPMonitor trace file is generated when Service asks you to capture a Telnet data stream dump using the IPMonitor tool in Host On-Demand or Personal Communications. A Browse button is available to locate the desired file. HTML Files Check this box if you want to include all the HTML files in the root (publish) directory (for example, HODCustomAdmin.html and HODCustomClientBasic.html) Command line interface A command line interface is fully documented in the Getting Started document. make sure to refer to this document for any changes. For non-windows environments when running Screen Customizer on Host On-Demand, invoke the following from a command line (the example must be entered on a single line) from the hod publish directory (usually, <hod-installpath>\hod; a JRE is also required): <hod-installpath>\bin\jre -classpath.;\<hod-publish-dirctory>\;\<hod-installpath>\lib\rt.jar; \<hod-installpath>\lib\i18n.jar; com.ibm.hi.customizer.util.bundler.scbundler <options> Chapter 14. Screen Customizer 231

248 The options are shown in Table 16. Table 16. Service Bundler - command line parameters Parameter Description /? or /h print out the help message /o filename Specifies the name of the output file (default = scservice.zip) /d customdir Specifies an alternate custom directory name /a Include all file types, same as /m, /i, /p, /V, /c, /t, /f /m Include all maps and templates /i Include all images /p Include all field help files /v Include all valid-values files /c Include all macro files The output will be placed into the scervice.zip file Application programming interface IBM Screen Customizer Version 2 has been enhanced with the addition of a Custom Terminal Bean and a Screen Customizer Component Interface (SCCI). Together they constitute the IBM Screen Customizer API. This section will provide only an overview of the capabilities of the this API. The IBM Screen Customizer API allows user code, written in Java, to interact with Host On-Demand and IBM Screen Customizer. The code may be run as a IBM Screen Customizer applet or stand-alone Java application. The custom applet can be started from one of the following: A button click Get-to-the-Point During startup of the session: - If the session was configured to launch an applet at startup - If the applet was specified to auto launch via an HTML parameter. The IBM Screen Customizer programming interface requires the Host On-Demand Toolkit, and as such is only supported on the Windows environment. 232 IBM WebSphere Host On-Demand: Version 5 Enhancements

249 Custom Terminal Bean The Custom Terminal Bean is an extension of the Terminal Bean designed to closely interact with Screen Customizer. It encapsulates all Terminal Bean functionality. It allows users to programmatically interact with IBM Screen Customizer and to set/get current settings, such as font properties, code page, host, HTML parameters (such as customurl), current GUI components, etc. or invoke functions such as print screen, send keys, refresh and others. Note The Custom Terminal Bean will work only with IBM WebSphere Host On-Demand, not with IBM Personal Communications Manager Screen Customizer Component Interface (SCCI) SCCI is an API implemented by IBM Screen Customizer s GUI components. It was implemented to allow customers to add business logic to customized screens. It allow the customer to programmatically interact with the following components: Button Valid Values Button Checkbox Choicbox Frame HostList Image ImageButton Label List RadioButton Textfield WebLink A program using the power of Custom Terminal and SCCI could custom a tailor a session, further customize individual screen, auto-navigate through Chapter 14. Screen Customizer 233

250 Documentation screens, collect data, import data from external sources such as a JDBC database or a flat text file, simply log a user s session, and many other tasks. The IBM Screen Customizer documentation is installed in the Host On-Demand Toolkit directory structure. For illustration purposes we will assume that the Toolkit is installed in C:\Program Files\IBMHost Access Toolkit\ Custom Terminal documentation The documentation can be categorized into three types: 1. Reference material...\en\doc\beans\beanreference.html...\en\doc\beans\customterminal.html 2. Javadoc...\en\doc\beans\com.ibm.hi.customizer.beans.CustomTerminal.html...\en\doc\beans\\com.ibm.eNetwork.beans.HOD.HostTerminal.html 3. Sample programs...\toolkit\beans\samples\customterminaldemo\customterminaldemo.jav a...\toolkit\beans\samples\customterminaldemo\readme.txt SCCI documentation The documentation can be categorized into three types: 1. Reference material...\en\doc\beans\scci_reference.html 2. Javadoc...\en\doc\beans\packages.html...\en\doc\beans\Package-com.ibm.hi.customizer.beans.scci.thml...\en\doc\beans\com.ibm.eNetwork.HOD.HIFramework.html...\en\doc\beans\com.ibm.eNetwork.HOD.CustomInterface.html 3. Sample programs (all also use Custom Terminal)...\en\doc\beans\SCCI_helloWorld.html...\toolkit\scci\samples\SCCITestDriver\SCCITestDriver.java 234 IBM WebSphere Host On-Demand: Version 5 Enhancements

251 ...\toolkit\scci\samples\sccitestdriover\readme.txt...\toolkit\scci\samples\sclogicdemo\sclogicdemo.java...\toolkit\scci\samples\sclogicdemo\readme.txt Chapter 14. Screen Customizer 235

252 236 IBM WebSphere Host On-Demand: Version 5 Enhancements

253 Chapter 15. Deployment strategies Host On-Demand has grown from a simple TN3270-only applet into an emulator that can be deployed on a global enterprise level. Today s Host On-Demand can be used for employees inside the normal network infrastructure (intranet users), clients outside the normal network (extranet users) and even general-use customers coming in over the Internet. For more sophisticated users, the Host On-Demand API (HACL) can be used to construct either client-side programs (applets) or server-side programs (servlets) that bear no resemblance to the original terminal-based programs that serve as their base. This wide range of uses is possible because of the enormous flexibility provided by Host On-Demand s platform support, programming. and security models. This flexibility presents a large number of choices that can be intimidating when it comes to planning wide-scale deployment. However, deployment issues can usually be simplified to three fundamental issues: 1. Security needs 2. Base platform(s) for Host On-Demand servers 3. Administration model(s) used In this chapter, we advocate making these decisions with the goal of minimizing the additional administrative and support overhead that Host On-Demand may add to a company s current infrastructure and IT skill base. This chapter will look at the factors that affect these choices and why a particular choice (or choices) would be made. Finally, we will illustrate some deployment strategies with the use of some case studies based on customer scenarios Factors affecting deployment In general, a Host On-Demand deployment will be architected with these factors in mind: The nature of the user community will often determine the administrative model(s) used. The skill base and experience of the IT staff will often determine the hardware platform(s) used. The security needs required by the user community or sometimes by law. This can be an overriding factor in platform and/or administrative choice. Copyright IBM Corp

254 There are also other very real factors that have foundations within corporate organization. For example, in many companies, the hardware platform and deployment method can determine budgeting and charge back for a given software package. This is usually just an artifact of technological progression and purchasing decisions but nevertheless can make life difficult for Web-based software that runs on a user s PC and talks to a mainframe. In one case, deployment on OS/390 may make technical sense but the mainframe group may not want to take budgetary responsibility for what is viewed as a desktop application (an emulator). In another company, Host On-Demand is viewed as the responsibility of the Internet group since it is deployed from a Web server. In yet another company, Host On-Demand is an emulator and is deployed via a Web browser, both of which are considered desktop software, so the task and budget responsibility of deployment is charged to a desktop software group. The reality is that regardless of ownership, mainframe, Web or desktop, it takes a combination of these skills to deploy Host On-Demand. Connectivity to the mainframe may be as simple as asking for a Telnet server address or as complex as setting up a custom LU pool for extranet users. Setting up the Web server may be as simple as plug and go with a basic Microsoft Internet Information Server (IIS) setup on Windows NT, or it could involve setting up a robust never fail pair of AIX Web servers inside a DMZ for extranet Host On-Demand users User community There are three fundamental groups of Host On-Demand users: 1. Intranet -- users within the enterprise 2. Extranet -- often business partners or possibly customers 3. Internet -- users from the general public over the Internet The nature of the user community can dictate the administrative model(s) used to some degree. The larger the base user community, the less likely that one model will serve everybody, but the goal should be to keep the administrative tasks to a minimum A simple deployment example Let s look at a simplified example, a company with a large intranet population of casual users. The user population could theoretically be up to 5,000 people, but it s estimated that at a maximum only 20% of them will be using a host session at one time, and that number is falling as their mainframe systems are converted to a WebSphere application that can be accessed through a browser. Although the company s main business systems run on 238 IBM WebSphere Host On-Demand: Version 5 Enhancements

255 the mainframe, the vast majority of business workers do not directly access these systems. Because the company has switched from mainframe-based to Lotus Notes, most people only access the mainframe applications infrequently. There are small pockets of workers who use mainframe applications daily, but only at work. There is another small but very important group of users, the company s mainframe systems programmers, who need 24-hour, seven days a week (24x7), access to the mainframe. They will also need access to the company s systems from home, or possibly from remote locations, over a VPN or other secure connection. The simplest model to deploy in this case is one where access to the company s host systems is presented to most users as a Web page constructed by the Host On-Demand Deployment Wizard. The page is built so that the configuration server is not used and each user s customization modifications are stored locally. It s likely this will do for the vast majority of users. It can be distributed as a link in or added as a host access link to the company s intranet home page. The systems programmers are another class of user, however. These are clients who require extensive customization and the use of macros that they often use to perform repetitive system maintenance tasks. They are a small but important group of power users who will typically require a Host On-Demand registered user administrative model. By setting up the systems programmers as Host On-Demand registered users, they will be able to access their sessions from virtually any workstation inside the company, from a home computer (without installing special emulator software) or a corporate laptop. Regardless of where they access their sessions; however, all their sessions, customizations and macros will be available. Note If your users require the ability to customize their sessions and they need roaming capability -- the ability to log on from anywhere in the network -- then the Host On-Demand Registered User model is required. So for this company we end up with a mix of two distinct user groups and therefore two very different deployment models: 1. The casual or Intranet users access the mainframe from their desktop machines at work through a Web page created by the Host On-Demand Chapter 15. Deployment strategies 239

256 Deployment Wizard. These users need not be Host On-Demand registered users. 2. A smaller group of registered Host On-Demand users whose profile, including all macros and other customizations, are stored on the Host On-Demand server and who get the same access to corporate systems regardless of how or where their network access is provided. In this example above, we have a mix of intranet and extranet users. The deployment model for the extranet users is one where they are registered Host On-Demand users (one where they have a user ID and a password to log in to the Host On-Demand session manager). The Host On-Demand cached client was picked for all users in order to minimize: Startup time at the client (especially in dial-up situations). Load on the Web server used for Host On-Demand. Since Host On-Demand users download significant amounts of data only during the initial installation of the cached client or during a major upgrade, the traffic on the server is minimized. WAN traffic. Although bandwidth is not as scarce as it once was, it never makes sense to download something every day if it can be kept locally. So where did our company deploy Host On-Demand? It was decided that since the additional load would be minimal, they would add Host On-Demand to their OS/390 server. Their systems were relatively current (OS/390 V2R8) and this server was being prepared as the base for their current WebSphere development efforts User locations Today s businesses are becoming more and more global in nature. Even smaller regional businesses often need to communicate with business partners or suppliers from around the country if not around the world. Also, today s business world is very fluid; an environment where mergers and acquisitions are part of everyday life can result in some very interesting network campus arrangements. So, it is possible that geography can also play a large role in a Host On-Demand deployment strategy. In general, geography affects deployment in four ways: 1. Corporate campus groupings 2. WAN Links 3. Time zones 4. Country (language) considerations The first two factors are often interrelated. Many larger companies have grown through mergers and acquisitions, or they ve simply grown 240 IBM WebSphere Host On-Demand: Version 5 Enhancements

257 geographically as business has improved or the real estate market has changed. It s not unusual to find corporations spread across several major campuses that can span a country or countries. And often each campus is serviced by individual farms of distributed systems. For example, a company that has offices in Philadelphia, Chicago and San Francisco will likely use separate Windows NT domain servers for each. Furthermore, it s not unusual to see larger distributed platforms (for example UNIX and mainframe servers) at several locations as well, but not as many. For example, a company may have offices in five locations in various places in the United States, but only have two major data centers in two of them. So, given a company s geographical situation, how can that affect their deployment of Host On-Demand? First, the geographical dispersion of the Host On-Demand user community needs to be taken into account when estimating the server size or possible traffic added by Host On-Demand users. IBM performance testing has indicated that Host On-Demand adds more workload to a server under only two conditions: 1. When a registered user logs on. Using LDAP and native authentication will adds some additional overhead. 2. When a cached client does an initial download or downloads an update to the client. The componentization of Host On-Demand Version 5 should significantly reduce the download size of service updates after the initial cached client is installed. Refer to IBM Host Integration: A Practical Approach to Performance Planning, SG for details on Host On-Demand performance planning. The issue here is how the interactions between deployment choices and geography can impact Host On-Demand. In short, it s important to understand the geographical dispersion of users, since their use will skew the load on the Host On-Demand (and Telnet) server(s). For example, if a company is planning to support 3,000 total users, but they are spread across three time zones in four locations, it s likely the load on the server will be balanced across the times when the users arrive at work. Also, if the deployment choice is made to use a non-registered user model (similar to our earlier example), then the load on our server will be similar to that of a normal Web server Platform choices Host On-Demand server code was designed and written to be platform-neutral, needing little more than a standard Java runtime environment and a Web server to provide its function. And Host On-Demand Version 5 has not changed from that design goal. Chapter 15. Deployment strategies 241

258 However, with the introduction of such features as native authentication and express logon, the choice of server platform can be determined by the desire to use such features. With Host On-Demand, the choice of the server platform is made by a combination of factors. Let s examine some of them Available skill base In today s environment, there are very few IT organizations with time or people to spare. Sometimes an implementation decision must be made on a practical basis. For example, let s say a company has a large group of highly skilled UNIX systems workers in place to run their corporate Internet site. They have only a small number of OS/390 workers who run the mainframe system. The OS/390 system is tightly tuned and the OS/390 group has little extra time. In this case, it may make sense to deploy Host On-Demand on a UNIX platform, a relatively easy setup for this company s UNIX group and also a function that could be either piggybacked onto an existing intranet server or a stand-alone server. In short, it s important to look for a group that has the resources and skills available to run Host On-Demand. But it s also important to understand that this group coordinate its work with the OS/390 or AS/400 system administrators Security considerations Security can dictate platform choice for Host On-Demand. There are two general factors that can influence platform choice with security. First, and most common, is the use of Host On-Demand for extranet users. It is generally considered prudent security practice to avoid having a user with a direct Telnet connection from the Internet to a company s main systems. Given this rule, it is common practice to have a Host On-Demand server for extranet users running inside the company s DMZ rather than allow a direct Telnet connection from the Internet. This server will usually run on either an Intel-based server (Windows NT or Windows 2000) or a UNIX server. Even for a customer who will run Host On-Demand on a primary mainframe platform such as OS/390 or OS/400, security concerns will often dictate the use of a second (distributed) platform. Second, the use of SSL can also dictate the use of the base platform for Host On-Demand. All server platforms Host On-Demand support the use of SSL both for TN3270 encryption and for the serving of the applet s Web pages (HTTPS). The use of SSL can impose a significant load on a server and must 242 IBM WebSphere Host On-Demand: Version 5 Enhancements

259 be considered carefully. Again, we recommend IBM Host Integration: A Practical Approach to Performance Planning, SG for details on planning for SSL. Third, the use of Host On-Demand s native authentication can also dictate the server platform choice. Native authentication is dependent on the underlying operating system for validation of the user ID and password. If a company needs to validate Host On-Demand user IDs against RACF, that dictates deployment on an OS/390 platform. Conversely, if a company wants to validate against a Windows NT domain structure, this would dictate deployment on a Windows NT server platform. Since native authentication is a Host On-Demand registered user deployment model, both cases would dictate a careful review for the need of registered users Administrative choices This may be a review for some people, but with Host On-Demand Version 5, the administrator has significantly more control over both the delivery mechanism (cached vs. download) and the access method (registered vs. anonymous). The Deployment Wizard (see Chapter 6, Deployment Wizard on page 105) gives the Host On-Demand administrator the tool to deliver a customized flavor of the emulator as dictated by the needs of the business Registered vs. anonymous users Host On-Demand offers two basic user types: a registered user that must log on and an anonymous user that accesses a host session by browsing to a Web page containing a preconfigured session. In reality, there is a hybrid of the two as well that is enabled by new features in Host On-Demand Version 5. Host On-Demand administration was designed around the concept of groups and users. The administrator creates users, puts them into groups, and configures the terminal sessions necessary for either entity. But Host On-Demand users and groups were put in place as an administrative convenience; to enable roaming profiles and to easily push configurations to users through a browser. This technique allows deployment to all users, including environments that do not allow the local storage of information, such as the IBM Network Station. The Deployment Wizard offers an alternative to the Host On-Demand users and groups method of administration. It allows the production of highly customized HTML for targeted user groups. This HTML can be administered like any other Web page. For example, on some Web servers it is possible to set up an alias that would redirect the user to such a page. Chapter 15. Deployment strategies 243

260 It is possible to create a hybrid Web page, similar to the session1.html sample code that was delivered with Host On-Demand Version 4, by using the Deployment Wizard (see Figure 116). The HTML that is created here uses the registered user model of administration, except that it automatically logs the user on with a preconfigured user ID and password. The user is not prompted for a user ID and password, but they are logged on as a preconfigured ID. This hybrid user has some of the benefits of a normal registered user; they will see session changes that the administrator makes but will not be able to save their changes to the Host On-Demand server. A hybrid client can be configured so that they can save preferences (for example, colors, keyboard remapping, and macros). However, when the Deployment Wizard is used to create this type of client, individual user preferences will always be stored on the user s hard drive. Unlike the normal registered user, a hybrid user will not have true roaming capabilities. Figure 116. Creating a hybrid user with the Host On-Demand Deployment Wizard 244 IBM WebSphere Host On-Demand: Version 5 Enhancements

261 Cached vs. download client distribution Host On-Demand is designed to be downloaded on demand like any Web-based object. Three types of clients were defined: download, function on-demand and cached. As Host On-Demand has matured, the client sizes have grown with the introduction of additional function. Also, as customer usage patterns evolved it became evident that the cached client was the deployment model for the majority of customers. It was simpler to deploy one delivery model as opposed to dual models for extranet and intranet users. Also, the deployment of the cached client means that Host On-Demand does not add great amounts of network traffic above and beyond normal Telnet usage. This is important, since many customers have introduced corporate intranets and are adapting to the steadily growing use of browser-based technology. The decision on delivery model is fairly straightforward. Any regular extranet user (especially a dial-in user) should be using the cached client. And although the network traffic for a download client is minimal in today s Web-based world, the cached client is probably the delivery method of choice for most regular or occasional Host On-Demand users. Only the extremely casual user should be using the download client (the threshold for casual is up to the reader; this could mean once a month or once a year). And if so, it s probably best this type of user access a host session through a link created by the Deployment Wizard that will create a lean emulator with no customization abilities. The latter recommendation is made to keep help desk calls to a minimum. The more casual user will need a more consistent interface with fewer options that could disable or reconfigure the user interface of the emulator User preferences -- local vs. server storage One of the key features of the Host On-Demand registered user model is the ability to roam. Regardless of what system users use to access their Host On-Demand sessions, their personal settings are downloaded along with the information provided by the Host On-Demand session manager. Hybrid and anonymous users can also save their preferences (if they are configured to do so), but these are saved on the local drive. So the ability to roam is lost for hybrid and anonymous users. It is important to understand this trade-off when deciding between the different user models that Host On-Demand provides. If your users are in a one-to-one user-to-computer situation, then an anonymous or hybrid user model may serve their needs while reducing the need for Host On-Demand administration. In a situation where there is a shared workspace -- a call center, for example, where a computer may be used in shifts -- it may be Chapter 15. Deployment strategies 245

262 prudent to use a registered user model. This needs to be balanced against the need for a uniform appearance and feature set. In a high-turnover environment, it may be better to lock down or disable specific Host On-Demand features to reduce training and troubleshooting costs (refer to 5.3.3, Disabling emulator functions on page 84) Security requirements One of the most fundamental considerations in building a secure Host On-Demand environment is to remember its Web-based nature. Access to Host On-Demand is done through a Web page, and access to Web pages can be controlled by Web servers. Therefore, restricting access to the Host On-Demand Web pages is the first line of defense. The Host On-Demand user model is the second line of defense. The standard Host On-Demand user ID and password combination in the standard registered user model is for administrative reasons, to provide an identifier under which to store the user s preferences. This user ID and password is not intended to provide security. However, client authentication can be used to provide a high-security environment with standard PKI tools, and native authentication can be used to manage the user password in concert with an established security management framework (for example, RACF). The Telnet server is Host On-Demand s third line of defense for security. SSL can be used in order to prevent frame examination, and non-standard Telnet ports can and should be used to discourage discovery through port scans (for example, don t use port 23 for an SSL Telnet server). The IBM Communications Servers for AIX or Windows NT can encrypt the back-end SNA traffic for higher security. At its simplest form, Host On-Demand is simply a standard TN3270, TN5250 or VT client. That may be suitable for intranet use, but it s important to note that none of these standard terminal types (whether they are Host On-Demand or other software) are considered secure. TN3270, for example, passes all data in the clear. A simple frame trace of TN3270 traffic on a network is enough to recover data, user ID information, and even mainframe passwords. Host On-Demand was the first Telnet emulator to offer SSL encrypted 3270 or 5250 sessions, which would make a frame trace reconstruction of user data virtually impossible. This was offered with Host On-Demand Version 4. With the use of the Host On-Demand Redirector, it is even possible to encrypt VT sessions. So far, the type of SSL being discussed is server authentication, where the client authenticates the server as valid. Host On-Demand Version 4 also 246 IBM WebSphere Host On-Demand: Version 5 Enhancements

263 introduced the concept of client authentication, where a Host On-Demand client could not establish a session without a proper certificate. Host On-Demand Version 5 introduces additional functions that build on top of the SSL-enablement in Version 4, native authentication, express logon and Telnet-negotiated security. While these are not security functions, they build on the security already in Host On-Demand and can make a secure environment easier for the end user and the administrator. Here are the security functions available in Host On-Demand client: Delivery of the HTML, applets, and preferences via HTTPS. SSL--enabled host sessions (native TN3270, TN5250 or VT by use of the redirector). Client authentication (requires the user to have a digital certificate recognized by the Telnet server). Telnet-negotiated security, the ability to negotiate a secure connection over the same port as a non-secure Telnet session (see Chapter 10, Telnet-negotiated security on page 185). Express logon requires SSL session with client authentication, and automatically logs the user into the OS/390 host application without any additional prompts (see Chapter 9, Express logon on page 167). Native authentication (see Chapter 7, Native authentication on page 139). Each has certain infrastructure requirements that must be met. In deciding how much security is enough, the security needs must be balanced with the infrastructure and administrative requirements. For example, most companies would not have the requirement to use SSL--enabled Telnet sessions for general use within their enterprise (intranet). However, if there was a significant user community where encryption is required (for example, currency or securities trading applications), there are alternatives. For example, it is possible to allow the general population to use Host On-Demand unencrypted, while setting up a separate Telnet server for our high security group. Based on the IBM Communications Server for AIX or Windows NT, this secure Telnet server could serve the user community that requires secure communications. Additional security is possible by using the IBM cryptographic card on both the communications server and the mainframe, to form a secure (encrypted) SNA link. Using a separate Host On-Demand and/or Telnet server for high-security users is also a common solution for extranet and Internet environments. The security policies of many companies prohibit a direct connection from the Chapter 15. Deployment strategies 247

264 Internet to their mainframe business systems. These companies establish servers in a secure segment of their network called the DMZ that provides a buffer between the Internet and the operational systems inside. With Host On-Demand, the same security principles apply. So, a Host On-Demand server is set up inside the DMZ to serve extranet and internet users. Usually, this is an SSL-based (HTTPS) Web server. Access to this server is usually restricted by some form of logon; direct access without first being authenticated by a gateway server of some kind is rare. If a Host On-Demand server is placed within a DMZ, then a Telnet server is the next requirement. The placement of a Telnet server within a DMZ is one solution. If the Telnet server is SSL-enabled, it can be made secure. This is done by using a non-standard Telnet port, or using the new Telnet-negotiated security where only one Telnet port is required to be open through the firewall. and the server s back-end connection to the mainframe is SNA (SNA hacking from the Internet via TCP/IP is considered a low-risk item). As an alternative, Telnet traffic can also be redirected through the firewall via proxy servers, the Host On-Demand Redirector (only for low-volume traffic) or by using the Telnet proxy function of the IBM Communications Server for AIX. The final stop for Host On-Demand security is the target host itself. Generally, these are well-protected machines with highly evolved security mechanisms such as RACF. At this point, it is the user that becomes the weakest link in the chain. It is distinctly possible that in order to get to a host application, an extranet user may have to know: 1. A user ID and password to an external Web site. 2. A Host On-Demand user ID and password. 3. A RACF user ID and password. 4. In some cases, it s possible that users may even have to log on to individual applications. With this much security, simple hacking no longer becomes the primary threat. A user faced with this gauntlet is likely to record this information somewhere: a spreadsheet, a text file or even the famous yellow sticky on the display terminal or under the keyboard. The issue of security has been a focus item in Host On-Demand Version 4 and Version 5. It will be a continuing item of improvement in future releases of Host On-Demand, IBM communications products and operating systems. For example there are plans to introduce SmartCard support in addition to the current digital certificate support into a future release of Host On-Demand. 248 IBM WebSphere Host On-Demand: Version 5 Enhancements

265 15.2 Deployment scenarios This section illustrates WebSphere Host On-Demand deployment strategies by the use of a number of case studies. Each is based loosely on real-world business use of the product, but the names, certain business details and industries have been changed to disguise actual company identities. Some are composites or partial scenarios. and may illustrate only part of a Host On-Demand deployment (for example, a very large intranet or very secure extranet) in order to focus on a specific aspect of the deployment. Each scenario will have a brief description of the company, the targeted user community, the target Host On-Demand server platform(s), the LDAP platform(s) (if applicable) and the user security/preferences model(s) employed The call center This scenario is generic and will likely be deployed across multiple industries Company description A large financial services company runs several call centers in locations around the United States. These call centers are staffed 24 hours a day, 7 days a week and are open every day of the year. Employees use the company s mainframe applications to assist customers with their accounts and to help sell new services when possible. Each employee will have multiple host sessions open. The company has been using a traditional emulator with an SNA connection running on Windows 95, but is migrating to Windows As part of that migration, they are using as much browser-based technology as possible to help reduce the costs of loading and distributing software. This is also viewed as key to their disaster-recovery plan, so that if a call center site is lost to fire, flood, hurricane or other natural disaster, its infrastructure can be rebuilt as quickly as possible. By using a browser-based emulator, it is felt that the key functions of a call center employee could be restored quickly by most off-the-shelf computers should the need arise Target user community The call center has a high turnover rate. Because of this, consistency and ease of use is a concern. Both reduce the time it takes to train the constant stream of new employees and make the mainframe applications more approachable. Chapter 15. Deployment strategies 249

266 Host On-Demand deployment strategy The deployment strategy in this case was to use the OS/390 systems as the Host On-Demand server while using an anonymous user cached client model for the deployment mode. Several factors drove this decision. First, it was critical that employees have access to the company mainframe applications as close to 100% of the time as possible. The applications these employees used were the bread-and-butter of this company s business and if they could not be used, this company s income and customer service would be significantly impacted. It was also desirable that any solution dovetail into the disaster recovery plans that were in place for the data center and for the call centers. The next factor was usability. Call center management asked for policy implementation over the mainframe access so that all the applications had a consistent look and feel. It was felt this would help reduce support and training costs significantly. The previous fat client emulator had given the end user considerable freedom to customize the appearance of the mainframe application. This led to many issues with training since the appearance of the mainframe sessions would often vary from session to session (and from cubicle to cubicle). Furthermore, since call centers were open 24 hours per day, customization of the emulator (among other things) became a source of friction among employees. The decision to run Host On-Demand from the OS/390 server platform was made for several reasons. First was the elimination of a point of failure (a middle-tier Web server). Since OS/390 was the platform where the production applications operated, it was felt that if the mainframe were up, and the links to the mainframe were up, that this company s staff was competent to manage the small additional workload that Host On-Demand would add. Also, doing so would make a failover plan easier to implement. This company had a backup data center that could be brought online in case of a major disaster. Maintaining the Host On-Demand server on this system would mean one less item to worry about during the secondary cut-over process. The administrative model chosen was fairly simple. The Host On-Demand Deployment Wizard was used to create a Web page that would download the necessary cached client components for a 3270 session. The page would contain their defined session and would not allow them to make or save changes. Users would be directed to this Web page by setting Internet Explorer policy. Each workstation s browser home page was set when the user logged into the NT domain. The default home page had a link to the Host On-Demand page under Application Access. 250 IBM WebSphere Host On-Demand: Version 5 Enhancements

267 Financial services company This scenario, although described as a financial services type of deployment may also be used in the insurance industry or any other industry that has external users and strict security requirements Company description Another financial services firm wished to provide integration of their existing legacy host applications with a newer Web-based portal application they were developing for their brokers use. Brokers use these legacy applications to check trade status, etc. At the same time, it was deemed that as part of their efforts these application should be rejuvenated with a more modern Web based interface as well. In addition, if possible, they would like to provide a single sign-on solution to the legacy systems for these users as well Target user community The intended users of this application are the brokers in the various brokerage sites and remote offices Host On-Demand Deployment Strategy The deployment strategy in this case focused around several key areas. Host On-Demand with IBM Screen Customizer was chosen to present a more modern graphical interface for the brokers. Since the firm did not have access to the core portal application servers, they chose to deploy Host On-Demand in a redundant manner at two primary sites. Deployment was to AIX Web Servers since their normal operating environment was UNIX based. On the back end, Communications Server for AIX was deployed due to its ability to support secure end-to-end SSL Telnet sessions between the Host On-Demand/Screen Customizer client and the target host system. These servers were distributed across two physically separate sites for redundancy purposes and load balanced using the service location protocol (SLP) supported by Host On-Demand and Communications Server for AIX. Refer to IBM SecureWay Host On-Demand 4.0: Enterprise Communications in the Era of Network Computing, SC for a complete description of SLP. IBM Screen Customizer was deployed together with the Host On-Demand client. The Host On-Demand/IBM Screen Customizer client was built using the Deployment Wizard utility to create a customized HTML page that provided for the session to be run embedded, not external to the browser frame. This allowed the session to be embedded into the existing portal application as a framed page. In addition, since the company did not wish to be responsible for maintenance of additional user IDs and passwords, local preference saving was enabled through the Deployment Wizard and directed to be stored on the client workstation. Using the Deployment Wizard a thin Chapter 15. Deployment strategies 251

268 client was deployed, containing only the functions required by the brokers. The resultant Screen Customizer session was added as a link in the main portal application. Considerations for extensions include the desire for a single sign-on capability to be added to the host systems. The users are currently authenticated at the main portal page and they would like this authentication to be passed through to the host system, eliminating a logon the user must perform. Using the Express Logon Feature together with RACF certificates to automate the login process for the users is planned for the next phase Basic intranet This scenario could be applied to many customers and industries. It is the typical way most companies approach their initial deployment of Host On-Demand and IBM Screen Customizer Company description The company runs a centralized MVS system. Years ago they deployed emulator clients to all their workstations. However, their business is moving more toward an e-business model and they look to access their applications with Web technologies. They have decided to deploy an easier to manage TN3270 based emulator client to all their users and to add a graphical front end to many of these user to improve their productivity and pave the way for future applications planned for several years hence. They view Host On-Demand as a replacement for that old emulator they are now using. They also look toward IBM Screen Customizer to revitalize that old interface and bring the application closer to an e-business model of Web browser look and feel Target user community There are several groups of users: Clerks that process business all day and stay in a given application set. Their job is well defined. This group of users experiences periodically high turnover rates and views an interface that is more intuitive as highly productive. Programmers and systems programmers that are very familiar and efficient with the standard emulator interface. These users will use the standard interface initially to preserve their productivity. Mobile users, such as managers and on-call personnel. These users will be coming in over slower speed dial-up lines initially, until they can establish an Internet infrastructure. 252 IBM WebSphere Host On-Demand: Version 5 Enhancements

269 Host On-Demand deployment strategy The customer has decided that they have excellent backup/recovery and availability with their existing MVS system and decide to deploy Host On-Demand on that platform to take advantage of those attributes. Because they have a one-for-one ratio of workstations to personnel per shift they elected to use an anonymous user model and avoid the administrative overhead of managing users IDs and passwords. They elected to use the Deployment Wizard to create small efficient clients, loading only the components most frequently used by the user. Should other functions be required they will allow them to be downloaded dynamically from the server. This avoids having to load a large client on every workstation initially. In addition it also provides them an automated distribution of software when a new function is required or is available. Since they previously used IBM Personal Communications Manager it was decided that the session definitions used with Personal Communications Manager would be imported by each user to define the required session. Initially their dial-in support would be over a private network managed by the company so that security would not be an issue. However, they realized that eventually they would have to address the issue of security, so they made plans to upgrade their MVS system to OS/390 V2R10 at the earliest opportunity and to plan to implement the TLS-negotiated security capability of CS/390 and native authentication. Chapter 15. Deployment strategies 253

270 254 IBM WebSphere Host On-Demand: Version 5 Enhancements

271 Chapter 16. System/390 as a Host On-Demand server New security options have been introduced into Host On-Demand Version 5 for OS/390 customers: Express logon uses digital certificates to provide user access OS/390 applications. Native authentication allows the Host On-Demand administrator to use RACF to manage and validate passwords, thus providing the user with one less password to remember. Telnet-negotiated security is a method of providing secure Telnet sessions without having to dedicate a secure port for SSL-enabled sessions, thus reducing the complexity of the management of the environment Express logon The Express Logon Feature was introduced in CS/390 V2R10. It is a three-tiered architecture at the time of the writing of this redbook. It provides a methodology for authenticating a user via a digital certificate, then using the certificate along with a macro to automatically log the user into a supported application by simply providing the password to the digital certificate. No other prompts for user IDs or passwords will be displayed to the user. Refer to Chapter 9, Express logon on page 167 for a complete description of the requirements for this function, how it works, and how to enable it Native authentication If the Host On-Demand server is installed on the OS/390 system, native authentication is a facility that will reduce by one the number of passwords that the user must remember, and significantly reduce the workload on the Host On-Demand administrator by delegating password management to RACF. For a complete discussion of native authentication on all platforms refer to Chapter 7, Native authentication on page 139. For details specifically on OS/390 refer to 7.2.2, OS/390 on page Telnet-negotiated security Telnet-negotiated security is supported directly between the Host On-Demand client and CS/390 V2R10, or higher. No interim Telnet servers are allowed, unless they operate in passthrough mode. Refer to Chapter 10, Copyright IBM Corp

272 Telnet-negotiated security on page 185 for details on the operation of Telnet-negotiated security. 256 IBM WebSphere Host On-Demand: Version 5 Enhancements

273 Appendix A. Keyboard mappings This appendix consists of tables containing the keyboard mappings for Host On-Demand Version 5. Blank cells indicate that there is no key sequence defined, while a greyed cell indicates an invalid option. For example, in Table 17, no default key sequence is defined for the Beginning of Field function in a 3270 session; therefore, that cell is blank. Beginning of Field is not a valid command for 5250 and VT100 sessions; therefore, the cells for these options are greyed out. Table 17. Keyboard mapping ordered by host function Host Function VT Alternate Cursor Attention Backspace Backspace Backspace Backspace Backtab Shift+Tab Shift+Tab Beginning of Field Clear Escape Escape Escape Clear Pause Pause Pause Cursor Down Down Down Down Cursor Left Left Left Left Cursor Right Right Right Right Cursor Up Up Up Up Do Shift+F4 Dup Field Delete Character Delete Delete End of Field End End Enter Ctrl Ctrl Enter Enter Enter Enter Erase Field Erase Input Erase End of Field Copyright IBM Corp

274 Host Function VT Field Exit Ctrl+Enter Field Mark Shift+Home Shift+Home Field Minus Field Plus Find End Graphic Cursor Alt+F12 Help Shift+F3 Home Home Home Host Print Ctrl+Cancel Insert Insert Insert Insert Mark Down Shift+Down Shift+Down Shift+Down Mark Left Shift+Left Shift+Left Shift+Left Mark Right Shift+Right Shift+Right Shift+Right Mark Up Shift+Up Shift+Up Shift+Up Move Trim Box Down Ctrl+Down Ctrl+Down Ctrl+Down Move Trim Box Left Ctrl+Left Ctrl+Left Ctrl+Left Move Trim Box Right Ctrl+Right Ctrl+Right Ctrl+Right Move Trim Box Up Ctrl+Up Ctrl+Up Ctrl+Up New Line Shift+Enter Nextscreen Page Down PA1 PA2 PA3 PF1 F1 F1 F1 PF2 F2 F2 F2 PF3 F3 F3 F3 PF4 F4 F4 F4 PF5 F5 F5 F5 258 IBM WebSphere Host On-Demand: Version 5 Enhancements

275 Host Function VT PF6 F6 F6 F6 PF7 F7 F7 F7 PF8 F8 F8 F8 PF9 F9 F9 F9 PF10 F10 F10 F10 PF11 F11 F11 F11 PF12 F12 F12 F12 PF13 Shift+F1 Shift+F1 Shift+F1 PF14 Shift+F2 Shift+F2 Shift+F2 PF15 Shift+F3 Shift+F3 Shift+F3 PF16 Shift+F4 Shift+F4 PF17 Shift+F5 Shift+F5 Shift+F5 PF18 Shift+F6 Shift+F6 Shift+F6 PF19 Shift+F7 Shift+F7 Shift+F7 PF20 Shift+F8 Shift+F8 Shift+F8 PF21 Shift+F9 Shift+F9 Shift+F9 PF22 Shift+F10 Shift+F10 Shift+F10 PF23 Shift+F111 Shift+F111 Shift+F11 PF24 Shift+F12 Shift+F12 Shift+F12 Page Down Page Down Page Down Page Up Page Up Page Up PrevScreen Remove Page Up Delete Reset Rule Ctrl+Home Ctrl+Home Ctrl+Home Select Home System Request Tab Field Tab Tab Tab Appendix A. Keyboard mappings 259

276 Host Function VT Test Request Ctrl+F12 Unmark Shift+Escape Shift+Escape Shift+Escape Table 18. Keyboard mapping ordered by key functions Menu Command VT About Host On-Demand Clear Fields Color Connect Contents Copy Ctrl+C Ctrl+C Ctrl+Insert Copy Ctrl+Insert Ctrl+Insert Copy Append Cut Ctrl+X Ctrl+X Cut Shift+Delete Shift+Delete Disconnect Display Edit Exit Ctrl+Q Ctrl+Q File Transfer Defaults Index Ctrl+H Ctrl+H Jumpnext Ctrl+Page Up Ctrl+Page Up Ctrl+Page Up Jumpnext Ctrl+J Ctrl+J Keyboard Keypad Light Pen Mode Macro Manager Numeric Field Lock 260 IBM WebSphere Host On-Demand: Version 5 Enhancements

277 Menu Command VT Paste Shift+Insert Shift+Insert Shift+Insert Paste Ctrl+V Ctrl+V Pause Macro Play Macro Ctrl+M Ctrl+M Print Screen Ctrl+Page Up Ctrl+P Receive Files from Host Ctrl+R Ctrl+R Record Macro Run Applet Ctrl+U Ctrl+U Run the Same Security Select all Ctrl+A Ctrl+A Send Files to Host Ctrl+S Ctrl+S Status Bar Stop Macro Support Toolbar Toolbar Text Unmark Table 19. Keyboard mapping ordered by key sequence VT Command Alt+F12 Graphic Cursor Backspace Backspace Backspace Backspace Ctrl Ctrl Enter Enter Ctrl+A Ctrl+A Select all Ctrl+C Ctrl+C Ctrl+Insert Copy Ctrl+Cancel Host Print Ctrl+Down Ctrl+Down Ctrl+Down Move Trim Box Down Appendix A. Keyboard mappings 261

278 VT Command Ctrl+Enter Ctrl+F12 Field Exit Test Request Ctrl+H Ctrl+H Index Ctrl+Home Ctrl+Home Ctrl+Home Rule Ctrl+Insert Ctrl+Insert Copy Ctrl+J Ctrl+J Jumpnext Ctrl+Left Ctrl+Left Ctrl+Left Move Trim Box Left Ctrl+M Ctrl+M Play Macro Ctrl+Page Up Ctrl+Page Up Ctrl+Page Up Jumpnext Ctrl+Page Up Ctrl+P Print Screen Ctrl+Q Ctrl+Q Exit Ctrl+R Ctrl+R Receive Host Files Ctrl+Right Ctrl+Right Ctrl+Right Move Trim Box Right Ctrl+S Ctrl+S Send Files to Host Ctrl+U Ctrl+U Run Applet Ctrl+Up Ctrl+Up Ctrl+Up Move Trim Box Up Ctrl+V Ctrl+V Paste Ctrl+X Ctrl+X Cut Delete Delete Delete Character Delete Remove End End End of Field End Find Enter Enter Enter Enter Escape Escape Escape Clear F1 F1 F1 PF1 F2 F2 F2 PF2 F3 F3 F3 PF3 F4 F4 F4 PF4 262 IBM WebSphere Host On-Demand: Version 5 Enhancements

279 VT Command F5 F5 F5 PF5 F6 F6 F6 PF6 F7 F7 F7 PF7 F8 F8 F8 PF8 F9 F9 F9 PF9 F10 F10 F10 PF10 F11 F11 F11 PF11 F12 F12 F12 PF12 Home Home Home Home Select Insert Insert Insert Insert Left Left Left Cursor Left Page Down Page Down Page Down Page Down Nextscreen Page Up Page Up Page Up Page Up PrevScreen Pause Pause Pause Clear Right Right Right Cursor Right Shift+Delete Shift+Delete Cut Shift+Down Shift+Down Shift+Down Mark Down Shift+Enter New Line Shift+Escape Shift+Escape Shift+Escape Unmark Shift+F1 Shift+F1 Shift+F1 PF13 Shift+F2 Shift+F2 Shift+F2 PF14 Shift+F3 Shift+F3 Shift+F3 PF15 Shift+F3 Help Shift+F4 Shift+F4 Shift+F4 PF16 Shift+F4 Do Appendix A. Keyboard mappings 263

280 VT Command Shift+F5 Shift+F5 Shift+F5 PF17 Shift+F6 Shift+F6 Shift+F6 PF18 Shift+F7 Shift+F7 Shift+F7 PF19 Shift+F8 Shift+F8 Shift+F8 PF20 Shift+F9 Shift+F9 Shift+F9 PF21 Shift+F10 Shift+F10 Shift+F10 PF22 Shift+F11 Shift+F111 Shift+F11 PF23 Shift+F12 Shift+F12 Shift+F12 PF24 Shift+Home Shift+Home Field Mark Shift+Insert Shift+Insert Shift+Insert Paste Shift+Left Shift+Left Shift+Left Mark Left Shift+Right Shift+Right Shift+Right Mark Right Shift+Tab Shift+Tab Backtab Shift+Up Shift+Up Shift+Up Mark Up Tab Tab Tab Tab Field Up Up Up Cursor Up About Host On-Demand Alternate Cursor Attention Beginning of Field Clear Fields Color Connect Contents Copy Append Disconnect Display Dup Field 264 IBM WebSphere Host On-Demand: Version 5 Enhancements

281 VT Command Edit Erase Field Erase Input Erase to End of Field Field Minus Field Plus File Transfer Defaults Keyboard Keypad Light Pen Mode Macro Manager Numeric Field Lock PA1 PA2 PA3 Pause Macro Record Macro Reset Run the Same Security Status Bar Stop Macro Support System Request Toolbar Toolbar Text Unmark Appendix A. Keyboard mappings 265

282 266 IBM WebSphere Host On-Demand: Version 5 Enhancements

283 Appendix B. Sample session configuration file The various sections of the session configuration file are identified with a label in brackets([]). The session s configuration file starts with the macro [MACRO-ehone]. This macro was recorded when defining the session and will automatically be played when this session is initialized. Next, you will find any keyboard remaps, [KeyRemap], you recorded for this session. This session configuration file uses a German code page, and Attention has been assigned to the Escape key. Further into the file is the start of the terminal parameters that are used to set up the terminal session [Terminal]. At the end of the configuration file is the description of the session s window, [Icon] section, representing either the default settings or (if you started the session from the Deployment Wizard s Host Sessions window) the settings active at the time you closed that window. These settings include, for example, the size (framewidth and frameheight) and position (framexpos and frameypos) of the session window. [MACRO_ehone] macroname=ehone macrodescription=logon to ehone code=<hascript name="ehone" description="logon to ehone" timeout="60000" pausetime="300" promptall="true" author="" creationdate="" supressclearevents="false" >^~^~ <screen name="screen1" entryscreen="true" exitscreen="false" transient="false">^~ <description>^~ <oia status="notinhibited" optional="false" invertmatch="false" />^~ </ description>^~ <actions>^~ <input value="ehone [enter]" row="0" col="0" movecursor="true" xlatehostkeys="true" encrypted="false" />^~ </actions>^~ <nextscreens timeout="0" >^~ <nextscreen name="screen2" />^~ </nextscreens>^~ </screen>^~^~ <screen name="screen2" entryscreen="false" exitscreen="true" transient="false">^~ <description>^~ <oia status="notinhibited" optional="false" invertmatch="false" />^~ <numfields number="4" optional="false" invertmatch="false" />^~ <numinputfields number="1" optional="false" invertmatch="false" />^~ </description>^~ <actions>^~ <prompt name="password" description="" row="23" col="1" len="139" default="pt0810ld" clearfield="false" encrypted="true" movecursor="false" xlatehostkeys="false" />^~ <input value="[enter]" row="0" col="0" movecursor="true" xlatehostkeys="true" encrypted="false" />^~ </actions>^~ <nextscreens timeout="0" >^~ </nextscreens>^~ </screen>^~^~</hascript>^~ [KeyRemap] sessiontype=1 codepage=1141 Copyright IBM Corp

284 B27=[attn] autoapply=false [Terminal] LUMPort=80 fontnameadmin=false SLPThisScopeOnly=false symmetricswapenabled=true VTLocalEcho=false sessionnameadmin=false servicemgrhost= SSLCertificateRemembered=true cursordirection=cursor_lefttoright numericswapenabled=true sessiontype=1 TNEnhancedAdmin=false textorientation=lefttoright autopack=false autoconnectadmin=false pastestopatprotectedline=false LUNameAdmin=false SLPMaxWaitTimeAdmin=false pastefieldwrap=false codepage=1141 hostadmin=false SSLCertificateRememberedAdmin=false VTCursor=false lightpenmode=false workstationid= cursorvisible=true texttype=visual lightpenmodeadmin=false screensizeadmin=false 3DAdmin=false fontname=ibm3270 SSLTelnetNegotiatedAdmin=false rule=false SSLCertificateProvided=false LUMLicensing=HOD printfilename= SLPScopeAdmin=false VTNewLine=true autoconnect=true TNEnhanced=true fontsize= IBM WebSphere Host On-Demand: Version 5 Enhancements

285 texttypedisp=logical_disp DBCSInputVisible=false pastetabspaces=1 SSLServerAuthentication=false SSLServerAuthenticationAdmin=false blockcursor=true 3D=true numeralshapeadmin=false OIAVisible=true OIAVisibleAdmin=false SSLCertificateURLAdmin=false separatefiles=false LUMServer= SSLCertificateURL= HistorySize=64 numeralshape=nominal VTAnswerBackMsg= screensize=2 SLPScope= textorientationadmin=false autoreconnect=true LUName= trimrectremainafteredit=false mouseenabled=true fontstyle=0 SSLCertificatePassword= CICSServerName= printername=lpt1 VTTerminalType=1 pastetotrimmedarea=false SLPEnabled=false ThaiDisplayModeAdmin=false host=tn3270.de.ibm.com port=23 numericfieldlock=false portadmin=false codepagekey=key_germany_euro sessionname= SSLTelnetNegotiated=false VTAutowrap=false pastelinewrap=false VTBackspace=false pastetaboptions=2 SLPMaxWaitTime=200 VTKeypad=false Appendix B. Sample session configuration file 269

286 History=true SLPThisScopeOnlyAdmin=false SSL=false SLPAS400Name= trimrectsizinghandles=true graphicscellsize=0 sessionid=a ENPTUI=false SSLAdmin=false codepageadmin=false hostgraphics=false copyonlyiftrimmed=false fontsizebounded=true accessibilityenabled=false printdestination=true graphicscellsizeadmin=false SLPEnabledAdmin=false VTReverseScreen=false ThaiDisplayMode=5 hostgraphicsadmin=false blockcursoradmin=false SSLCertificatePrompted=false fontstyleadmin=false autoreconnectadmin=false centered=true pastetabcolumns=1 numeralshapedisp=contextual_disp BIDIMode=BIDIMODEON CICSGWCodePage=000 SSLCertificateProvidedAdmin=false autofontsize=true texttypeadmin=false [Icon] selectedimage=3270_s.gif EmbeddedAdmin=false keypadvisibleadmin=false autostartnameadmin=false buttontextvisible=true buttontextvisibleadmin=false startupapplet= Default=false macromanagervisibleadmin=false autostartname= RequestedID=* 270 IBM WebSphere Host On-Demand: Version 5 Enhancements

287 unselectedimage=3270.gif guiselectedadmin=false buttonbarvisible=true Embedded=false frameypos=206 associatedprintersessionadmin=false interface=com.ibm.enetwork.hod.icons.icon3270 macromanagervisible=true autostartadmin=false framewidth=610 startupmacro= buttonadminbarvisible=true autolaunch=true guiemulation=false autostart=none name= autolaunchadmin=false guiemulationadmin=false statusbarvisible=true framexpos=228 keypadvisible=false frameheight=436 RequestedIDAdmin=false statusbarvisibleadmin=false associatedprintersession= buttonbarvisibleadmin=false Appendix B. Sample session configuration file 271

288 272 IBM WebSphere Host On-Demand: Version 5 Enhancements

289 Appendix C. Problem determination Below are some common problem determination procedures and examples. C.1 Enabling IPMonitor IPMonitor (IPMON) can provide valuable information for the IBM support team and your technical specialists when debugging a problem. However, before IPMonitor will work with Host On-Demand Version 5, you must modify the debug HTML file. In the file, find the line that starts with param name=preloadcomponentlist and add HAIPMON to the end. The end of the line should then look like this: "...HODHLL;HODCFG;HAIPMON>" Once you have modified the file, the user can start the Host On-Demand terminal emulator session and then click Assist > Run Applet, and for the applet enter: com.ibm.enetwork.hod.util.ipmonitor.ipmonitor just like Host On- Demand 4.0. C.2 LDAP configuration There are several things that can go wrong in configuring both the LDAP directory server and enabling Host On-Demand to use the LDAP server. The following tips should be helpful: These following restrictions are scheduled to be lifted in Version 5.03: - You must have localhost defined as an alias on the LDAP server. - The host name in the Host On-Demand directory services panel must be resolvable to an IP address. - The IP address in the Host On-Demand directory services panel must be resolvable to a host name. If you are using an LDAP directory server on OS/390, refer to OS/390 Security Server Updates, SG , Chapter 5, LDAP Server. This chapter walks you through setting up the LDAP server and discusses the issues of working with Host On-Demand. Copyright IBM Corp

290 C.3 Sample TLS-negotiated traces The following are samples of Host On-Demand Level 3 trace taken of a successful and unsuccessful Telnet-negotiated session. The output has been reformatted to fit this document. C.3.1 Successful negotiation 6@0@02/09/ :20:05:083@null@err@ECL0037: Server :23 does not support Telnet-negotiated security. 4@0@02/09/ :21:43:975@Transport@A@---TN3270 : open() processing started. 4@1@02/09/ :21:43:985@Transport@A@---TN3270 : DNS randomize host name = , TN3270 ::tel_init() 4@2@02/09/ :21:43:995@Transport@A@---TN3270 : initialize() non-ssl socket created. 4@3@02/09/ :21:44:085@Transport@A@---TN3270 : Connected to , port = 6623, TN3270 ::tel_init() 4@4@02/09/ :21:44:145@Transport@A@---TN3270 : execute() Entry. 4@5@02/09/ :21:44:155@Transport@A@-->TN3270 : Outbound Data Received: length = 3, TN3270 ::read_instream() 4@6@02/09/ :21:44:155@Transport@A@-->TN3270 : <. > 4@7@02/09/ :21:44:155@Transport@A@ High = FF2 4@8@02/09/ :21:44:155@Transport@A@ Low = FDE 4@9@02/09/ :21:44:155@Transport@A@Receive_data count is 3, TN3270 ::receive_data() 4@10@02/09/ :21:44:155@Transport@A@<--TN3270 : Response CMD = WILL OPT = STARTTLS 4@11@02/09/ :21:44:155@Transport@A@<--TN3270 : Inbound Data Sent: length = 3, TN3270 ::senddata() 4@12@02/09/ :21:44:155@Transport@A@<--TN3270 : <. > 4@13@02/09/ :21:44:155@Transport@A@ High = FF2 4@14@02/09/ :21:44:155@Transport@A@ Low = FBE 4@15@02/09/ :21:44:155@Transport@A@-->TN3270 : Negotiate CMD = DO OPT = STARTTLS 4@16@02/09/ :21:44:155@Transport@A@<--TN3270 : Response IAC SB STARTTLS FOLLOWS IAC SE 4@17@02/09/ :21:44:155@Transport@A@<--TN3270 : Inbound Data Sent: length = 6, TN3270 ::senddata() 4@18@02/09/ :21:44:155@Transport@A@<--TN3270 : <. 0> 4@19@02/09/ :21:44:155@Transport@A@ High = FF20FF 4@20@02/09/ :21:44:155@Transport@A@ Low = FAE1F0 4@21@02/09/ :21:44:155@Transport@A@---TN3270 : Telnet.sendFollows() Do not respond to any more telnet flows until session is secure 4@22@02/09/ :21:44:155@Transport@A@---TN3270 : execute() Exit. 4@23@02/09/ :21:44:396@Transport@A@---TN3270 : execute() Entry. 274 IBM WebSphere Host On-Demand: Version 5 Enhancements

291 : Outbound Data Received: length = 6, TN3270 ::read_instream() 4@25@02/09/ :21:44:396@Transport@A@-->TN3270 : <. 0> 4@26@02/09/ :21:44:396@Transport@A@ High = FF20FF 4@27@02/09/ :21:44:396@Transport@A@ Low = FAE1F0 4@28@02/09/ :21:44:396@Transport@A@Receive_data count is 6, TN3270 ::receive_data() 4@29@02/09/ :21:44:396@Transport@A@<--TN3270 : Process_SB_STARTTLS_FOLLOWS()TN3270 Start SSL to secure the Telnet Socket 4@30@02/09/ :21:44:396@Transport@A@---TN3270 : securesocket() start SSL on existing NT connection 6@1@02/09/ :21:49:984@null@err@ECL0008: Could not create a secure connection to server " :6623". 4@31@02/09/ :21:50:004@Transport@A@---TN3270 [4]: Failed to securely connect to host , port = 6623, TN3270 ::securesocket() 4@32@02/09/ :21:50:004@Transport@A@---TN3270 : execute() Exit. 4@33@02/09/ :21:50:014@Transport@A@available() threw exception.message-socket closed,exception-java.net.socketexception: Socket closed 4@34@02/09/ :21:50:014@Transport@A@---TN3270 : execute() Entry. 4@35@02/09/ :21:50:014@Transport@A@---TN3270 : Exception 2, TN3270 ::needtorun() 4@36@02/09/ :21:50:014@Transport@A@---TN3270 : execute()exception not null and count<0. 4@37@02/09/ :21:50:014@Transport@A@---TN3270 : execute() Call terminate(). 4@38@02/09/ :21:50:014@Transport@A@---TN3270 : syncterminate() Entry. 4@39@02/09/ :21:50:014@Transport@A@---TN3270 : Begin session termination., TN3270 ::tel_disc() 4@40@02/09/ :21:50:084@Transport@A@---TN3270 : open() processing started. 4@41@02/09/ :21:50:084@Transport@A@---TN3270 : DNS randomize host name = , TN3270 ::tel_init() 4@42@02/09/ :21:50:094@Transport@A@---TN3270 : initialize() non-ssl socket created. 4@43@02/09/ :21:50:104@Transport@A@---TN3270 : Connected to , port = 6623, TN3270 ::tel_init() 4@44@02/09/ :21:50:104@Transport@A@---TN3270 : execute() Exit. 4@45@02/09/ :21:50:164@Transport@A@---TN3270 : execute() Entry. 4@46@02/09/ :21:50:164@Transport@A@-->TN3270 : Outbound Data Received: length = 3, TN3270 ::read_instream() 4@47@02/09/ :21:50:164@Transport@A@-->TN3270 : <. > 4@48@02/09/ :21:50:164@Transport@A@ High = FF2 4@49@02/09/ :21:50:164@Transport@A@ Low = FDE 4@50@02/09/ :21:50:164@Transport@A@Receive_data count is 3, TN3270 ::receive_data() 4@51@02/09/ :21:50:164@Transport@A@<--TN3270 : Response CMD = WILL OPT = STARTTLS Appendix C. Problem determination 275

292 : Inbound Data Sent: length = 3, TN3270 ::senddata() 4@53@02/09/ :21:50:164@Transport@A@<--TN3270 : <. > 4@54@02/09/ :21:50:164@Transport@A@ High = FF2 4@55@02/09/ :21:50:164@Transport@A@ Low = FBE 4@56@02/09/ :21:50:164@Transport@A@-->TN3270 : Negotiate CMD = DO OPT = STARTTLS 4@57@02/09/ :21:50:164@Transport@A@<--TN3270 : Response IAC SB STARTTLS FOLLOWS IAC SE 4@58@02/09/ :21:50:164@Transport@A@<--TN3270 : Inbound Data Sent: length = 6, TN3270 ::senddata() 4@59@02/09/ :21:50:164@Transport@A@<--TN3270 : <. 0> 4@60@02/09/ :21:50:164@Transport@A@ High = FF20FF 4@61@02/09/ :21:50:164@Transport@A@ Low = FAE1F0 4@62@02/09/ :21:50:164@Transport@A@---TN3270 : Telnet.sendFollows() Do not respond to any more telnet flows until session is secure 4@63@02/09/ :21:50:164@Transport@A@---TN3270 : execute() Exit. 4@64@02/09/ :21:50:464@Transport@A@---TN3270 : execute() Entry. 4@65@02/09/ :21:50:464@Transport@A@-->TN3270 : Outbound Data Received: length = 6, TN3270 ::read_instream() 4@66@02/09/ :21:50:464@Transport@A@-->TN3270 : <. 0> 4@67@02/09/ :21:50:464@Transport@A@ High = FF20FF 4@68@02/09/ :21:50:464@Transport@A@ Low = FAE1F0 4@69@02/09/ :21:50:464@Transport@A@Receive_data count is 6, TN3270 ::receive_data() 4@70@02/09/ :21:50:464@Transport@A@<--TN3270 : Process_SB_STARTTLS_FOLLOWS()TN3270 Start SSL to secure the Telnet Socket 4@71@02/09/ :21:50:464@Transport@A@---TN3270 : securesocket() start SSL on existing NT connection 4@72@02/09/ :21:50:945@Transport@A@---TN3270 : securesocket() SSL socket created. 6@2@02/09/ :21:50:955@null@A@ECL0005: A SSL connection has been established with host " " using encryption suite SSL_RSA_WITH_RC4_128_SHA. 4@73@02/09/ :21:50:965@Transport@A@---TN3270 : execute() Exit. 4@74@02/09/ :21:51:005@Transport@A@---TN3270 : execute() Entry. 4@75@02/09/ :21:51:005@Transport@A@-->TN3270 : Outbound Data Received: length = 3, TN3270 ::read_instream() 4@76@02/09/ :21:51:005@Transport@A@-->TN3270 : <. > 4@77@02/09/ :21:51:005@Transport@A@ High = FF2 4@78@02/09/ :21:51:005@Transport@A@ Low = FD8 4@79@02/09/ :21:51:005@Transport@A@Receive_data count is 3, TN3270 ::receive_data() 4@80@02/09/ :21:51:005@Transport@A@-->TN3270 : Negotiate CMD = DO OPT = TN3270-E 276 IBM WebSphere Host On-Demand: Version 5 Enhancements

293 : Response CMD = WILL OPT = TN3270-E 4@82@02/09/ :21:51:005@Transport@A@<--TN3270 : Inbound Data Sent: length = 3, TN3270 ::senddata() 4@83@02/09/ :21:51:005@Transport@A@<--TN3270 : <. > 4@84@02/09/ :21:51:005@Transport@A@ High = FF2 4@85@02/09/ :21:51:005@Transport@A@ Low = FB8 4@86@02/09/ :21:51:005@Transport@A@---TN3270 : execute() Exit. 4@87@02/09/ :21:51:025@Transport@A@---TN3270 : execute() Entry. 4@88@02/09/ :21:51:025@Transport@A@-->TN3270 : Outbound Data Received: length = 7, TN3270 ::read_instream() 4@89@02/09/ :21:51:025@Transport@A@-->TN3270 : <. 0> 4@90@02/09/ :21:51:025@Transport@A@ High = FF200FF 4@91@02/09/ :21:51:025@Transport@A@ Low = FA882F0 4@92@02/09/ :21:51:025@Transport@A@Receive_data count is 7, TN3270 ::receive_data() 4@93@02/09/ :21:51:025@Transport@A@<--TN3270 : Response IAC SB TN3270E DEVICE_TYPE REQUEST 4@94@02/09/ :21:51:025@Transport@A@<--TN3270 : Inbound Data Sent: length = 19, TN3270 ::senddata() 4@95@02/09/ :21:51:025@Transport@A@<--TN3270 : <....(. 0> 4@96@02/09/ :21:51:025@Transport@A@ High = FF FF 4@97@02/09/ :21:51:025@Transport@A@ Low = FA82792DD3278D3D5F0 4@98@02/09/ :21:51:025@Transport@A@---TN3270 : execute() Exit. 4@99@02/09/ :21:51:045@Transport@A@---TN3270 : execute() Entry. 4@100@02/09/ :21:51:045@Transport@A@-->TN3270 : Outbound Data Received: length = 28, TN3270 ::read_instream() 4@101@02/09/ :21:51:045@Transport@A@-->TN3270 : <...(...+ 0> 4@102@02/09/ :21:51:045@Transport@A@ High = FF FF 4@103@02/09/ :21:51:045@Transport@A@ Low = FA82492DD3278D3D E01F0 4@104@02/09/ :21:51:045@Transport@A@Receive_data count is 28, TN3270 ::receive_data() 4@105@02/09/ :21:51:055@Transport@A@<--TN3270 : Response IAC SB TN3270E FUNCTIONS REQUEST 4@106@02/09/ :21:51:055@Transport@A@<--TN3270 : Inbound Data Sent: length = 10, TN3270 ::senddata() 4@107@02/09/ :21:51:055@Transport@A@<--TN3270 : <.. 0> 4@108@02/09/ :21:51:055@Transport@A@ High = FF200000FF 4@109@02/09/ :21:51:055@Transport@A@ Low = FA837024F0 4@110@02/09/ :21:51:055@Transport@A@---TN3270 : execute() Exit. 4@111@02/09/ :21:51:085@Transport@A@---TN3270 : execute() Entry. 4@112@02/09/ :21:51:085@Transport@A@-->TN3270 : Outbound Data Received: length = 10, TN3270 ::read_instream() 4@113@02/09/ :21:51:085@Transport@A@-->TN3270 : <. 0> 4@114@02/09/ :21:51:085@Transport@A@ High = FF200000FF Appendix C. Problem determination 277

294 Low = FA834024F0 4@116@02/09/ :21:51:085@Transport@A@Receive_data count is 10, TN3270 ::receive_data() 4@117@02/09/ :21:51:085@Transport@A@<--TN3270 : Response IAC SB TN3270E FUNCTION IS 4@118@02/09/ :21:51:115@Transport@A@---TN3270E: execute() Exit. 4@119@02/09/ :21:51:206@Transport@A@---TN3270E: execute() Entry. 4@120@02/09/ :21:51:206@Transport@A@-->TN3270E: Outbound Data Received: length = 42, TN3270E::read_instream() 4@121@02/09/ :21:51:206@Transport@A@-->TN3270E: < j.. dg8.. & = TELNET.> 4@122@02/09/ :21:51:206@Transport@A@ High = F ECDDCE0FE 4@123@02/09/ :21:51:206@Transport@A@ Low = E FF 4@124@02/09/ :21:51:206@Transport@A@Receive_data count is 42, TN3270E::receive_data() 4@125@02/09/ :21:51:206@Transport@A@---TN3270: Using Bind Screen size type x7e. 4@126@02/09/ :21:51:206@Transport@A@--->TN3270E: EOR command detected at position 41 4@127@02/09/ :21:51:216@Transport@A@-->TN3270E: EOR keyboard unlock performed. 4@128@02/09/ :21:51:216@Transport@A@---TN3270E: execute() Exit. 4@129@02/09/ :21:51:226@Transport@A@---TN3270E: execute() Entry. 4@130@02/09/ :21:51:226@Transport@A@-->TN3270E: Outbound Data Received: length = 661, TN3270E::read_instream() 4@131@02/09/ :21:51:226@Transport@A@-->TN3270E: < B. MSG10 OE/390 (03) A&Raleigh - International Technical Support Organi> 4@132@02/09/ :21:51:226@Transport@A@ High = C17144DECFF4DC6FFF44FF51C5D C9A8998A899894E EA9999A4D @133@02/09/ :21:51:226@Transport@A@ Low = D D03D @134@02/09/ :21:51:226@Transport@A@-->TN3270E: <zation - ITSO - ITSO1 B1System OE/390 (03) C2.IEnter:.& > 4@135@02/09/ :21:51:226@Transport@A@ High = A8A899464CEED464CEEDF1CFEAAA894DC6FFF44FF51CF414CC9A @136@02/09/ :21:51:226@Transport@A@ Low = D03D13201A955359A1A0D @137@02/09/ :21:51:226@Transport@A@-->TN3270E: <.R <ZTSO03 userid - TSO on MVS03 (9TSO28 userid - TSO > 4@138@02/09/ :21:51:226@Transport@A@ High = D414EEEDFF4AA89CC464EED4994DEEFF14FEEDFF4AA89CC464EED4 4@139@02/09/ :21:51:226@Transport@A@ Low = D01B901C D IBM WebSphere Host On-Demand: Version 5 Enhancements

295 <on MVS28 ITSO39 userid - TSO on MVS39 &RCICS - TCP/IP CICS on MVS18 JZN> 4@141@02/09/ :21:51:226@Transport@A@ High = 994DEEFF14CEEDFF4AA89CC464EED4994DEEFF15DCCCE ECD6CD4CCCE4994DEEFF1DED 4@142@02/09/ :21:51:226@Transport@A@ Low = F @143@02/09/ :21:51:226@Transport@A@-->TN3270E: <VAS20 - NetView Access on MVS20 K9IMS - TCP/IP IMS on MVS18 MISYS> 4@144@02/09/ :21:51:226@Transport@A@ High = ECEFF D8AE88A4C888AA4994DEEFF1DFCDE ECD6CD4CDE4994DEEFF1DCEEE 4@145@02/09/ :21:51:226@Transport@A@ Low = @146@02/09/ :21:51:226@Transport@A@-->TN3270E: <6 - RALYDPD6 NR O- Your IP Address: PLYour Telnet Po> 4@147@02/09/ :21:51:226@Transport@A@ High = F DCDECDCF1DD41D6E9A94CD4C8898AA744444F4FF4FFF4FFF4441DDE9A94E8998A4D9 4@148@02/09/ :21:51:226@Transport@A@ Low = A000009B24B105B @149@02/09/ :21:51:236@Transport@A@-->TN3270E: <rt: P Q;-----L> 4@150@02/09/ :21:51:236@Transport@A@ High = 9A744FFFFF DF D566666D 4@151@02/09/ :21:51:236@Transport@A@ Low = 93A E @152@02/09/ :21:51:236@Transport@A@-->TN3270E: <ast Command: R LU: RA03TN01 Sense Code: R3Date: 02/0> 4@153@02/09/ :21:51:236@Transport@A@ High = 8AA4C D4DE74DCFFEDFF E89A84C DFC8A874FF6F 4@154@02/09/ :21:51:236@Transport@A@ Low = A A A A @155@02/09/ :21:51:236@Transport@A@-->TN3270E: <9/01 Time: 17:20:59.> 4@156@02/09/ :21:51:236@Transport@A@ High = F6FF4E89874FF7FF7FFFE 4@157@02/09/ :21:51:236@Transport@A@ Low = A017A20A59FF 4@158@02/09/ :21:51:236@Transport@A@Receive_data count is 661, TN3270E::receive_data() 4@159@02/09/ :21:51:246@Transport@A@--->TN3270E: EOR command detected at position 660 4@160@02/09/ :21:51:306@Transport@A@---TN3270E: execute() Exit. 4@161@02/09/ :21:53:369@Transport@A@---TN3270E: execute() Entry. 4@162@02/09/ :21:54:070@Transport@A@---TN3270E: execute() Exit- InterruptedIOException. 4@163@02/09/ :21:56:073@Transport@A@---TN3270E: execute() Entry. 4@164@02/09/ :21:56:283@Transport@A@---TN3270E: execute() Exit- InterruptedIOException. 4@165@02/09/ :21:58:286@Transport@A@---TN3270E: execute() Entry. Appendix C. Problem determination 279

296 C.3.2 Unsuccessful negotiation : open() processing started. 4@298@08/21/ :41:56:240@Transport@B@---TN3270 : DNS randomize host name = NcOd149, TN3270 ::tel_init() 4@299@08/21/ :41:56:240@Transport@B@---TN3270 : initialize() non-ssl socket created. 4@300@08/21/ :41:56:460@Transport@B@---TN3270 : Connected to ncod149, port = 23, TN3270 ::tel_init() 4@301@08/21/ :41:56:620@Transport@B@-->TN3270 : Outbound Data Received: length = 3, TN3270 ::read_instream() 4@302@08/21/ :41:56:620@Transport@B@-->TN3270 : <. > 4@303@08/21/ :41:56:620@Transport@B@ High = FF1 4@304@08/21/ :41:56:620@Transport@B@ Low = FD8 4@305@08/21/ :41:56:620@Transport@B@Receive_data count is 3, TN3270 ::receive_data() 4@306@08/21/ :41:56:620@Transport@B@<--TN3270 : Response CMD = WILL OPT = STARTTLS 4@307@08/21/ :41:56:620@Transport@B@<--TN3270 : Inbound Data Sent: length = 3, TN3270 ::senddata() 4@308@08/21/ :41:56:620@Transport@B@<--TN3270 : <. > 4@309@08/21/ :41:56:620@Transport@B@ High = FF2 4@310@08/21/ :41:56:620@Transport@B@ Low = FBE 4@311@08/21/ :41:56:680@Transport@B@-->TN3270 : Negotiate CMD = DO OPT = TERMINAL TYPE 4@312@08/21/ :41:56:680@Transport@B@<--TN3270 : Response CMD = WILL OPT = TERMINAL TYPE 4@313@08/21/ :41:56:680@Transport@B@<--TN3270 : Inbound Data Sent: length = 3, TN3270 ::senddata() 4@314@08/21/ :41:56:680@Transport@B@<--TN3270 : <. > 4@315@08/21/ :41:56:680@Transport@B@ High = FF1 4@316@08/21/ :41:56:680@Transport@B@ Low = FB8 4@317@08/21/ :41:56:680@Transport@B@---TN3270 : execute() Exit. 4@318@08/21/ :41:56:900@Transport@B@-->TN3270 : Outbound Data Received: length = 6, TN3270 ::read_instream() 4@319@08/21/ :41:56:900@Transport@B@-->TN3270 : <. 0> 4@320@08/21/ :41:56:900@Transport@B@ High = FF10FF 4@321@08/21/ :41:56:900@Transport@B@ Low = FA81F0 4@322@08/21/ :41:56:900@Transport@B@Receive_data count is 6, TN3270 ::receive_data() 4@323@08/21/ :41:56:900@Transport@B@<--TN3270 : Response IAC SB TERMINAL_TYPE IS IBM E IAC SE 4@324@08/21/ :41:56:900@Transport@B@<--TN3270 : Inbound Data Sent: length = 18, TN3270 ::senddata() 4@325@08/21/ :41:56:900@Transport@B@<--TN3270 : <...(. 0> 280 IBM WebSphere Host On-Demand: Version 5 Enhancements

297 High = FF FF 4@327@08/21/ :41:56:900@Transport@B@ Low = FA8092DD3278D2D5F0 4@328@08/21/ :41:56:900@Transport@B@---TN3270 : execute() Exit. 4@329@08/21/ :41:57:010@Transport@B@-->TN3270 : Outbound Data Received: length = 3, TN3270 ::read_instream() 4@330@08/21/ :41:57:010@Transport@B@-->TN3270 : <. > 4@331@08/21/ :41:57:010@Transport@B@ High = FF2 4@332@08/21/ :41:57:010@Transport@B@ Low = FD8 4@333@08/21/ :41:57:010@Transport@B@Receive_data count is 3, TN3270 ::receive_data() 4@334@08/21/ :41:57:010@Transport@B@-->TN3270 : Negotiate CMD = DO OPT = TN3270-E 4@335@08/21/ :41:57:010@Transport@B@<--TN3270 : Response CMD = WILL OPT = TN3270-E 4@336@08/21/ :41:57:010@Transport@B@<--TN3270 : Inbound Data Sent: length = 3, TN3270 ::senddata() 4@337@08/21/ :41:57:010@Transport@B@<--TN3270 : <. > 4@338@08/21/ :41:57:010@Transport@B@ High = FF2 4@339@08/21/ :41:57:010@Transport@B@ Low = FB8 4@340@08/21/ :41:57:010@Transport@B@---TN3270 : execute() Exit. 4@341@08/21/ :41:57:060@Transport@B@-->TN3270 : Outbound Data Received: length = 7, TN3270 ::read_instream() 4@342@08/21/ :41:57:060@Transport@B@-->TN3270 : <. 0> 4@343@08/21/ :41:57:060@Transport@B@ High = FF200FF 4@344@08/21/ :41:57:060@Transport@B@ Low = FA882F0 4@345@08/21/ :41:57:060@Transport@B@Receive_data count is 7, TN3270 ::receive_data() 4@346@08/21/ :41:57:060@Transport@B@<--TN3270 : Response IAC SB TN3270E DEVICE_TYPE REQUEST 4@347@08/21/ :41:57:060@Transport@B@<--TN3270 : Inbound Data Sent: length = 19, TN3270 ::senddata() 4@348@08/21/ :41:57:060@Transport@B@<--TN3270 : <....(. 0> 4@349@08/21/ :41:57:060@Transport@B@ High = FF FF 4@350@08/21/ :41:57:060@Transport@B@ Low = FA82792DD3278D2D5F0 4@351@08/21/ :41:57:060@Transport@B@---TN3270 : execute() Exit. 4@352@08/21/ :41:57:060@Transport@B@-->TN3270 : Outbound Data Received: length = 26, TN3270 ::read_instream() 4@353@08/21/ :41:57:060@Transport@B@-->TN3270 : <...(. +. 0> 4@354@08/21/ :41:57:060@Transport@B@ High = FF FF 4@355@08/21/ :41:57:060@Transport@B@ Low = FA82492DD3278D2D51EF6035F0 4@356@08/21/ :41:57:060@Transport@B@Receive_data count is 26, TN3270 ::receive_data() 4@357@08/21/ :41:57:060@Transport@B@<--TN3270 : Response IAC SB TN3270E FUNCTIONS REQUEST Appendix C. Problem determination 281

298 : Inbound Data Sent: length = 10, TN3270 ::senddata() 4@359@08/21/ :41:57:060@Transport@B@<--TN3270 : <.. 0> 4@360@08/21/ :41:57:060@Transport@B@ High = FF200000FF 4@361@08/21/ :41:57:060@Transport@B@ Low = FA837024F0 4@362@08/21/ :41:57:120@Transport@B@---TN3270 : execute() Exit. 4@363@08/21/ :41:57:170@Transport@B@-->TN3270 : Outbound Data Received: length = 10, TN3270 ::read_instream() 4@364@08/21/ :41:57:170@Transport@B@-->TN3270 : <. 0> 4@365@08/21/ :41:57:170@Transport@B@ High = FF200000FF 4@366@08/21/ :41:57:170@Transport@B@ Low = FA834024F0 4@367@08/21/ :41:57:170@Transport@B@Receive_data count is 10, TN3270 ::receive_data() 4@368@08/21/ :41:57:170@Transport@B@<--TN3270 : Response IAC SB TN3270E FUNCTION IS 6@4@08/21/ :41:57:170@Host Access Class Library@null@err@ECL0037: Server ncod149:23 does not support Telnet-negotiated security. 4@369@08/21/ :41:57:170@Transport@B@---TN3270 : syncterminate() Entry. 4@370@08/21/ :41:57:170@Transport@B@---TN3270 : Begin session termination., TN3270 ::tel_disc() 4@371@08/21/ :41:57:170@Transport@B@---TN3270 : execute() Exit. C.4 Additional AS/400-related Web pages The following are useful AS/400 Web sites: C.5 IBM Screen Customizer troubleshooting Below are some common Screen Customizer troubleshooting procedures. C.5.1 Light-pen mode problems If the user says that light-pen mode is not working, then you need to get a Level 3 HACL transport trace. Many times, IBM Screen Customizer will render fields that fit the light-pen description, but were never shown this way before. 282 IBM WebSphere Host On-Demand: Version 5 Enhancements

299 C.5.2 Template problems If the template doesn t appear after creating sc_global.tpl, the user probably did not restart the Administrative session after creating the global template. If scroll bars show up around the host area inside the template, then the host area in the template is probably too small to contain the screen. To resolve the problem edit the template in the Studio and enlarge the host area, either by using snap-to or by dragging one of the corners. If the wrong or no template appears, then the probable cause is likely one of the following: a. If in the Administrator, the administrator may be configured to override the template, then test and view with a different template. b. The map may be configured to ignore part or all of the template. In the studio select Screen -> Template options -> Show with global template. c. The template name may be incorrect or not in the custom/map folder, and IBM Screen Customizer is using the next template in the hierarchy. Check the name and location and fix it. d. The HTML may be overriding the sc_global.tpl template. Edit the HTML and remove the template tag. If the keys remapped in template are not effective at runtime, then the keys have been overridden by a map. Unmap the keys in the map to make the template settings take effect, or accept the overrides. Appendix C. Problem determination 283

300 284 IBM WebSphere Host On-Demand: Version 5 Enhancements

301 Appendix D. Special notices This publication is intended to help customers, business partners, and IBM personnel to install, administer, and use Host On-Demand Version 5 and IBM Screen Customizer. The information in this publication is not intended as the specification of any programming interfaces that are provided by IBM WebSphere Host On-Demand or IBM Screen Customizer. See the PUBLICATIONS section of the IBM Programming Announcement for IBM WebSphere Host On-Demand and IBM Screen Customizer for more information about what publications are considered to be product documentation. References in this publication to IBM products, programs or services do not imply that IBM intends to make these available in all countries in which IBM operates. Any reference to an IBM product, program, or service is not intended to state or imply that only IBM's product, program, or service may be used. Any functionally equivalent program that does not infringe any of IBM's intellectual property rights may be used instead of the IBM product, program or service. Information in this book was developed in conjunction with use of the equipment specified, and is limited in application to those specific hardware and software products and levels. IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to the IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact IBM Corporation, Dept. 600A, Mail Drop 1329, Somers, NY USA. Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee. The information contained in this document has not been submitted to any formal IBM test and is distributed AS IS. The use of this information or the implementation of any of these techniques is a customer responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. While each item may have been Copyright IBM Corp

302 reviewed by IBM for accuracy in a specific situation, there is no guarantee that the same or similar results will be obtained elsewhere. Customers attempting to adapt these techniques to their own environments do so at their own risk. Any pointers in this publication to external Web sites are provided for convenience only and do not in any manner serve as an endorsement of these Web sites. The following terms are trademarks of the International Business Machines Corporation in the United States and/or other countries: e (logo) IBM WebSphere AIX AS/400 CICS DB2 Netfinity Network Station Operating System/2 OS/2 OS/390 OS/400 RACF RS/6000 S/390 SecureWay Redbooks Redbooks Logo SP SP1 System/390 VTAM WebSphere Wizard XT 400 Lotus Approach Lotus Notes Domino Notes The following terms are trademarks of other companies: Tivoli, Manage. Anything. Anywhere.,The Power To Manage., Anything. Anywhere.,TME, NetView, Cross-Site, Tivoli Ready, Tivoli Certified, Planet Tivoli, and Tivoli Enterprise are trademarks or registered trademarks of Tivoli Systems Inc., an IBM company, in the United States, other countries, or both. In Denmark, Tivoli is a trademark licensed from Kjøbenhavns Sommer - Tivoli A/S. C-bus is a trademark of Corollary, Inc. in the United States and/or other countries. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and/or other countries. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of 286 IBM WebSphere Host On-Demand: Version 5 Enhancements

303 Microsoft Corporation in the United States and/or other countries. PC Direct is a trademark of Ziff Communications Company in the United States and/or other countries and is used by IBM Corporation under license. ActionMedia, LANDesk, MMX, Pentium and ProShare are trademarks of Intel Corporation in the United States and/or other countries. UNIX is a registered trademark in the United States and other countries licensed exclusively through The Open Group. SET, SET Secure Electronic Transaction, and the SET Logo are trademarks owned by SET Secure Electronic Transaction LLC. Other company, product, and service names may be trademarks or service marks of others. Appendix D. Special notices 287

304 288 IBM WebSphere Host On-Demand: Version 5 Enhancements

305 Appendix E. Related publications The publications listed in this section are considered particularly suitable for a more detailed discussion of the topics covered in this redbook. E.1 IBM Redbooks For information on ordering these publications see How to get IBM Redbooks on page 293. IBM SecureWay Host On-Demand 4.0: Enterprise Communications in the Era of Network Computing, SG IBM Host Integration: A Practical Approach to Performance Planning, SG Building Integration Objects with IBM SecureWay Host Publisher Version 2.1, SG Safe Surfing: How to Build a Secure WWW Connection, SG Protect and Survive Using the IBM Firewall 3.1 for AIX, SG A Comprehensive Guide to Virtual Private Networks, Volume I: IBM Firewall, Server and Client Solutions, SG The Domino Defense: Security in Lotus Notes 4.5 and the Internet, SG Enterprise-Wide Security Architecture and Solutions Presentation Guide, SG Understanding LDAP, SG LDAP Implementation Cookbook, SG OS/390 Security Server 1999 Updates: Installation Guide, SG E.2 IBM Redbooks collections Redbooks are also available on the following CD-ROMs. Click the CD-ROMs button at ibm.com/redbooks for information about all the CD-ROMs offered, updates and formats. CD-ROM Title Collection Kit Number IBM System/390 Redbooks Collection SK2T-2177 IBM Networking Redbooks Collection SK2T-6022 IBM Transaction Processing and Data Management Redbooks Collection SK2T-8038 IBM Lotus Redbooks Collection SK2T-8039 Copyright IBM Corp

306 CD-ROM Title Tivoli Redbooks Collection IBM AS/400 Redbooks Collection IBM Netfinity Hardware and Software Redbooks Collection IBM RS/6000 Redbooks Collection IBM Application Development Redbooks Collection IBM Enterprise Storage and Systems Management Solutions Collection Kit Number SK2T-8044 SK2T-2849 SK2T-8046 SK2T-8043 SK2T-8037 SK3T-3694 E.3 Other resources This publication is also relevant as a further information source: OS/390 Security Server (RACF) Macros and Interfaces, SC E.4 Referenced Web sites These Web sites are also relevant as further information sources: ftp://ftp.software.ibm.com/software/network/library/whitepapers/elf.pdf Setting up and Using the IBM Express Logon Feature IBM Screen Customizer Library IBM Host On-Demand home page IBM Host On-Demand Downloads IBM Software Support Bulletin subscription IBM Host On-Demand software download IBM Host On-Demand support IBM Java home ftp://ftp.hursley.ibm.com/pub/java IBM Java download site IBM AS/400 Online documents 290 IBM WebSphere Host On-Demand: Version 5 Enhancements

307 AS/400 Technical Support Troubleshooting AS/400 SSL-enabled Telnet Server AS/400 TCP/IP reference information AS/400 Technical Support home page AS/400 Toolbox for Java and JTOpen Novell Developers Host On-Demand online library IETF Internet-Draft TLS-based Telnet Security IETF Standards Track RFC 2246 "The TLS Protocol 1.0" Appendix E. Related publications 291

308 292 IBM WebSphere Host On-Demand: Version 5 Enhancements

309 How to get IBM Redbooks This section explains how both customers and IBM employees can find out about IBM Redbooks, redpieces, and CD-ROMs. A form for ordering books and CD-ROMs by fax or is also provided. Redbooks Web Site ibm.com/redbooks Search for, view, download, or order hardcopy/cd-rom Redbooks from the Redbooks Web site. Also read redpieces and download additional materials (code samples or diskette/cd-rom images) from this Redbooks site. Redpieces are Redbooks in progress; not all Redbooks become redpieces and sometimes just a few chapters will be published this way. The intent is to get the information out much quicker than the formal publishing process allows. Orders Send orders by including information from the IBM Redbooks fax order form to: In United States or Canada Outside North America Telephone Orders United States (toll free) Canada (toll free) Outside North America Fax Orders United States (toll free) Canada Outside North America address [email protected] Contact information is in the How to Order section at this site: IBM-4YOU Country coordinator phone number is in the How to Order section at this site: Fax phone number is in the How to Order section at this site: This information was current at the time of publication, but is continually subject to change. The latest information may be found at the Redbooks Web site. IBM Intranet for Employees IBM employees may register for information on workshops, residencies, and Redbooks by accessing the IBM Intranet Web site at and clicking the ITSO Mailing List button. Look in the Materials repository for workshops, presentations, papers, and Web pages developed and written by the ITSO technical professionals; click the Additional Materials button. Employees may access MyNews at for redbook, residency, and workshop announcements. Copyright IBM Corp

310 IBM Redbooks fax order form Please send me the following: Title Order Number Quantity First name Last name Company Address City Postal code Country Telephone number Telefax number VAT number Invoice to customer number Credit card number Credit card expiration date Card issued to Signature We accept American Express, Diners, Eurocard, Master Card, and Visa. Payment by credit card not available in all countries. Signature mandatory for credit card payment. 294 IBM WebSphere Host On-Demand: Version 5 Enhancements

311 Abbreviations and acronyms AIX APAR API AWT CAB CCI CICS DASD Advanced Interactive Executive Authorized Program Analysis Report Application Programming Interface Abstract Window Toolkit API Cabinet Custom Component Interface Customer Information Control System Direct Access Storage Device ITSO JAR JDBC JDK JNI JVM JRE LU LUM NMI MVS International Technical Support Organization Java Archive Java Database Control Java Development Kit Java Native Interface Java Virtual Machine Java Runtime Environment logical unit License Usage Management Native Method Interface Multiple Virtual System DCAS DMZ ELF ENPTUI GMT GUI IBM HACL HTML HTTP HTTPS Digital Certificate Access Server demilitarized zone Enhanced Logon Facility Enhanced non-programmable terminal user interface Greenwich Mean Time Graphical User Interface International Business Machines Corporation Host Access Class Library Hypertext Markup Language Hypertext Transfer Protocol Hypertext Transfer Protocol Secure NFS OHIO OIA OS/2 PDT PKI PTKTDATA RACF SCCI SLP SMB SNA SSL Network File System Open Host Integration operator information area Operating System/2 Printer Definition Table public key Infrastructure PassTicket Data Class Profile Resource Access Control Facility Screen Customizer Component Interface Service Location Protocol System Message Block Systems Network Architecture Secure Sockets Layer IT information technology Copyright IBM Corp

312 TLS TSO URL USS VT VTAM WAN WAS Transport Layer Security Time Sharing Option Universal Resource Locator UNIX System Services Virtual Terminal Virtual Telecommunications Access Method Wide Area Network WebSphere Application Server 296 IBM WebSphere Host On-Demand: Version 5 Enhancements

313 Index Symbols $PSS.WD$ 172, 178, 179 $USR.ID$ 172, 177, 179 Numerics 3270 and 5250 host print, See host print 3270 host graphics 3 A ActiveX 3 AIX 6, 15, 16, 17, 33, 106 anonymous user 243, 253 answer back message 9 applet window size 114 application ID 171, 172, 175, 176 application name 173 AS/400 15, 17, 242 AS/400 file transfer 4 AS/400 proxy server 6 Automatic installation AIX 4 B bell command 9 blink attribute 4, 7 bookmark 117, 131, 133 default text 117 browsers supported 20 C cached client 4, 5, 49, 52, 107, 108, 112, 118, 119, 120, 121, 122, 123, 128, 131, 136, 241, 245 componentization 49 initial installation 51 size 49 upgrade 121 Caldera 16 cfgx.cf 136, 137 client authentication 5, 169, 171, 174, 180 client certificate 167, 169, 171, 174 code page 8 color remap 2, 4, 7 color settings 126 Communications Server AIX 180 OS/2 180 OS/ , 172 Windows NT and Windows , 183 componentization 49, 241 config.properties 159 ConfigServer 162, 164 ConfigServerPort 164 ConfigServerURL 159 configuration files 124, 134 configuration port 128 configuration server 105, 107, 108, 109, 110, 112, 116, 118, 119, 123, 124, 128, 129, 132, 133, 136 configuration servlet 4, 7, 109, 149, 152, 153, 154, 155, 157 HTTPS 151, 160, 161, 163 implementation scenarios 165 load balancing 165 native authentication 166 installation 32 problem determination 166 servlet name 154 copy, cut and paste 2 copying an existing session 125 create a new session 125 D Database On-Demand 2, 6 Database On-Demand proxy 4 DCAS 169, 170, 172, 180, 181, 183 DCAS_ID 182 DCAS_ID_TYPE 182 debug cached client installation 120 default GUI 9 default servlet engine 150, 162, 163, 164 define host sessions 124 deployment strategy 237, 240, 253 user community 238 Extranet users 238 Internet users 238 Intranet users 238 Deployment Wizard 4, 5, 31, 105, 168, 170, 239, 240, 243, 244, 245, 250, 251, 253 files created 131 tips and hints 136 DES 173 dial-in 245, 253 Copyright IBM Corp

314 digital certificate 1, 169, 171 Digital Certificate Access Server, See DCAS disable functions 4, 5 display sessions as a grid of buttons 114 display sessions as client icons 114 DMZ 238, 242 download client 107, 128, 245 downloaded on demand 115 E EBCDIC 137 ELF, See express logon enabled and disabled connection functions 127 ENPTUI 4, 8 express logon 4, 5, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 252 macro 167, 168, 171, 172, 173, 174, 175, 176, 177, 178, 179 requirements Communications Server 169, 170 support 183 TN3270 server 167, 168, 169, 171, 172, 174, 178, 180, 182, 183 tutorial and examples 180 Express Logon Feature, See express logon F file transfer 2, 137 FileSelectorPanel.version 137 firewall 3, 7, 109, 149, 165 FTP 137, 138 G Gnome 17 H HACL 3, 8, 237 handling upgrades 121 Hindi 8 history window 9 HLLAPI - HACL bridge 3, 4 HODData subdirectory 134 Horizontal Tab 9 Host Access Beans 3, 52 Host Access Class Library 52 Host Access Class Library, See HACL host print 2, 6 HP-UX 16 HTTP(S) 7 HTTPS 242 hybrid user 244 I IBM CICS Java Gateway 1 IBM Domino Go Web Server 32, 34 IBM Network Station 243 IBM Personal Communications Manager 8, 9, 253 IBM Screen Customizer 251, 252 IBM WebSphere Application Server 32, 34 import/export 3 IMS 170 inquiry message 9 installation 31 AIX 33 automated 5, 33 IBM Domino Go Web Server 34 IBM WebSphere Application Server 34 Lotus Domino Go Web Server 34 Service Manager port 34 silent installation 34 configuration servlet 32 Windows 31 automated 31 Deployment Wizard 31 InstallShield 31 Service Manager port 31 silent mode 31, 32 installation CD 105, 130 installation location 120 Internet Service Delivery 16 J JAR /CAB files 49, 51 Java 2 4, 8 Java Beans 8 Java Database Connectivity, See JDBC JDBC 2 K keyboard accessibility 8 keyboard remap 2, 4, 6, 52, IBM WebSphere Host On-Demand: Version 5 Enhancements

315 L LDAP 3, 165, 166, 241 license use management 8, 128 light-pen 9 Linux 4 locally installed client 3 logon options 110, 111 Lotus Domino Go Web Server 32, 34, 165 M macro 3, 126, 174 maintain case 137 maximum concurrent sessions 115 MODEL (5250) 6, 189, 190, 191, 194 multiple session icon 4, 7 MVS 137, 252, 253 N native authentication 4, 6, 241, 243, 253 Node Operations 183 non-cached client 112 non-registered user 241 Novell 15, 16, 17 O OHIO 3 Open Host Interface Objects, See OHIO OS/2 Warp 15, 16, 17 OS/390 6, 15, 16, 17, 106, 137, 165, 166, 167, 169, 175, 180, 238, 240, 242, 243, 253 OS/400 16, 242 P packaging 15 page title and summary 116 params.txt 131, 134, 137 PassTicket 167, 169, 170, 172, 173, 178 PDT (3270) 6, 189, 190, 191, 194 percentage upgrade option 122 permissions 137 Personal Communications Manager, See IBM Personal Communications Manager Platform support 16 AIX 16 Caldera 16 HP-UX 16 Novell NetWare 16 OS/2 Warp 16 OS/ OS/ Sun Solaris 16 SuSE 16 TurboLinux 17 Unixware 17 Windows 16 Windows Terminal Server 17 policies 131 policy configuration 126 policy.obj 131 preload configuration 115 preloads.obj 132, 134 print screen 3 printer support 9 problem determination 113 progress indicator 120 PTKTDATA profile 169 R RACF 166, 167, 169, 170, 171, 172, 173, 174, 175, 176, 243, 252 random number 122 record macros 106 Red Hat 4 Redirector 174, 181 registered user 239, 240, 241, 243, 244 requirements AIX 17 AS/ Novell 17 OS/2 17 OS/ UNIX 17 Windows 17 reverse screen mode 9 RFC S Screen Customizer 9, 252 Secure Sockets Layer, See SSL Security 242 Service Location Protocol 3 Service Manager 128 Service Manager port 7 session 2-type 105 session menu 8 299

316 session security 3 session1.html 105, 244 session2.html 105 setupwin.exe 106 size and placement of session window 126 SNA Node Configuration program 183 snaadmin 181, 182 Software Support Bulletin 16 SSL 1, 3, 5, 6, 115, 169, 171, 172, 174, 180, 186, 242 status bar 9 Sun Solaris 16 SuSE 16 T Telnet redirection, See Redirector Telnet-negotiated security 4, 7, 185, 186, 253 IETF Internet draft 186 session negotiation 187 tips and hints 136 Tivoli NetView for OS/ TLS-based Telnet security, See Telnet-negotiated security TN3270 server 180 express logon 167, 168, 169, 171, 172, 174, 178, 180, 182, 183 TN3270E 1 TN toolkit 4, 15 TSO 169, 170 TurboLinux 17 VTAM 176, 177 W Web server 136 WebSphere Application Server 109 welcome window 108 Windows 15, 16, 17 Windows , 242 Windows NT 6, 241, 242, 243 Windows Terminal Server 17 winfo.txt 131, 135, 136 X X.509 certificate, See client certificate and digital certificate xsnaadmin 180, 181 Z zip file 130, 131, 136 U UNIX 15, 17, 137, 241, 242 Unixware 17 unzip 130 upgrade options 122 background 122 foreground 122 prompt user 122 USSMSG10 176, 177 V VPN 239 VT Do 9 VT print 194 VT52/100/ IBM WebSphere Host On-Demand: Version 5 Enhancements

317 IBM Redbooks review Your feedback is valued by the Redbook authors. In particular we are interested in situations where a Redbook "made the difference" in a task or problem you encountered. Using one of the following methods, please review the Redbook, addressing value, subject matter, structure, depth and quality as appropriate. Use the online Contact us review redbook form found at ibm.com/redbooks Fax this form to: USA International Access Code Send your comments in an Internet note to [email protected] Document Number Redbook Title SG IBM WebSphere Host On-Demand: Version 5 Enhancements Review What other subjects would you like to see IBM Redbooks address? Please rate your overall satisfaction: Please identify yourself as belonging to one of the following groups: Your address: The data you provide here may be used to provide you with information from IBM or our business partners about our products, services or activities. Questions about IBM s privacy policy? O Very Good O Good O Average O Poor O Customer O Business Partner O Solution Developer O IBM, Lotus or Tivoli Employee O None of the above O Please do not use the information collected here for future marketing or promotional contacts or other communications beyond the scope of this transaction. The following link explains how we protect your personal information. ibm.com/privacy/yourprivacy/ Copyright IBM Corp

318

319 IBM WebSphere Host On-Demand: Version 5 Enhancements (0.5 spine) <->0.875

320

321

322 IBM WebSphere Host On-Demand: Version 5 Enhancements Smaller and smarter clients, enhanced administration and security options Screen Customizer Version 2 with new programming API Programming Toolkit support for Java 1.2 The industry's premier Java-based emulator, IBM WebSphere Host On-Demand V5, has been enhanced to provide many new usability and manageability features. Enhancements in the client include improved client customization support for color and keyboard mappings as well as improved navigation. Host printing from Windows is made easier, while VT print passthrough is provided. AS/400 improvements abound, including support for ENPTUI, Toolbox Model 3 and AS/400 Proxy. The VT use is not forgotten. Included are VT100/200 enhancements, a VT history window and support for greater than 24 lines. Security is enhanced by providing an express logon capability using digital certificates. Major improvements in the manageability and deployment of IBM WebSphere Host On-Demand V5 are included in this release. Included is a new configurable smart client, a Deployment Wizard for creating and managing customized Web pages, the ability to disable unnecessary functions, native platform authentication, and the componentization of the clients that will allow for updating of individual functions instead of the entire product. INTERNATIONAL TECHNICAL SUPPORT ORGANIZATION BUILDING TECHNICAL INFORMATION BASED ON PRACTICAL EXPERIENCE IBM Redbooks are developed by the IBM International Technical Support Organization. Experts from IBM, Customers and Partners from around the world create timely technical information based on realistic scenarios. Specific recommendations are provided to help you implement IT solutions more effectively in your environment. For more information: ibm.com/redbooks SG ISBN