Web Express Logon Tutorial


Macro-based automation: an overview

Macro-based automation is for environments of varying host types that (1) are not using Kerberos for network authentication and (2) already have a network security application in place. As the name implies, it requires you to create a macro to perform logon automation.

Host On-Demand provides out-of-the-box support for the following three network security applications without requiring additional coding:

If you have a different network security application, you will need to create your own plug-in to work in your environment. For more information, refer to Customizing Web Express Logon.

Macro-based automation relies on the following four key components and the interactions that take place among them:

The CMS is supplied with Host On-Demand and must be deployed to a J2EE-compliant Web application server. At a high level, the CMS is responsible for the following tasks: (1) determining the client's identity (called a network ID), (2) mapping the user's network ID to the host ID, and (3) returning the host credentials to the client as an XML document.

The login macro automates the end-to-end process of the client sending the HTTPS request to the CMS, the CMS responding with the needed credentials, and the macro inserting the user's credentials in the proper fields to allow authenticated logon. You must record the login macro while you are in an active session. The macro starts when the user attempts to access the host session, either automatically or manually (depending on your configuration).

Host On-Demand provides two Network Security plug-ins, one for Tivoli Access Manager and one for Netegrity Siteminder. The Network Security plug-in does not apply to Microsoft Active Directory since the Windows login ID is used as the network ID. The primary function of the Network Security plug-in is to acquire the user's network ID, which may be gleaned from the HTTP header of the incoming HTTP request object.

The HCM database is a back-end repository that maps users' network IDs to their host IDs. This repository can be a JDBC database such as IBM DB2. The Digital Certificate Access Server (DCAS) and Vault plug-ins provided with Web Express Logon are designed to work with such a database. Another possibility for a repository is an LDAP directory. However, using LDAP as your HCM database requires you to write your own plug-in. For more information, refer to Customizing Web Express Logon.

The following graphic shows the key components discussed above and how they interact to achieve logon automation. It illustrates the overall flow of macro-based automation beginning at the point when a user attempts to open a Host On-Demand session and initiates the login macro. If the macro is not configured to auto-start, the user will need to start it manually.

  1. The end user clicks a link to the Host On-Demand desktop, which sends an HTTPS request through the network security application to the Web application server.
  2. The Web application server returns the HTTPS request and the Host On-Demand desktop displays.
  3. The user launches a host session.
  4. The login macro executes.
  5. The macro sends an HTTPS request to the CMS to obtain the host credentials.
  6. The CMS requests the user's network ID from the Network Security plug-in.
  7. The Network Security plug-in responds to the CMS with the user's network ID.
  8. The CMS passes the network ID and application ID to the HCM plug-in.
  9. Using the network and application ID, the HCM plug-in calls upon a database, such as IBM DB2, to map the user's host ID.
  10. The HCM plug-in passes the user's host ID and application ID to the host and requests a password or passticket, depending on the type of HCM database. (In this example, the CMS sends the request to DCAS, a TCP/IP server application that interfaces with RACF, a Security Access Facility (SAF)-compliant server product.)
  11. The host (RACF) identifies the client, checks the client's authorization, and returns the passticket to the HCM database.
  12. The HCM plug-in returns the host ID along with the password or passticket to the CMS.
  13. The CMS returns the host credentials to the client as an XML document.

The login macro automatically inserts the user's credentials in the logon screen fields without user intervention. Now the user is fully authenticated and can proceed with the session.
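The CMS side of steps 5 through 13 can be modelled in a few lines. The following is an added illustration, not Host On-Demand code and not its plug-in API: the header name, the XML layout, the proxy address, the HCM table and the issue_secret callback are all hypothetical. It assumes the network ID header is honoured only when the request arrived through the network security application, since a header on a direct request could be set by any client.

```python
"""Model of the CMS credential-mapping flow (steps 5-13). Added illustration only;
not Host On-Demand code. All names, the header and the XML layout are hypothetical."""
import ipaddress
from xml.sax.saxutils import escape

TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}  # constructed: security application
NETWORK_ID_HEADER = "x-network-id"                     # hypothetical header name

# Constructed HCM table: (network ID, application ID) -> host ID
HCM_TABLE = {("alice", "TSOPROD"): "ALICE01", ("bob", "TSOPROD"): "BOB<7>"}


class CredentialError(Exception):
    """Raised whenever the CMS must refuse to return host credentials."""


def network_id(peer_ip, headers):
    """Steps 6-7: accept the header only from the network security application."""
    if ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES:
        raise CredentialError("request did not arrive through the security proxy")
    values = [v for k, v in headers if k.lower() == NETWORK_ID_HEADER]
    if len(values) != 1 or not values[0].strip():
        raise CredentialError("missing or duplicated network ID header")
    return values[0].strip()


def map_host_id(net_id, app_id):
    """Steps 8-9: exact-match lookup; an unmapped user fails closed."""
    try:
        return HCM_TABLE[(net_id, app_id)]
    except KeyError:
        raise CredentialError("no host ID mapped for this user/application") from None


def credential_document(peer_ip, headers, app_id, issue_secret):
    """Steps 10-13: obtain a password or passticket and build the XML reply."""
    net_id = network_id(peer_ip, headers)
    host_id = map_host_id(net_id, app_id)
    secret = issue_secret(host_id, app_id)  # stand-in for the DCAS or Vault call
    return ("<credentials><hostId>%s</hostId><secret>%s</secret></credentials>"
            % (escape(host_id), escape(secret)))
```

Because the reply carries a host password or passticket, every failure path raises instead of returning a partial document.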

Click Next for an overview of connection-based automation.
