
Technical Notes

Client Certificates and Reflection for IBM
Technical Note 1757
Last Reviewed 06-Jul-2007
Applies To
Reflection for IBM 2008
Reflection Standard Suite 2008
Reflection for IBM 2007
Reflection for IBM version 11.0 through 14.x
Summary

Client certificates are NOT required to establish SSL connections using Reflection for IBM; however, if client certificates are required in your network environment, this document describes how to create and import a client certificate for use connecting to a z/OS or OS/390 mainframe using SSL and Reflection for IBM.

Important: This technical note covers only creating and configuring the client certificate. For full details on configuring your systems to allow users to connect to a z/OS or OS/390 mainframe using SSL and Reflection for IBM, see Technical Note 1744.

Adding the Client Certificate to the Internet Explorer Store

Follow the steps below to add the client certificate (which contains encrypted versions of both the public and private key) to the Internet Explorer Store.

  1. Double-click the client certificate file.

Note: The client certificate file may be a P7B, SST, P12, or PFX file.

  2. In the Certificate Import Wizard, click Next twice to access the Password dialog box.
  3. In the Password field, enter the client certificate's password (established when you created the certificate), select Enable strong private key protection, and then click Next.

Note: Enable strong private key protection is not required, but is recommended.

  4. Select Automatically select the certificate store based on the type of certificate, and then click Next.
  5. Click Next and then Finish.
  6. In the Importing a new private exchange key dialog box, click Set Security Level.
  7. Select the security level that meets your needs, and then click Next.

High security prompts for the key's password each time it is used. If you select this option, you will be prompted to create a password to protect this item. Fill in the required fields, and then click Next.

Medium does not prompt for the password, but does notify you when the key is used. Either option works with Reflection for IBM's SSL encryption.

  8. Click Finish, and you will be returned to the Importing a new private exchange key dialog box.
  9. Click OK.
  10. You will now see a pop-up box stating that "The import was successful." Click OK.

Modifying the TCP/IP Profile Dataset

The working TCP/IP profile dataset on the z/OS or OS/390 mainframe must be configured to support SSL connections and client certificates.

For details on configuring the profile dataset for SSL connections, see Technical Note 1744.

To add support for your client certificate, add one of the following parameters to the TELNETPARMS section of your host's TCPIP.PROFILE.TCPIP dataset:

CLIENTAUTH SSLCERT

or

CLIENTAUTH SAFCERT

Use CLIENTAUTH SSLCERT if you want to check for a valid certificate.

Use CLIENTAUTH SAFCERT if you want to check for a valid certificate and require that the certificate is known by RACF.

The following is a generic example of a TCPIP.PROFILE.TCPIP dataset that has been configured for SSL support and a client certificate using the CLIENTAUTH SAFCERT parameter (use this example only as a guide when configuring your dataset).

TELNETPARMS
  KEYRING HFS /u/keydb/os390r10.kdb   ; Key database 
; reference for the TCP/IP SSL connection.
  SECUREPORT 23001              ; Secure port number
  CONNTYPE SECURE
  CLIENTAUTH SAFCERT
  SSLTIMEOUT 30
  TIMEMARK 28800
  WLMCLUSTERNAME TN3270E ENDWLMCLUSTERNAME
ENDTELNETPARMS
BEGINVTAM
PORT 23 23001                   ; Add entry for secure port.
  TELNETDEVICE 3278-3-E NSX32703 
  TELNETDEVICE 3279-3-E NSX32703 
  .
  .
  .
ENDVTAM
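
To confirm that a copy of the profile actually enforces client certificates, the following Python check reports the CLIENTAUTH setting for each TELNETPARMS block that defines a SECUREPORT. It is an added example, not part of the original technical note or any Attachmate or IBM tool; the function name, the sample text (including a second block without CLIENTAUTH), and the treatment of everything after ";" as a comment are assumptions.

```python
# Constructed sample modelled on the profile shown above, plus a second
# block with no CLIENTAUTH statement to show the finding it produces.
SAMPLE_PROFILE = """\
TELNETPARMS
  KEYRING HFS /u/keydb/os390r10.kdb   ; Key database
  SECUREPORT 23001              ; Secure port number
  CONNTYPE SECURE
  CLIENTAUTH SAFCERT
ENDTELNETPARMS
TELNETPARMS
  SECUREPORT 23002
  CONNTYPE SECURE
ENDTELNETPARMS
"""

# Meaning of each CLIENTAUTH value as described in this technical note.
CHECKS = {
    "SSLCERT": "valid certificate required",
    "SAFCERT": "valid certificate required and must be known by RACF",
}

def audit_clientauth(profile_text):
    """Return one finding dict per TELNETPARMS block that defines a SECUREPORT."""
    tokens = []
    for line in profile_text.splitlines():
        # Assumption: everything after ';' on a line is a comment.
        tokens.extend(line.split(";", 1)[0].upper().split())
    findings, block = [], None
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "TELNETPARMS":
            block = {"port": None, "clientauth": None}
        elif tok == "ENDTELNETPARMS" and block is not None:
            if block["port"] is not None:  # only SSL-enabled blocks matter here
                mode = block["clientauth"]
                block["client_cert_required"] = mode in CHECKS
                block["detail"] = CHECKS.get(mode, "neither SSLCERT nor SAFCERT is set")
                findings.append(block)
            block = None
        elif block is not None and tok == "SECUREPORT" and nxt and nxt.isdigit():
            block["port"] = int(nxt)
        elif block is not None and tok == "CLIENTAUTH" and nxt:
            block["clientauth"] = nxt
    return findings

if __name__ == "__main__":
    for f in audit_clientauth(SAMPLE_PROFILE):
        print(f["port"], f["clientauth"], "-", f["detail"])
```
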

Related Technical Notes
1744 Connecting to z/OS or OS/390 Mainframe Using SSL and Reflection for IBM
