Connecting to z/OS Using SSL/TLS and Reflection Desktop

  • 7021499
  • 06-Jul-2007
  • 03-Jul-2018

Environment

Reflection Desktop (including Pro, or for IBM) 16.0 and higher
Reflection 2014
Reflection for IBM 2014
Reflection for IBM 2011
Reflection Standard Suite 2011

Situation

This technical note describes how to set up Reflection Desktop 16, Reflection 2014, Reflection for IBM 2014, or Reflection for IBM 2011 to connect over SSL-enabled Telnet to z/OS using a self-signed certificate.

Resolution

Considerations Before You Begin

Security for Reflection depends upon the security of the operating system, host, and network environment. We strongly recommend that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers.

The recommendations in this note are general guidelines and should be evaluated in the context of your own computing needs and environment. These general steps can also be used to configure Reflection to utilize a registered digital signature and key pair (from a certifying authority); however, it is recommended that you configure and test your SSL environment using a self-signed certificate before implementing a production certificate from a certificate authority

The Process

Setting up Reflection Desktop 16, Reflection 2014, Reflection for IBM 2014, or Reflection for IBM 2011 to connect to z/OS over SSL involves these steps:

  1. Configure the Mainframe for SSL
  2. Verify that the Mainframe is Configured to Support SSL
  3. Create a Self-Signed Certificate for the Server
  4. Transfer or Extract the Certificate
  5. Optional: Create a Client Certificate
  6. Make a Connection

Note the following:

  • Once you have fully tested the SSL/TLS support, you can repeat steps 4 and 5 using a Certificate Authority (CA) signed certificate.
  • Reflection's SSL/TLS support requires that Microsoft Internet Explorer be installed on the client machine. It need not be the primary browser, but Internet Explorer must be installed and configured to be able to manage and use the certificate.

Configure the Mainframe for SSL

The working TCP/IP profile dataset on z/OS must be configured to support SSL connections. This process varies depending on the operating system and version. For detailed setup instructions, refer to IBM publication SC31-8776, "z/OS IBM Communications Server: IP Configuration Reference" for the version of z/OS you are using at https://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss

During the configuration process, you must define a secure port and key database reference for the TCP/IP SSL connection, and add an entry to the VTAM parameters.

The following is a generic example of a PROFILE.TCPIP dataset. (Use this example only as a guide when configuring your dataset.)

TELNETPARMS
  KEYRING SAF TN3270RING          ; RACF keyring name 
  SECUREPORT 23001              ; Secure port number
  CONNTYPE SECURE
  SSLTIMEOUT 30
  TIMEMARK 28800
  WLMCLUSTERNAME TN3270E ENDWLMCLUSTERNAME
ENDTELNETPARMS
BEGINVTAM
PORT 23 23001                   ; Add entry for secure port.
  TELNETDEVICE 3278-3-E NSX32703 
  TELNETDEVICE 3279-3-E NSX32703 
  .
  .
  .
ENDVTAM

Verify that the Mainframe is Configured to Support SSL

To activate the updates to the TCP/IP profile dataset, recycle the z/OS TCP/IP stack. Once you have done this, you will be able to see that the port you have configured for the secure connections is listening.

Execute the Display Telnet PROFILE command to verify that the port is up and attached to the proper key database.

Sample display:

D TCPIP,TN3270,T,PROF,PROF=SECURE
EZZ6060I TELNET PROFILE DISPLAY 145
PERSIS FUNCTION DIA SECURITY TIMERS MISC
(LMTGCAK)(OATSKTQSWHRT)(DRF)(PCKLECXN2)(IPKPSTS)(SMLT)
------- ------------ --- --------- ------- ----
******* **TSBTQ*W*RT EC* SSS*D**** IP**STS SMD*
----- PORT: 23001 ACTIVE PROF: CURR CONNS: 0
------------------------------------------------------------
FORMAT SHORT
TCPIPJOBNAME TCPIP
TNSACONFIG DISABLED
KEYRING SAF TN3270RING

Create a Self-Signed Certificate for the Server

Security certificates (also known as server certificates, site certificates, digital certificates, or SSL certificates) are used as part of the authentication process. Certificates are either self-signed or signed by a Certificate Authority (CA).

There are numerous ways to create a self-signed server certificate, such as using the RACDCERT RACF commands, or the Gskkyman utility (which runs under UNIX System Services). Refer to IBM’s documentation for information on using these commands or utilities (https://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss)

Note the following:

  • While creating the certificate, enter the fully-qualified host name in the Common Name field of the certificate.
  • If you plan to implement client authentication, you must also create a client certificate.
  • The administrator must maintain physical security of the management server and proxy server. That is, no one other than the administrator should be able to physically access the servers, and no unauthorized individuals should be able to access the key store folders on the server. The security of the servers is important to prevent compromise of the certificates.

Once you have created the self-signed server certificate, save it to a file, transfer the file to the end user's computer, and import the certificate into Internet Explorer's Certificate Store.

Transfer or Extract the Certificate

Use an FTP client (such as the Reflection FTP client or Microsoft Windows FTP client) to transfer the self-signed certificate file to the client computer, and then follow these steps to integrate it with Internet Explorer:

  1. In Windows, click Start > Control Panel > Internet Options.
  2. On the Content tab, click Certificates.
2214_0.gif
  1. On the Trusted Root Certification Authorities tab, click Import > Next.
2214_1.gif
  1. Click Browse. Browse for and select your self-signed certificate file, and then click Open.
2214_2.gif
  1. Click Next, and then click Finish.
  2. When asked, "Do you want to ADD the following certificate to the Root Store," click Yes.
2214_3.gif

The new certificate is displayed in the Trusted Root Certification Authorities list.

Create a Client Certificate

Client certificates are not required to establish SSL connections using Reflection for IBM. However, if client certificates are required in your network environment, see KB 7021686, which describes how to create and import a client certificate for use connecting to z/OS using SSL and Reflection for IBM.

Make a Connection

To make an SSL connection using Reflection Desktop 16, Reflection 2014, Reflection for IBM 2014, or Reflection for IBM 2011:

  1. Start Reflection.

By default, Reflection opens by displaying the Create New Document dialog box. (Alternate navigation to Create New Document: click the upper-left icon and click New.)

  1. Click 3270 Terminal. Click the Create button (lower right).
  1. In the Host name/IP address field, enter the name of your mainframe as it appears in the Common Name field of the self-signed certificate. Typically, this is the fully qualified host name.
  2. In the Port field, enter the mainframe's secure port number (23001 in the earlier example).
  3. In the bottom-left, select the check box to Configure additional settings. Click OK.
  1. In the Settings dialog box under Host Connection, click Set up Connection (or 3270) Security.
View Full Size
2214_6.gif

This link is a shortcut to the Security section of the Configure Advanced Connection (or 3270) Settings dialog box.

  1. Click Security Settings.
  2. Select the check box to Use SSL/TLS security. For testing purposes, leave the Encryption strength at Default.
  1. Click OK, and OK again to Connect.

Once you have successfully connected, a blue and gray padlock icon displays in the Reflection display status bar, indicating that your connection is secure.

2214_8.gif

Additional Information

Legacy KB ID

This document was originally published as Attachmate Technical Note 2214.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.