Client Certificates for TN3270 Connections

  • 7021686
  • 28-Aug-2003
  • 01-Apr-2018


Reflection 2014
Reflection for IBM 2014
Reflection for IBM 2011
Reflection for IBM version 14.x
Reflection Standard Suite 2011


Client certificates are NOT required to establish SSL connections using Reflection for IBM; however, if client certificates are required in your network environment, this document describes how to import a client certificate to be used for SSL connections from Reflection for IBM to z/OS.

Important: This technical note covers configuring the client certificate only. For full details on configuring your systems to allow users to connect to z/OS using SSL and Reflection for IBM, see Technical Note 1744 for Reflection for IBM 14.x or KB 7021499 for Reflection for IBM 2011, 2008, or 2007.


Adding the Client Certificate to the Internet Explorer Store

Follow the steps below to add the client certificate (which contains encrypted versions of both the public and private key) to the Internet Explorer store.

  1. Double-click client certificate file.

Note: The client certificate file may be a P7B, SST, P12, or PFX file.

  1. In the Certificate Import Wizard, click Next twice to access the Password dialog box.
  2. In the Password field, enter the client certificate's password (established when the certificate was created), select Enable strong private key protection, and then click Next.

Note: Enable strong private key protection is not required, but is recommended.

  1. Select ‘Automatically select the certificate store based on the type of certificate’, and Next.
  2. Click Next and then Finish.
  3. In the ‘Importing a new private exchange key’ dialog box, click Set Security Level.
  4. Select the security level that meets your needs, and then click Next.

High security prompts for the key's password each time it is used. If you select this option, you will be prompted to create a password to protect this item. Fill in the required fields, and then click Next.

Medium does not prompt for the password, but does notify you when they key is used. Either option works with Reflection for IBM's SSL encryption.

  1. Click Finish, and you will be returned to the ‘Importing a new private exchange key’ dialog box.
  2. Click OK.
  3. You will now see a pop-up box stating that "The import was successful." Click OK.

Modifying the TCP/IP Profile Dataset

TN3270 server on z/OS must be configured to support SSL connections and client certificates.

For details on configuring the profile dataset for SSL connections, see KB 7021681 for Reflection for IBM 14.x or KB 7021499 for Reflection for IBM 2007, 2008 and 2011.

To add support for your client certificate, add one of the following parameters to TELNETPARMS section of your host's PROFILE.TCPIP dataset:




Use CLIENTAUTH SSLCERT if you want to check for a valid certificate.

Use CLIENTAUTH SAFCERT if you want to check for a valid certificate and require that the certificate is known by RACF.

The following is a generic example of a TCPIP.PROFILE.TCPIP dataset that has been configured for SSL support and a client certificate using the CLIENTAUTH SAFCERT parameter (use this example only as a guide when configuring your dataset).

  KEYRING SAF TN3270RING          ; RACF keyring name 
  SECUREPORT 23001              ; Secure port number
  TIMEMARK 28800
PORT 23 23001                   ; Add entry for secure port.
  TELNETDEVICE 3278-3-E NSX32703 
  TELNETDEVICE 3279-3-E NSX32703 

Additional Information

Legacy KB ID

This document was originally published as Attachmate Technical Note 1757.