Reflection for IBM 2014
Reflection for IBM 2011
Reflection for IBM version 14.x
Reflection Standard Suite 2011
Client certificates are NOT required to establish SSL connections using Reflection for IBM; however, if client certificates are required in your network environment, this document describes how to import a client certificate to be used for SSL connections from Reflection for IBM to z/OS.
Important: This technical note covers configuring the client certificate only. For full details on configuring your systems to allow users to connect to z/OS using SSL and Reflection for IBM, see Technical Note 1744 for Reflection for IBM 14.x or KB 7021499 for Reflection for IBM 2011, 2008, or 2007.
Adding the Client Certificate to the Internet Explorer Store
Follow the steps below to add the client certificate (which contains encrypted versions of both the public and private key) to the Internet Explorer store.
- Double-click the client certificate file.
Note: The client certificate file may be a P7B, SST, P12, or PFX file.
- In the Certificate Import Wizard, click Next twice to access the Password dialog box.
- In the Password field, enter the client certificate's password (established when the certificate was created), select Enable strong private key protection, and then click Next.
Note: Enable strong private key protection is not required, but is recommended.
- Select "Automatically select the certificate store based on the type of certificate", and then click Next.
- Click Next and then Finish.
- In the "Importing a new private exchange key" dialog box, click Set Security Level.
- Select the security level that meets your needs, and then click Next.
High security prompts for the key's password each time it is used. If you select this option, you will be prompted to create a password to protect this item. Fill in the required fields, and then click Next.
Medium does not prompt for the password, but does notify you when the key is used. Either option works with Reflection for IBM's SSL encryption.
- Click Finish, and you will be returned to the "Importing a new private exchange key" dialog box.
- Click OK.
- You will now see a pop-up box stating that "The import was successful." Click OK.
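The following read-only check can be run after the import to confirm the result. It is an added example, not part of the original technical note: it lists the certificates in the current user's Personal store and flags any that lack a private key, are outside their validity period, or exclude the Client Authentication purpose. It assumes the wizard placed the certificate in Cert:\CurrentUser\My.

```powershell
# Added example: audit certificates available for SSL client authentication.
# Assumption: the Certificate Import Wizard stored the certificate in the
# current user's Personal store (Cert:\CurrentUser\My).
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$now = Get-Date

Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_

    # Collect Enhanced Key Usage OIDs. A certificate with no EKU extension
    # is not restricted to particular purposes.
    $ekuOids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($usage in $ext.EnhancedKeyUsages) { $ekuOids += $usage.Value }
        }
    }
    $clientAuthOk = ($ekuOids.Count -eq 0) -or ($ekuOids -contains $clientAuthOid)
    $inValidity   = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)

    # A certificate imported from a file that carried no private key shows
    # HasPrivateKey = False and cannot be presented as a client certificate.
    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        InValidity    = $inValidity
        ClientAuthEku = $clientAuthOk
        Usable        = $cert.HasPrivateKey -and $inValidity -and $clientAuthOk
    }
} | Format-Table -AutoSize -Wrap
```

A row with Usable = False for the certificate you just imported indicates which condition to correct before testing the SSL connection.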
Modifying the TCP/IP Profile Dataset
The TN3270 server on z/OS must be configured to support SSL connections and client certificates.
To add support for your client certificate, add one of the following parameters to the TELNETPARMS section of your host's PROFILE.TCPIP dataset:
Use CLIENTAUTH SSLCERT if you want to check for a valid certificate.
Use CLIENTAUTH SAFCERT if you want to check for a valid certificate and require that the certificate is known by RACF.
The following is a generic example of a TCPIP.PROFILE.TCPIP dataset that has been configured for SSL support and a client certificate using the CLIENTAUTH SAFCERT parameter (use this example only as a guide when configuring your dataset).
KEYRING SAF TN3270RING ; RACF keyring name
SECUREPORT 23001 ; Secure port number
WLMCLUSTERNAME TN3270E ENDWLMCLUSTERNAME
PORT 23 23001 ; Add entry for secure port.
TELNETDEVICE 3278-3-E NSX32703
TELNETDEVICE 3279-3-E NSX32703