Configuring client authentication with PKCS12
Use these instructions to configure the client to connect to z/OS by using secure sockets
layer (SSL) client authentication with a locally installed PKCS12 file generated from a RACF
certificate.
Host SSL configuration
Before you configure SSL on the client, you must configure the z/OS server for SSL. The instructions for configuring the host are in the IBM® Explorer for z/OS Host Configuration Guide, in the section on ssl.properties (RSE encrypted communication). This configuration is done by a z/OS system administrator with the assistance of a security administrator. If you are unsure whether the z/OS system has been configured for SSL, check with your z/OS system administrator.
Configuring a new z/OS connection for SSL
To define a new connection to a z/OS system that is configured for SSL, do these steps:
- In the Remote Systems view, click Define a connection to a remote system and double-click z/OS.
- In the New Connection window, select z/OS and click Next.
Tip: If you are creating a connection for the first time, you are prompted to create a profile before you can create the new connection. After you create the connection, you can share this profile to allow other users to have this connection in their Remote Systems view.
- Enter the following values in the fields on this window.
- Host name
- The TCP/IP address of the z/OS system.
- Connection name
- A name for the system, for example, new.zos.system.connection. This field defaults to the host name.
- Description
- A description of the connection.
- Verify host name
- Select this checkbox to verify that the host name is valid before you connect.
- Click Next.
- On the Connection Configuration page, specify these options:
- Daemon Port: Specify a valid port number. Consult your z/OS system administrator for the port number to use.
- Authentication method: Select certificate to use client certificate authentication.
- Click Finish.
- To configure the client certificate, follow the instructions in Configuring the client certificate.
Configuring SSL on an existing z/OS connection
If you already have a z/OS connection defined, and you want to change the connection properties
to use SSL, do these steps:
- In the Remote Systems view, right-click the connection name and select Properties.
- In the navigation pane of the Properties window, select Connector Services.
- Expand the entries in the Available Services list and click Launcher Properties.
- In the Authentication method row of the Properties table, click the Value cell, then expand the drop-down list and select certificate.
- Click Apply and Close.
- To configure the client certificate, follow the instructions in Configuring the client certificate.
Configuring the client certificate
- From the menu bar, click .
- In the navigation pane of the Properties window, select Client Certificates.
- Specify these values on the Client Certificates Preferences page:
- Java Cryptography Extension (JCE) Provider: IBMJCE
- Keystore Type: PKCS12
- hostIdMappings Object Identifier (OID): The OID value 1.3.18.0.2.18.1 can remain or be cleared so that there is no value. If the value is not cleared, the certificate must have this OID included. You can define multiple hostIdMappings if you need to access multiple z/OS systems or multiple applications, but only the first entry in the set of hostIdMappings is used. If the first entry is not the one that is authorized to the RSE server user ID, then the session fails with the error message checkCertificate:Invalid Certificate Exception: SERVAUTH Definition Error even if one of the additional entries maps to a valid SERVAUTH definition for the RSE server user ID.
- Click Apply and Close.
- To connect with the certificate, disconnect and then reconnect to the z/OS system. If the certificate is signed by its own CA or a self-signed certificate is used, then you are prompted to trust the certificate before connecting. If you are using a well-known CA, there is no prompt for the trust and the z/OS system is connected.
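Because only the first hostIdMappings entry is honoured, it is worth checking which entry that is before you connect. The following is an added example, not code from the IBM documentation: it decodes the DER value of the hostIdMappings extension (OID 1.3.18.0.2.18.1) and returns the entry RSE will use. The ASN.1 layout (SET OF SEQUENCE with implicitly tagged IA5String hostName [1] and subjectId [2]) is assumed from the RACF HostIdMappings definition, and the sample bytes are constructed inline; in practice you would extract the extension value from the leaf certificate in your PKCS12 file with your usual certificate tooling.

```python
# Added example: decode a RACF hostIdMappings extension (OID 1.3.18.0.2.18.1)
# and report which entry the RSE server will actually use (the first one).
# Assumed structure (from the RACF HostIdMappings definition):
#   HostIdMappings ::= SET OF HostIdMapping
#   HostIdMapping  ::= SEQUENCE { hostName  [1] IMPLICIT IA5String,
#                                 subjectId [2] IMPLICIT IA5String, ... OPTIONAL }
from typing import List, Tuple

HOST_ID_MAPPINGS_OID = "1.3.18.0.2.18.1"

def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_host_id_mappings(der: bytes) -> List[Tuple[str, str]]:
    """Return [(hostName, subjectId), ...] in the order they are encoded."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x31:                         # SET OF
        raise ValueError("expected SET OF (0x31), got 0x%02x" % tag)
    mappings, pos = [], 0
    while pos < len(body):
        tag, seq, pos = _tlv(body, pos)
        if tag != 0x30:                     # each entry is a SEQUENCE
            raise ValueError("expected SEQUENCE (0x30), got 0x%02x" % tag)
        host = user = ""
        p = 0
        while p < len(seq):
            t, v, p = _tlv(seq, p)
            if t == 0x81:                   # [1] IMPLICIT hostName
                host = v.decode("ascii")
            elif t == 0x82:                 # [2] IMPLICIT subjectId (z/OS user ID)
                user = v.decode("ascii")
            # any proofOfIdPossession field is skipped
        mappings.append((host, user))
    return mappings

def effective_mapping(der: bytes) -> Tuple[str, str]:
    """Only the FIRST entry is used by RSE; later entries never rescue a session."""
    mappings = parse_host_id_mappings(der)
    if not mappings:
        raise ValueError("hostIdMappings extension is empty")
    return mappings[0]

def _der(tag: int, content: bytes) -> bytes:
    """Short-form DER encoder, sufficient for the constructed sample below."""
    return bytes([tag, len(content)]) + content

# Constructed sample (hypothetical hosts and user IDs): two mappings, first one wins.
SAMPLE_DER = _der(0x31, _der(0x30, _der(0x81, b"zos1.example.com") + _der(0x82, b"DEVUSR1"))
                      + _der(0x30, _der(0x81, b"zos2.example.com") + _der(0x82, b"RSEUSR")))
```

If the user ID that `effective_mapping` returns is not the one with a valid SERVAUTH definition for the RSE server, reorder or regenerate the certificate rather than adding further entries.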