If you would like to use a client certificate to access z/OSMF, the first three sections are typically mandatory unless you have already created and downloaded a client certificate to the workstation. Depending on whether the client certificate is used in a browser or in a non-browser environment, perform either section 4 or section 5.
Section 1: Create client certificate
- Typically, the z/OS administrator creates the client certificate and associates it with a user ID. Below is an example of the RACF command:
RACDCERT ID(IBMUSER) GENCERT SUBJECTSDN(CN('User IBMUSER') O('Your Company') OU('Org A') C('US')) WITHLABEL('Certificate for IBMUSER') SIGNWITH(CERTAUTH LABEL('zOSMFCA'))
Where the Distinguished Name consists of the:
- Common name (Domain Name): User IBMUSER.
- Organization name: Your Company.
- Optional organizational unit: Org A.
- Country code: US.
- User ID under which the client certificate is to be added: IBMUSER.
- Label of the client certificate: Certificate for IBMUSER.
- Label of the CA certificate that is used to sign the client certificate: zOSMFCA.
- The client certificate is created with status TRUST, which indicates that the client certificate can be used to authenticate for the user ID IBMUSER.
RACDCERT ALTER(LABEL('Certificate for IBMUSER')) TRUST
Section 2: Export the client certificate
- Export the client certificate to a z/OS data set. Below is an example of the RACF command:
RACDCERT ID(IBMUSER) EXPORT(LABEL('Certificate for IBMUSER')) DSN('IBMUSER.CLIENTCR.IBMUSER.P12') FORMAT(PKCS12DER) PASSWORD('Test1234')
Where:
- The user ID associated with the client certificate to be exported: IBMUSER.
- The label of the client certificate: Certificate for IBMUSER.
- The data set that will contain the client certificate; the RACF command creates this data set automatically: CLIENTCR.IBMUSER.P12.
- The client certificate and private key are DER encoded when saved to the data set: PKCS12DER.
- The password that protects the exported (encrypted) certificate is Test1234. You must provide this password when you import the client certificate into the browser. The password is case-sensitive.
Section 3: Download the client certificate to workstation
- Enter the FTP command and the host name or IP address of the server, for example, ftp hostname.com.
- When prompted, enter your user ID and password.
- Enter bin to transfer the file in binary format.
- Transfer the file to the workstation by entering get 'IBMUSER.CLIENTCR.IBMUSER.P12' IBMUSER.p12.
- Type quit to exit.
Section 4: Import client certificate to browser if you are accessing z/OSMF in a browser
If you are accessing z/OSMF with a client certificate in a browser, you need to import the client certificate into your browser as described below (using Mozilla Firefox as an example):
- Start the Firefox browser.
- Access the Certificate Manager by selecting Menu > Privacy & Security > Certificates > View Certificates.
- Click Your Certificates.
- Click Import to import the client certificate.
- Browse to your PKCS12 file (IBMUSER.p12) and select it.
- Click Open and enter the case-sensitive password.
- Click OK to acknowledge the import message.
- Click OK and verify that the certificate is shown in the list.
- You might need to restart your browser.
Once the client certificate is imported into the browser, the browser takes care of presenting it. When you access the z/OSMF server with the browser, you may see a popup dialog asking whether to use the client certificate to access the z/OSMF server. If you select yes, you can log in to z/OSMF directly without entering a user name and password.
For Internet Explorer (IE), you can import the client certificate file (IBMUSER.p12) by double-clicking it.
Section 5: Use client certificate in a program running in non-browser environment
- Typically, a programming API that uses a client certificate needs the certificate file and the private key file as separate inputs. Therefore, you need to convert the P12 client certificate into separate files in PEM format. Refer to the example below; when you execute the commands, the password (Test1234) associated with the encrypted certificate is required:
openssl pkcs12 -in IBMUSER.p12 -out ibmuser-crt.pem -clcerts -nokeys
openssl pkcs12 -in IBMUSER.p12 -out ibmuser-key.pem -nocerts -nodes
Where:
- The input IBMUSER.p12 is the client certificate in P12 format that you downloaded to the workstation earlier.
- The output certificate file: ibmuser-crt.pem.
- The output private key file: ibmuser-key.pem.
- With the above PEM files, below is example code that uses the client certificate in Python:
Code Example:
#!/usr/bin/env python3
import requests

# Request headers; replace the Referer value with your own z/OSMF host name.
my_header = {
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Referer': 'https://pev082.pok.ibm.com',  # Your host name
    'Connection': 'keep-alive',
    'Cache-Control': 'max-age=0',
    'Host': None  # None drops the entry; the Host header is then derived from the URL
}

# URL you want to access
geturl = "https://pev082.pok.ibm.com/zosmf/LogManager"

# cert=(certificate file, private key file) presents the client certificate.
# verify=False disables verification of the z/OSMF server certificate (the
# starting point of this example); for anything beyond initial testing, set
# verify to the path of the CA certificate (or bundle) that signed the server certificate.
res = requests.get(geturl,
                   cert=('xxx/xxx/ibmuser-crt.pem', 'xxx/xxx/ibmuser-key.pem'),
                   headers=my_header,
                   verify=False)
print(res.status_code)
print(res.text)
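Before handing the two PEM files to requests, it helps to confirm that the openssl commands in Section 5 produced what the code above expects: a certificate-only file and an unencrypted key-only file (a key that is still encrypted, or a cert file that also contains the key, is a common cause of TLS handshake failures). The following added example, which is not part of the z/OSMF documentation, checks that with only the Python standard library; make_pem and the sample PEM bodies are constructed placeholders, not real certificates or keys.

```python
import base64
import re

# One PEM block: -----BEGIN <label>----- ... -----END <label>-----
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def pem_blocks(text):
    """Return (label, der_bytes) for every PEM block in text.
    Raises ValueError when a base64 body does not decode, the usual symptom of a
    file transferred in ASCII instead of binary mode (see Section 3)."""
    blocks = []
    for label, body in _PEM_BLOCK.findall(text):
        # Skip RFC 1421 header lines such as "Proc-Type: 4,ENCRYPTED"; base64 never contains ':'.
        b64 = "".join(ln.strip() for ln in body.splitlines() if ln.strip() and ":" not in ln)
        blocks.append((label, base64.b64decode(b64, validate=True)))
    return blocks


def check_client_pem_pair(crt_text, key_text):
    """Return a list of problems; an empty list means requests can use the pair.
    The -clcerts -nokeys output must hold exactly one CERTIFICATE and no key; the
    -nocerts -nodes output must hold one unencrypted private key and no certificate."""
    problems = []
    crt_labels = [label for label, _ in pem_blocks(crt_text)]
    key_labels = [label for label, _ in pem_blocks(key_text)]
    if crt_labels.count("CERTIFICATE") != 1:
        problems.append("certificate file must contain exactly one CERTIFICATE block")
    if any(label.endswith("PRIVATE KEY") for label in crt_labels):
        problems.append("certificate file must not contain a private key (use -nokeys)")
    if "CERTIFICATE" in key_labels:
        problems.append("key file must not contain a certificate (use -nocerts)")
    if not any(label.endswith("PRIVATE KEY") for label in key_labels):
        problems.append("key file contains no private key block")
    elif any(label.startswith("ENCRYPTED") for label in key_labels) or "Proc-Type: 4,ENCRYPTED" in key_text:
        problems.append("private key is still encrypted; re-run openssl pkcs12 with -nodes")
    return problems


def make_pem(label, payload, headers=""):
    """Build a PEM block from raw bytes; used only for the constructed samples below."""
    body = base64.encodebytes(payload).decode()
    return f"-----BEGIN {label}-----\n{headers}{body}-----END {label}-----\n"


# Constructed samples: the base64 bodies are placeholder bytes, not real DER.
GOOD_CRT = make_pem("CERTIFICATE", b"placeholder certificate DER")
GOOD_KEY = make_pem("PRIVATE KEY", b"placeholder PKCS#8 private key DER")
ENCRYPTED_KEY = make_pem("ENCRYPTED PRIVATE KEY", b"placeholder encrypted key DER")
```

Run check_client_pem_pair on the contents of ibmuser-crt.pem and ibmuser-key.pem before the requests call; an empty list means the two files have the shape the openssl flags are meant to produce.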