SAF Keyring for ZIETrans Telnet Connection

When deployed in a z/OS environment, the ZIETrans application can leverage SAF Keyring for a secure Telnet connection.

This option configures the application to use a SAF-managed keyring for secure communications with the mainframe host in z/OS. This functionality is available only when the JSSE (Java Secure Socket Extension) security provider is selected.

The following screen shows the configuration options required to enable the SAF keyring for the ZIETrans application:

To enable the SAF keyring, open the Security tab under the ZIETrans Connection main tab, then enable SSL, JSSE, and the SAF keyring, in that order.

When the user provides the Keyring Name and Owner ID, the system utilizes these values to precisely locate and access the correct keyring within the z/OS environment. This allows the application to securely retrieve the required certificates to establish an encrypted connection with the mainframe.

Keyring Name

A unique identifier assigned to the SAF keyring. In RACF, this name is specified using the RACDCERT ADDRING() command when the keyring is created. Provide the exact name of the keyring, as it is case-sensitive.

Owner ID

The specific RACF user ID that holds ownership and administrative permissions for the SAF keyring. The application combines this ID with the Keyring Name to locate the correct resource and verify access rights.

The keyring should be configured in z/OS to support either client authentication or server authentication, based on the security requirements. The User ID under which the application server Java process (where ZIETrans is deployed) is running must have the following permissions:

FACILITY Class: READ access to IRR.DIGTCERT.LISTRING.

RDATALIB Class: UPDATE access to the profile <OwnerID>.<RingName>.LST
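
The two permissions above, expressed as RACF commands entered from TSO by a security administrator. This is an added example, not taken from the ZIETrans documentation; `ZIEOWNER` (Owner ID), `ZIETransRing` (Keyring Name) and `WASSRV` (user ID of the application server Java process) are constructed placeholders.

```tso
/* Constructed placeholders: ZIEOWNER = Owner ID, ZIETransRing = Keyring Name, */
/* WASSRV = user ID of the application server Java process.                    */

/* Confirm the ring exists under the owner, with the exact case of its name */
RACDCERT ID(ZIEOWNER) LISTRING(ZIETransRing)

/* FACILITY class: READ access to IRR.DIGTCERT.LISTRING */
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(WASSRV) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH

/* RDATALIB class: UPDATE access to <OwnerID>.<RingName>.LST */
RDEFINE RDATALIB ZIEOWNER.ZIETransRing.LST UACC(NONE)
PERMIT ZIEOWNER.ZIETransRing.LST CLASS(RDATALIB) ID(WASSRV) ACCESS(UPDATE)
SETROPTS CLASSACT(RDATALIB) RACLIST(RDATALIB)
SETROPTS RACLIST(RDATALIB) REFRESH

/* Review the resulting access lists */
RLIST FACILITY IRR.DIGTCERT.LISTRING AUTHUSER
RLIST RDATALIB ZIEOWNER.ZIETransRing.LST AUTHUSER
```

If a profile already exists, `RDEFINE` reports an error and only the `PERMIT` and refresh steps are needed. Keeping `UACC(NONE)` on both profiles limits keyring access to the IDs that are explicitly permitted.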

Please refer to the URLs below for instructions on creating the SAF Keyring with appropriate permissions.

https://www.ibm.com/docs/en/was-liberty/nd?topic=cslc-configuring-saf-certificates-keyrings-tls-zos-operating-system

https://www.ibm.com/docs/en/semeru-runtime-ce-z/17.0.0?topic=guide-saf