HCLSoftware: Fueling the Digital+ Economy


Introduction

Secure communication using SSL/TLS is a critical requirement for modern applications, ensuring the protection of sensitive data and maintaining trusted interactions between clients and servers. The ZIE for Web Client now provides flexible and robust SSL/TLS trust management, allowing it to operate securely across multiple platforms, including Windows and Linux environments such as RHEL and Ubuntu.

This enhancement enables the application to validate server certificates using multiple trust sources, all managed through straightforward configuration in the web.properties file. The outcome is a consistent, extensible, and enterprise-ready security framework.

Supported Trust Store Sources

The ZIE for Web Client can load and consolidate certificates from the following trust sources:

  • Default JVM Keystore (cacerts)
  • CustomizedCAs.JKS files
  • Windows Certificate Store
  • Well-known trusted Certificate Authorities (CAs)
  • SAF Keyrings on IBM z/OS (RACF)

This multi-source trust model ensures seamless compatibility with public CAs, enterprise-issued certificates, and mainframe security frameworks.

Configuration Loader

Purpose

Reads SSL and trust-store-related settings from the web.properties file and determines which trust sources are enabled.

Key Configuration Parameters

  • ENABLE_DEFAULT_CACERTS – Enables the default JVM trust store (cacerts)
  • ENABLE_CUSTOM_JKS – Enables the custom JKS file from the ZIE for Web server (CustomizedCAs.jks)
  • ENABLE_WINDOWS_BROWSER – Enables the Windows trust store
  • ENABLE_SAF_KEYRING – Enables the SAF keyring (z/OS only)
  • ENABLE_WELLKNOWN_JKS – Enables the well-known trusted JKS file from the ZIE for Web server (WellKnownTrustedCAs.jks)
  • SSLSAFKeyringID – Specifies the SAF keyring name
  • SSLSAFKeyringOwnerID – Specifies the SAF keyring owner ID
  • JRE_DEFAULT_KEYSTORE – Password for the JVM default keystore (cacerts)
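
How several trust sources can be consolidated into one validator with the standard Java KeyStore and JSSE APIs, shown as an added example that is not HCL's implementation. The true/false value format, the two command-line arguments and the directory holding the JKS files are assumptions; the SAF keyring source is left out.

```java
import java.io.*;
import java.security.KeyStore;
import java.util.*;
import javax.net.ssl.*;

public class MergedTrust {
    // Copy each trusted-certificate entry into dst; the alias prefix records its source.
    static void copy(KeyStore src, String tag, KeyStore dst) throws Exception {
        int n = 0;
        for (String alias : Collections.list(src.aliases())) {
            if (!src.isCertificateEntry(alias)) continue;   // skip private-key entries
            dst.setCertificateEntry(tag + ":" + alias, src.getCertificate(alias));
            n++;
        }
        System.out.println(tag + ": " + n + " trust anchors");
    }

    // Null password: certificates are still readable, but the store's integrity check is skipped.
    static KeyStore open(File f, String pw) throws Exception {
        return KeyStore.getInstance(f, pw == null ? null : pw.toCharArray());
    }

    static boolean on(Properties p, String key) {           // assumed value format: true/false
        return Boolean.parseBoolean(p.getProperty(key, "false").trim());
    }

    public static void main(String[] args) throws Exception {
        Properties p = new Properties();
        try (InputStream in = new FileInputStream(args[0])) { p.load(in); }  // web.properties
        File dir = new File(args[1]);          // assumed: directory holding the two JKS files
        KeyStore merged = KeyStore.getInstance(KeyStore.getDefaultType());
        merged.load(null, null);               // empty in-memory store
        if (on(p, "ENABLE_DEFAULT_CACERTS")) {
            File f = new File(System.getProperty("java.home"), "lib/security/cacerts");
            copy(open(f, p.getProperty("JRE_DEFAULT_KEYSTORE")), "cacerts", merged);
        }
        if (on(p, "ENABLE_CUSTOM_JKS"))
            copy(open(new File(dir, "CustomizedCAs.jks"), null), "custom", merged);
        if (on(p, "ENABLE_WELLKNOWN_JKS"))
            copy(open(new File(dir, "WellKnownTrustedCAs.jks"), null), "wellknown", merged);
        if (on(p, "ENABLE_WINDOWS_BROWSER")) {
            KeyStore win = KeyStore.getInstance("Windows-ROOT");   // SunMSCAPI, Windows only
            win.load(null, null);
            copy(win, "windows", merged);
        }
        // Fail closed on an empty store; init(null) would silently select the JVM default store.
        if (merged.size() == 0) throw new IllegalStateException("no trust anchors loaded");
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(merged);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        System.out.println("SSLContext ready with " + merged.size() + " merged anchors");
    }
}
```

The per-source counts it prints give a quick audit of how many CAs each enabled flag adds to the set the client will accept.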

Example: A sample web.properties file is provided below. Enable or disable the parameters as required.

HTTPS and Admin Console Configuration

SAF Keyring Configuration for z/OS

1. Configure the following parameters in the web.xml of the ZIE for Web client:

  • SSLSAFKeyringID
  • SSLSAFKeyringOwnerID

2. Import the web server’s self-signed certificate into the SAF keyring.

3. Ensure that all the required CA certificates for the web and application servers are present in the keyring.

4. Launch the application and verify access via:

  • ZIE for Web Client
  • ZIE for Web Client Admin Console

Conclusion

This enhancement applies specifically to the HTTP requests being secured. With this capability, the ZIE for Web Client delivers a powerful and flexible SSL/TLS trust model that operates seamlessly across platforms. By supporting multiple trust sources and consolidating them into a unified certificate validation mechanism, the solution provides a consistent, scalable, and enterprise-ready security framework.
