OnDemand User Group

Support Forums => z/OS Server => Topic started by: Greg Ira on March 11, 2016, 07:22:37 AM

Title: SSL on z/OS
Post by: Greg Ira on March 11, 2016, 07:22:37 AM
Has anyone set up SSL on a z/OS CMOD server (V9.5)?  Documentation is rather sparse regarding this and I'm quite unfamiliar with SSL in general.  I think I've managed to set up the keyring file and stash file but I seem to be stuck getting beyond this point.  For example, based on the config guide there is no way to specify a port for SSL.  Any help would be appreciated.

Thanks
Greg
Title: Re: SSL on z/OS
Post by: Justin Derrick on March 11, 2016, 08:04:36 AM
There's a document on how to do it, although it's rather incomplete. 

https://developer.ibm.com/answers/storage/temp/4321-using-ssl-with-ibm-content-manager-ondemand.pdf

The most important tip I can give you is that you *MUST* use one of the certificates listed in the PDF which are accepted by default with the IBM GSKit.  Getting third party (or self-signed/internal) certificates working is painful, and there appears to be little to no documentation on adding new certificates to the Thick Client.  (I didn't do the ODWEK piece, but I imagine that is equally nightmarish.)

As for assigning the port number, it's in the PDF link above, I think the parameter for ars.cfg is SSL_PORT.



Title: Re: SSL on z/OS
Post by: Greg Ira on March 11, 2016, 09:39:37 AM
Thanks!   That's a lot more than I had before.  I'll run through it and see what I can do.  Thanks for the tips as well.
Title: Re: SSL on z/OS
Post by: Ed_Arnold on March 15, 2016, 08:46:49 AM
Hello Greg --- tons of disclaimers, this isn't my procedure, but you might give this a try:

Setting up RACF with a self-signed certificate.

From TSO option 6 run this series of RACF commands
for the ARSSOC95 STC, which runs under userid ARSSV950.


1. create a self-signed certificate:

RACDCERT CERTAUTH GENCERT                   
  SUBJECTSDN(CN('ARSSOC95') O('IBM') C('US'))
    WITHLABEL('ARSSOC95.CERT') ID(ARSSV950)  

2. create a ring (since one does not exist as far as I know)

RACDCERT ID(ARSSV950) ADDRING(ARSSOC95.SSLRING)

3. Connect certificate to the ring:

RACDCERT ID(ARSSV950) CONNECT(ID(ARSSV950) LABEL('ARSSOC95.CERT')
RING(ARSSOC95.SSLRING) DEFAULT)                                   

4. Not necessary but why not see what we have by listing the certificate

RACDCERT ID(ARSSV950) LIST

Gives you this info

Digital certificate information for user ARSSV950:     
                                                       
  Label: ARSSOC95.CERT                                 
  Certificate ID: 2QjB2eLi5fn18MHZ4uLWw/n1S8PF2eNA     
  Status: TRUST                                       
  Start Date: 2016/03/03 00:00:00                     
  End Date:   2017/03/03 23:59:59                     
  Serial Number:                                       
       >00<                                           
  Issuer's Name:                                       
       >CN=ARSSOC95.O=IBM.C=US<                       
  Subject's Name:                                     
       >CN=ARSSOC95.O=IBM.C=US<                       
  Signing Algorithm: sha1RSA                           
  Key Type: RSA                                       
  Key Size: 1024                                       
  Private Key: YES                                     
  Ring Associations:                                   
    Ring Owner: ARSSV950                               
    Ring:                                             
       >ARSSOC95.SSLRING<       


5. Export the certificate to a dataset.

RACDCERT ID(ARSSV950) EXPORT(LABEL('ARSSOC95.CERT')) DSN(CERT.TEXT) 
 FORMAT(CERTB64)   
 
Now I have the dataset:    MYUSER.CERT.TEXT

Taking a peek inside I see
 
-----BEGIN CERTIFICATE-----                                     
 MIICNDCCAZ2gAwIBAgIBADANBgkqhkiG9w0BAQUFADAuMQswCQYDVQQGEwJVUzEM
 MAoGA1UEChMDSUJNMREwDwYDVQQDEwhBUlNTT0M5NTAeFw0xNjAzMDMwNTAwMDBa
 Fw0xNzAzMDQwNDU5NTlaMC4xCzAJBgNVBAYTAlVTMQwwCgYDVQQKEwNJQk0xETAP
 BgNVBAMTCEFSU1NPQzk1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJT776
 /4A3NQJiWqU0XCwcJxxxu0R8/ddxVKS7AibVN/GBDzugjbLcVFyWs0dCGiWiL3kZ
 KRniG54qqfzW2mneDnUB/UfoLH7HZoLKPWrmqmFK8v23ZxvmHzuJ2Rbz2ZjCvkH0
 ZMa7JZmUDvcH8R08N46U65x6rVZsDNHHRllmXQIDAQABo2IwYDA/BglghkgBhvhC
 AQ0EMhYwR2VuZXJhdGVkIGJ5IHRoZSBTZWN1cml0eSBTZXJ2ZXIgZm9yIHovT1Mg
 KFJBQ0YpMB0GA1UdDgQWBBRH4N+n1DfX+rerRHzi3zJ/0oa9yzANBgkqhkiG9w0B
 AQUFAAOBgQBGm2dADvz/uZeerFtFmdzUdo821Hfsts+h/TEEot0QEztlQJfyxgNK
 mlwNuZhanujXaKKp00eXQYLTT1NGlSRA/nLs7OC60IKIYCGTaR6CNR2NDiBiNeuY
 6TU/bVxOdEEtMtij4LmuTnVmOdtO954vmxKD3H0ELrwox2v9+T7ywg==         
-----END CERTIFICATE-----   
     

Setting up the ARSSOC95 server with an SSL port

1. Edit ars.ini and for ARCH950 instance add these lines.

SSL_PORT=11449
SSL_KEYRING_FILE=ARSSOC95.SSLRING
SSL_KEYRING_LABEL=ARSSOC95.CERT

2. Restart ARSSOC95 to pick up the ars.ini change.


Set up the client for SSL.

       
1. Get the certificate from z/OS to the desktop via FTP

open a command window in the directory:   C:\Program Files (x86)\IBM\OnDemand Clients\V9.5\config

Use ASCII-mode FTP to get the certificate into that directory.


C:\Program Files (x86)\IBM\OnDemand Clients\V9.5\config>ftp host.xxx.com
Connected to host.xxx.com.
220-FTPD1 IBM FTP CS V2R1 at HOST.XXX.COM, 08:56:18 on 2016-03-04.
220 Connection will close if idle for more than 5 minutes.
User (host.xxx.com:(none)): myuser
331 Send password please.
Password:
230 MYUSER is logged on.  Working directory is "MYUSER.".
ftp> ascii
200 Representation type is Ascii NonPrint
ftp> get 'MYUSER.CERT.TEXT' cert.txt
200 Port request OK.
125 Sending data set MYUSER.CERT.TEXT
250 Transfer completed successfully.
ftp: 840 bytes received in 0.00Seconds 420.00Kbytes/sec.
ftp> quit
221 Quit command received. Goodbye.

2. While still in the command window add the gsk8 directories to the PATH.

C:\Program Files (x86)\IBM\OnDemand Clients\V9.5\config>set PATH=%PATH%;C:\Program Files (x86)\IBM\gsk8\bin;C:\Program Files (x86)\IBM\gsk8\lib

3.  Now to perform some gskit magic.


C:\Program Files (x86)\IBM\OnDemand Clients\V9.5\config>gsk8capicmd -keydb -create -db "ondemand.kdb" -pw "myKeyDBpasswd" -stash -populate

C:\Program Files (x86)\IBM\OnDemand Clients\V9.5\config>gsk8capicmd -cert -add -db "ondemand.kdb" -pw "myKeyDBpasswd" -label "ARSSOC95.CERT" -file cert.txt -format ascii


4.  Time to configure the client. 

Change to the port number specified above for SSL,  SSL_PORT=11449,  and check the "Use Secure Sockets Layer" check box.



Give that a try.

Ed
Title: Re: SSL on z/OS
Post by: Justin Derrick on March 15, 2016, 06:21:08 PM
Quote
3.  Now to perform some gskit magic.

I think this may be the most documentation for configuring the CMOD client for SSL anywhere on the planet.

I went through this configuring-CMOD-with-self-signed-certificates-from-a-corporate-certificate-authority two years ago, and it was brutal.

-JD.
Title: Commands for listing Certificate Information on the Client
Post by: Ed_Arnold on March 16, 2016, 09:54:52 AM
C:\Program Files (x86)\IBM\OnDemand Clients\V9.5\config>set PATH=%PATH%;C:\Program Files (x86)\IBM\gsk8\bin;C:\Program Files (x86)\IBM\gsk8\lib


C:\Program Files (x86)\IBM\OnDemand Clients\V9.5\config>gsk8capicmd -cert -list -db ondemand.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
!       "Entrust.net Secure Server Certification Authority"
!       "Entrust.net Certification Authority (2048)"
!       "Entrust.net Client Certification Authority"
!       "Entrust.net Global Client Certification Authority"
!       "Entrust.net Global Secure Server Certification Authority"
!       "VeriSign Class 1 Public Primary Certification Authority"
!       "VeriSign Class 2 Public Primary Certification Authority"
!       "VeriSign Class 3 Public Primary Certification Authority"
!       "VeriSign Class 1 Public Primary Certification Authority - G2"
!       "VeriSign Class 2 Public Primary Certification Authority - G2"
!       "VeriSign Class 3 Public Primary Certification Authority - G2"
!       "VeriSign Class 4 Public Primary Certification Authority - G2"
!       "VeriSign Class 1 Public Primary Certification Authority - G3"
!       "VeriSign Class 2 Public Primary Certification Authority - G3"
!       "VeriSign Class 3 Public Primary Certification Authority - G3"
!       "VeriSign Class 3 Public Primary Certification Authority - G5"
!       "VeriSign Class 4 Public Primary Certification Authority - G3"
!       "Thawte Primary Root CA"
!       "Thawte Primary Root CA - G2 ECC"
!       "Thawte Server CA"
!       "Thawte Premium Server CA"
!       "Thawte Personal Basic CA"
!       "Thawte Personal Freemail CA"
!       "Thawte Personal Premium CA"
!       ARSSOC95.CERT



C:\Program Files (x86)\IBM\OnDemand Clients\V9.5\config>gsk8capicmd -cert -details -db ondemand.kdb -stashed -label ARSSOC95.CERT

Label : ARSSOC95.CERT
Key Size : 1024
Version : X509 V3
Serial : 00
Issuer : CN=ARSSOC95,O=IBM,C=US
Subject : CN=ARSSOC95,O=IBM,C=US
Not Before : March 2, 2016 9:00:00 PM PST
Not After : March 3, 2017 8:59:59 PM PST


Ed
Title: Re: SSL on z/OS
Post by: Greg Ira on March 16, 2016, 11:44:29 AM
Thanks Ed.  Good info
Title: Re: SSL on z/OS
Post by: Greg Ira on March 24, 2016, 06:11:16 AM
Ed,
 Do you know if the method of defining the keyring and cert through RACF should work even if we are only using CMOD internal security and don't have ARSUSECZ enabled?
Title: Re: SSL on z/OS
Post by: Ed_Arnold on March 24, 2016, 07:06:11 AM
Quote
Ed,
 Do you know if the method of defining the keyring and cert through RACF should work even if we are only using CMOD internal security and don't have ARSUSECZ enabled?

As Calvin of Calvin and Hobbes would say, "Oog."

In other words that's a set up that I haven't heard of anyone trying yet.

Ed
Title: Some SSL client stuff
Post by: Ed_Arnold on March 30, 2016, 11:14:58 AM
If you're going to work with SSL at all the easiest thing to do is to put the bin and lib in the PATH variable for the system.

For example, here on my work laptop, this is my PATH variable:

C:\Program Files\Intel\WiFi\bin\;C:\Program Files\Common Files\Intel\WirelessCommon\;C:\Program Files (x86)\IBM\gsk8\bin;C:\Program Files (x86)\IBM\gsk8\lib

Note the semicolons separating the entries.
_____________

To verify that the PATH is set up correctly, whether you do it dynamically or via the PATH environment variable, open up a command prompt (no need to cd anywhere) and type in:

gsk8capicmd -version

If that doesn't provide a reasonable answer then cd to where you have the DLLs installed and try that command again.  On my system that would be

C:\Program Files (x86)\IBM\gsk8\lib\

If it works this time then you have a PATH problem.
______

If you don't have a PATH problem Level 2 will probably want the output of the following command (found in the \lib directory):

gsk8ver (or gsk8ver_64 if it is 64-bit Windows)
______

Side note:  I tried this with the just released 9.5.0.5 Windows Client and everything works fine.

Ed


 
Title: Re: SSL on z/OS
Post by: Greg Ira on April 27, 2016, 07:11:06 AM
Just as a follow up to this.  We finally got this working so I tried consolidating the information into a single document (attached).
Thanks for everyone's assistance on this.
Title: Re: SSL on z/OS
Post by: jeff44 on July 23, 2018, 11:04:40 AM
Hi Ed (and all)
Do you know if this works with a SITE certificate? We'd like to share the cert for batch usage.
Thanks!
Title: Re: SSL on z/OS
Post by: Ed_Arnold on July 24, 2018, 07:59:58 AM
Quote
Hi Ed (and all)
Do you know if this works with a SITE certificate? We'd like to share the cert for batch usage.
Thanks!

Jeff - is what you're doing basically the same thing that I did here:

http://www.odusergroup.org/forums/index.php?topic=2296

Ed
Title: Re: SSL on z/OS
Post by: Ed_Arnold on July 24, 2018, 02:51:22 PM
Jeff -

z/OS Security Server RACF Security Administrator's Guide

Quote
Site certificate
A certificate that is associated with an off-platform server or other network
entity, such as a peer VPN server. This category of certificate can also be
used to share a single certificate and its private key among multiple RACF
user IDs. When used for sharing, a certificate might be referred to as a
placeholder certificate.

When googling, I found this:

RACF and SSL Security With Digital Certificates

http://ibmsystemsmag.com/CMSTemplates/IBMSystemsMag/Print.aspx?path=/mainframe/tipstechniques/systemsmanagement/RACF-and-SSL-Security-With-Digital-Certificates

Is what you're trying to do the same problem as an FTP client connecting to an FTP server on the same LPAR?

Quote
When using FTP under z/OS to connect to a remote system (whether it’s another z/OS system or not), and still using only server certificates, our client again needs to have knowledge of the remote servers’ certificate in order to validate it.

Ah, but isn't what you're trying to do to connect to a local system?

Quote
...you’ll have been given the CA certificate for the site to which you’re connecting.

Could it possibly be as easy as the RACF commands under here:

Quote
To accept a self-signed certificate from a server, use the following RACF definitions:

These are really RACF questions.  There used to be a RACF user group out on the forums, I believe.  Maybe ask on IBM-MAIN?

Be sure to watch the system console for RACF error messages like the one I received for  "INSUFFICIENT ACCESS AUTHORITY".

Please let us know what you've tried.

Ed

Title: Re: SSL on z/OS
Post by: Nolan on August 01, 2018, 10:18:42 AM
Thanks all for posting this very timely guide.  I am setting it up now in our shop and will advise of surprises or updates required.

The only thing I have noted is that my gsk8 exe files are in the bin path and the dlls are in the lib path.  I had to copy the exe to the lib path to run commands.
Title: Re: SSL on z/OS
Post by: Nolan on August 17, 2018, 12:26:23 PM
It was going smoothly, till I tried to log in!  I get  'Connection cannot be established ....' with no messages in STC or system log table.

ars.ini
SSL_PORT=1446                 
SSL_KEYRING_FILE=ssltring     
SSL_KEYRING_LABEL=PP1TSERV_TEST
SSL_CLNT_USE_SSL=0             

List of Cert in ondemand.kdb (we have internally trusted certs, so I added them to the db)
!       RBC.ROOT
!       RBC.INT1
!       RBC.INT2
!       PP1TSERV_TEST

Client
Use Secure Sockets Layer is enabled.

Any suggestions on how I can trace what is not set up right?

Thanks
Title: Re: SSL on z/OS
Post by: Justin Derrick on August 20, 2018, 02:55:01 AM
It looks like you're using custom/internal Certificates, and not the default ones that are included in the GSKit.  You need to add these certificates to the Client's certificate chain in order to be able to connect to a server that's using a different certificate chain.

-JD.
Title: Re: SSL on z/OS
Post by: Nolan on August 20, 2018, 12:42:43 PM
I had added them; RBC.ROOT and RBC.INT1/2 were supposed to create the trust chain.  When I run the validate commands

ROOT:  validates ok.

INT: 
CTGSK2052W An invalid basic constraint extension was found.
CTGSK2052W An invalid basic constraint extension was found.

Google hasn't helped me figure out how to fix it.  :(

I opened a PMR, hoping for help there :)

Title: Re: SSL on z/OS
Post by: Justin Derrick on August 20, 2018, 04:24:09 PM
I found this, which seems to have a solution...

https://developer.ibm.com/answers/questions/271880/ctgsk2052w-error-from-runmqakm-when-using-8002-and.html

"-ca true" is missing from the documentation in this thread.

-JD.
Title: Re: SSL on z/OS
Post by: Nolan on August 20, 2018, 06:26:09 PM
Thanks, I had also seen that thread but -ca true gives invalid parm.  The option -trust enable is what I used but it is now deprecated. 

It does list it in the details that ca = true

basicConstraints
        ca = true
        pathLen = 1633108


PMR opened.  Will let you know when I find the solution.
Title: Re: SSL on z/OS
Post by: Justin Derrick on August 21, 2018, 05:17:43 AM
Yeah, the PMR is the way to go, but I'll caution you that GSKit doesn't get a lot of love from IBM in terms of updates.  Even really bad bugs persist for months at a time -- although I suppose the reason is that they're trying to fix it right, which is precisely what you want with an encryption library.  :)

-JD.
Title: Re: SSL on z/OS
Post by: Ed_Arnold on August 22, 2018, 12:55:56 AM
Hmmm -  i have the following:

SSL_KEYRING_FILE=ARSSOC95.SSLRING

which was created by:

RACDCERT ID(ARSSV950) ADDRING(ARSSOC95.SSLRING)

You have:

SSL_KEYRING_FILE=ssltring   

a) make sure the case is correct, as I think it's case-sensitive

b) try adding the server instance owner to that parm with a slash as a delimiter, for example

SRVR_INSTANCE_OWNER=ARSSERVR

SSL_KEYRING_FILE=ARSSERVR/ssltring
________

Also, run the display commands I have here...

http://www.odusergroup.org/forums/index.php?topic=1987.msg9972#msg9972

...and make sure what you see makes sense.

Ed

Title: Re: SSL on z/OS
Post by: Nolan on August 27, 2018, 01:29:46 PM
I have had a few more bumps on this ride.

We are using internal certificates and the GSK8 is not handling the chain of certificates.  For some reason, our ROOT is not marked critical for BasicConstraints extension and our intermediate is.  Not sure yet how to resolve that.  Hoping the PMR will advise how to handle it.

I did revert to a Self Signed certificate using the gskkyman method.  Following that, I was able to setup SSL from the client to the server successfully.
Note in Step 2 in the guide, it is missing instructions to create the stash file.
From the main gskkyman panel do 2. Open DB, enter the DB name, enter the password, then select 10 to store the database password.
It will display the path and file name of the stash file required for your ars.ini in Step 3.

Now, I have a problem with my remote loading of PDF documents where it is now picking up extra characters to the AG name causing it to fail.  Will start looking at the local report specification exit.  ::)
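Added example (my own code, not from this thread, IBM or GSKit): a stdlib-only Python script that decodes the PEM file you FTP down from z/OS, the one Ed's RACDCERT EXPORT ... FORMAT(CERTB64) step produced, and shows the fields the client will be judged on before you gsk8capicmd -cert -add it: issuer and subject (self-signed or not), key size, signature algorithm, validity window and, for the chain problem Nolan hit, whether each certificate in a bundle carries basicConstraints and whether its issuer in that bundle is marked cA=TRUE. SAMPLE_PEM is Ed's exported certificate copied from his post above; the problem messages and the 2048-bit threshold are my choices, the issuer/cA check follows RFC 5280 path-validation rules rather than anything GSKit-specific, and the parser handles RSA keys only.

```python
import base64
from datetime import datetime, timezone

SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIICNDCCAZ2gAwIBAgIBADANBgkqhkiG9w0BAQUFADAuMQswCQYDVQQGEwJVUzEM
MAoGA1UEChMDSUJNMREwDwYDVQQDEwhBUlNTT0M5NTAeFw0xNjAzMDMwNTAwMDBa
Fw0xNzAzMDQwNDU5NTlaMC4xCzAJBgNVBAYTAlVTMQwwCgYDVQQKEwNJQk0xETAP
BgNVBAMTCEFSU1NPQzk1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJT776
/4A3NQJiWqU0XCwcJxxxu0R8/ddxVKS7AibVN/GBDzugjbLcVFyWs0dCGiWiL3kZ
KRniG54qqfzW2mneDnUB/UfoLH7HZoLKPWrmqmFK8v23ZxvmHzuJ2Rbz2ZjCvkH0
ZMa7JZmUDvcH8R08N46U65x6rVZsDNHHRllmXQIDAQABo2IwYDA/BglghkgBhvhC
AQ0EMhYwR2VuZXJhdGVkIGJ5IHRoZSBTZWN1cml0eSBTZXJ2ZXIgZm9yIHovT1Mg
KFJBQ0YpMB0GA1UdDgQWBBRH4N+n1DfX+rerRHzi3zJ/0oa9yzANBgkqhkiG9w0B
AQUFAAOBgQBGm2dADvz/uZeerFtFmdzUdo821Hfsts+h/TEEot0QEztlQJfyxgNK
mlwNuZhanujXaKKp00eXQYLTT1NGlSRA/nLs7OC60IKIYCGTaR6CNR2NDiBiNeuY
6TU/bVxOdEEtMtij4LmuTnVmOdtO954vmxKD3H0ELrwox2v9+T7ywg==
-----END CERTIFICATE-----"""  # constructed sample: Ed's RACF-exported certificate from this thread

OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU",
        "1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
        "2.5.29.19": "basicConstraints", "2.5.29.14": "subjectKeyIdentifier"}

def tlv(buf, pos=0):  # one DER tag-length-value at pos -> (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):  # (tag, value) pairs inside the content of a constructed element
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out.append((tag, val))
    return out

def decode_oid(val):
    parts, acc = [str(val[0] // 40), str(val[0] % 40)], 0
    for b in val[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, acc = parts + [str(acc)], 0
    return ".".join(parts)

def decode_name(val):  # Name ::= SEQUENCE OF SET OF {OID, string}; rendered CN-first as gsk8capicmd does
    rdns = []
    for _, rdn in children(val):
        for _, atv in children(rdn):
            (_, oid), (_, text) = children(atv)
            rdns.append(f"{OIDS.get(decode_oid(oid), decode_oid(oid))}={text.decode()}")
    return ",".join(reversed(rdns))

def decode_time(tag, val):  # 0x17 UTCTime (YYMMDD...), 0x18 GeneralizedTime (YYYYMMDD...)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)

def parse_cert(pem):
    """Decode the fields of one PEM certificate that matter for a trust decision (RSA keys only)."""
    b64 = "".join(ln.strip() for ln in pem.splitlines() if ln.strip() and "-----" not in ln)
    _, cert, _ = tlv(base64.b64decode(b64))
    _, tbs, pos = tlv(cert)
    _, sig_alg, _ = tlv(cert, pos)
    f = children(tbs)
    i = 1 if f[0][0] == 0xA0 else 0                     # skip [0] EXPLICIT version when present
    # SubjectPublicKeyInfo BIT STRING (unused-bits byte dropped) -> RSAPublicKey -> modulus
    modulus = children(children(children(f[i + 5][1])[1][1][1:])[0][1])[0][1]
    exts = {}
    for tag, val in f[i + 6:]:
        if tag == 0xA3:                                 # [3] EXPLICIT Extensions
            for _, ext in children(children(val)[0][1]):
                parts = children(ext)                   # OID, optional BOOLEAN critical, OCTET STRING value
                oid = decode_oid(parts[0][1])
                exts[OIDS.get(oid, oid)] = (len(parts) == 3 and parts[1][1] != b"\x00", parts[-1][1])
    validity, sig_oid = children(f[i + 3][1]), decode_oid(children(sig_alg)[0][1])
    return {"serial": int.from_bytes(f[i][1], "big", signed=True), "sig_alg": OIDS.get(sig_oid, sig_oid),
            "issuer": decode_name(f[i + 2][1]), "subject": decode_name(f[i + 4][1]),
            "not_before": decode_time(*validity[0]), "not_after": decode_time(*validity[1]),
            "key_bits": int.from_bytes(modulus, "big").bit_length(), "extensions": exts}

def basic_constraints(cert):
    """(present, critical, cA, pathLen) from basicConstraints; (False, False, False, None) if absent."""
    if "basicConstraints" not in cert["extensions"]:
        return False, False, False, None
    critical, raw = cert["extensions"]["basicConstraints"]
    fields = dict(children(children(raw)[0][1]))        # {0x01: cA BOOLEAN, 0x02: pathLenConstraint INTEGER}
    path_len = fields.get(0x02)
    return True, critical, fields.get(0x01, b"\x00") != b"\x00", None if path_len is None else int.from_bytes(path_len, "big")

def chain_problems(pem_bundle, now=None):
    """Per subject: what stops an RFC 5280 path validator (and so the GSKit client) trusting the certificate."""
    now = now or datetime.now(timezone.utc)
    certs = [parse_cert("-----BEGIN" + b) for b in pem_bundle.split("-----BEGIN")[1:]]
    by_subject, report = {c["subject"]: c for c in certs}, {}
    for c in certs:
        issuer = by_subject.get(c["issuer"])
        checks = [(c["key_bits"] < 2048, f"RSA key is only {c['key_bits']} bits"),
                  (c["sig_alg"] == "sha1WithRSAEncryption", "signed with SHA-1"),
                  (not c["not_before"] <= now <= c["not_after"], "outside its validity window"),
                  (issuer is not None and issuer is not c and not basic_constraints(issuer)[2],
                   "issuer in bundle lacks basicConstraints cA=TRUE")]
        report[c["subject"]] = [msg for bad, msg in checks if bad]
    return report
```

From a Python prompt, parse_cert(open("cert.txt").read()) shows the same subject, serial, key size and dates as the RACDCERT LIST and gsk8capicmd -cert -details output in Ed's posts; chain_problems(open("chain.pem").read()) takes a file holding the root, intermediates and server certificate one after another. On Ed's certificate it reports the 1024-bit key and SHA-1 signature (the RACF defaults visible in his listing) and shows basicConstraints absent, which the GSKit client evidently accepted for a self-signed trust anchor in his setup but which no path validator will accept on an intermediate.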
Title: Re: SSL on z/OS
Post by: Ed_Arnold on March 05, 2021, 04:00:16 PM
Had a question posed to me:

Quote
But I came across following note on IBM site..
============================================================
SSL improves security by encrypting and decrypting data across the network. The encryption and decryption occur at the application layer, which consumes the additional processing cycles for both the sending and receiving systems. Therefore, consider using SSL only for sessions where it is needed. Consider adding additional processor resources on the Content Manager OnDemand server or clients to manage the increased overhead processing.
============================================================

So the question is, what about SSL and z crypto hardware?

If everything is set up correctly, yes the SSL processing should use the hardware.

More about when hardware gets used for SSL at https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.gska100/sssl2d3998602.htm . There is a lot of 'if things are' in there, meaning things have to be set up correctly.

On z/OS CMOD uses System SSL. On MP (Linux/Unix/Windows) it uses gskit. 

z System SSL lets you use a RACF keyring, a key database file (gskkyman), or a PKCS#12 file. Assuming you use SSL for other things, recommend putting the CMOD certificates in the same place as the SSL certs for the other things (RACF, kdb, or pkcs#12). Having your certificates in one place should make maintenance easier (e.g. expiring certs).

The CMOD ars.ini SSL_KEYRING_FILE identifies what the keystore is. CMOD just passes the value to SSL, and SSL figures out what it is. A RACF keyring would look like ARSUSER/KEYRING. A .kdb would look like /usr/lpp/ars/foo.kdb. A PKCS#12 token looks like *TOKEN*/token-name.

See the description of GSK_KEYRING_FILE at https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.gska100/sssl2api1065103.htm

Ed