Author Topic: SSL on z/OS  (Read 13419 times)

Nolan

  • Full Member
  • ***
  • Posts: 152
Re: SSL on z/OS
« Reply #15 on: August 17, 2018, 12:26:23 PM »
It was going smoothly until I tried to log in!  I get 'Connection cannot be established ....' with no messages in the STC or system log table.

ars.ini
SSL_PORT=1446
SSL_KEYRING_FILE=ssltring
SSL_KEYRING_LABEL=PP1TSERV_TEST
SSL_CLNT_USE_SSL=0

List of certs in ondemand.kdb (we have internally trusted certs, so I added them to the db):
!       RBC.ROOT
!       RBC.INT1
!       RBC.INT2
!       PP1TSERV_TEST

Client
Use Secure Sockets Layer is enabled.

Any suggestions on how I can trace what is not set up right?

Thanks
J.

#zOS #AIX #Windows #Multiplatforms
#DB2 #TSM #ODF #zODF #ODWEK
#CapacityPlanning #AFP #ReportDistribution
#Finance #ICN

Justin Derrick

  • IBM Content Manager OnDemand Consultant
  • Administrator
  • Hero Member
  • *****
  • Posts: 2229
  • CMOD Guru for hire...
    • Tenacious Consulting
Re: SSL on z/OS
« Reply #16 on: August 20, 2018, 02:55:01 AM »
It looks like you're using custom/internal Certificates, and not the default ones that are included in the GSKit.  You need to add these certificates to the Client's certificate chain in order to be able to connect to a server that's using a different certificate chain.

-JD.
IBM CMOD Professional Services: http://TenaciousConsulting.com
Call:  +1-866-533-7742  or  eMail:  jd@justinderrick.com
IBM CMOD Wiki:  https://CMOD.wiki/
FREE IBM CMOD Education & Webinars:  https://CMOD.Training/

Interests: #AIX #Linux #Multiplatforms #DB2 #TSM #SP #Performance #Security #Audits #Customizing #Availability #HA #DR

Nolan

  • Full Member
  • ***
  • Posts: 152
Re: SSL on z/OS
« Reply #17 on: August 20, 2018, 12:42:43 PM »
I had added them; RBC.ROOT and RBC.INT1/2 were supposed to create the trust chain.  When I run the validate commands:

ROOT:  validates ok.

INT: 
CTGSK2052W An invalid basic constraint extension was found.
CTGSK2052W An invalid basic constraint extension was found.

Google hasn't helped me figure out how to fix it.  :(

I opened a PMR, hoping for help there :)

J.


Justin Derrick

  • IBM Content Manager OnDemand Consultant
  • Administrator
  • Hero Member
  • *****
  • Posts: 2229
  • CMOD Guru for hire...
Re: SSL on z/OS
« Reply #18 on: August 20, 2018, 04:24:09 PM »
I found this, which seems to have a solution...

https://developer.ibm.com/answers/questions/271880/ctgsk2052w-error-from-runmqakm-when-using-8002-and.html

"-ca true" is missing from the documentation in this thread.

-JD.

Nolan

  • Full Member
  • ***
  • Posts: 152
Re: SSL on z/OS
« Reply #19 on: August 20, 2018, 06:26:09 PM »
Thanks, I had also seen that thread, but -ca true gives an invalid parm.  The option -trust enable is what I used, but it is now deprecated.

The details do list ca = true:

basicConstraints
        ca = true
        pathLen = 1633108


PMR opened.  Will let you know when I find the solution.
J.

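The basicConstraints details shown above (the cA flag and pathLen, and the critical marking that comes up later in this thread) can be checked directly against a certificate's DER encoding with a small strict decoder. The following is an added example written for this thread, not code from the original posts or from IBM; the sample extension bytes are constructed here, and the checker applies only the DER rules from RFC 5280 that a strict validator enforces (minimal BOOLEAN and INTEGER encodings, DEFAULT values omitted, no trailing bytes, pathLen only meaningful with cA=TRUE). It does not claim to reproduce GSKit's own CTGSK2052W logic.

```python
"""
Decode and sanity-check an X.509 basicConstraints extension in DER.

Layout (RFC 5280):
  Extension ::= SEQUENCE {
      extnID    OBJECT IDENTIFIER,        -- 2.5.29.19 for basicConstraints
      critical  BOOLEAN DEFAULT FALSE,
      extnValue OCTET STRING }            -- wraps DER of BasicConstraints
  BasicConstraints ::= SEQUENCE {
      cA                 BOOLEAN DEFAULT FALSE,
      pathLenConstraint  INTEGER (0..MAX) OPTIONAL }
"""

BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # 2.5.29.19


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80:
            raise ValueError("non-minimal length (not DER)")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV")
    return tag, value, pos + length


def _bool(value):
    # DER allows exactly one byte: 0x00 (FALSE) or 0xFF (TRUE)
    if len(value) != 1 or value[0] not in (0x00, 0xFF):
        raise ValueError("BOOLEAN must be exactly 0x00 or 0xFF in DER")
    return value[0] == 0xFF


def _int(value):
    if not value:
        raise ValueError("empty INTEGER")
    if len(value) > 1 and ((value[0] == 0x00 and not value[1] & 0x80)
                           or (value[0] == 0xFF and value[1] & 0x80)):
        raise ValueError("non-minimal INTEGER (not DER)")
    return int.from_bytes(value, "big", signed=True)


def parse_basic_constraints(ext):
    """Return {'critical', 'ca', 'path_len'} or raise ValueError naming the defect."""
    tag, body, end = _tlv(ext, 0)
    if tag != 0x30 or end != len(ext):
        raise ValueError("Extension must be a single SEQUENCE")
    tag, oid, pos = _tlv(body, 0)
    if tag != 0x06 or oid != BASIC_CONSTRAINTS_OID:
        raise ValueError("not a basicConstraints extension")
    critical = False
    tag, val, pos = _tlv(body, pos)
    if tag == 0x01:                             # optional critical BOOLEAN
        critical = _bool(val)
        if not critical:
            raise ValueError("critical=FALSE must be omitted (DEFAULT) in DER")
        tag, val, pos = _tlv(body, pos)
    if tag != 0x04 or pos != len(body):
        raise ValueError("expected extnValue OCTET STRING as last element")
    tag, bc, end = _tlv(val, 0)
    if tag != 0x30 or end != len(val):
        raise ValueError("extnValue must wrap a single SEQUENCE")
    ca, path_len, pos = False, None, 0
    if pos < len(bc) and bc[pos] == 0x01:       # optional cA BOOLEAN
        _, v, pos = _tlv(bc, pos)
        ca = _bool(v)
        if not ca:
            raise ValueError("cA=FALSE must be omitted (DEFAULT) in DER")
    if pos < len(bc) and bc[pos] == 0x02:       # optional pathLenConstraint
        _, v, pos = _tlv(bc, pos)
        path_len = _int(v)
        if path_len < 0:
            raise ValueError("pathLenConstraint must be non-negative")
        if not ca:
            raise ValueError("pathLenConstraint present but cA is FALSE")
    if pos != len(bc):
        raise ValueError("trailing bytes after BasicConstraints")
    return {"critical": critical, "ca": ca, "path_len": path_len}


def check(ext):
    """One-line verdict suitable for a chain-inspection script."""
    try:
        r = parse_basic_constraints(ext)
    except ValueError as e:
        return f"INVALID: {e}"
    return f"OK: critical={r['critical']} ca={r['ca']} pathLen={r['path_len']}"


# Constructed sample extensions (hex), not taken from any real certificate:
INTERMEDIATE_CRITICAL = bytes.fromhex("30120603551d130101ff040830060101ff020100")  # critical, cA=TRUE, pathLen=0
ROOT_NONCRITICAL = bytes.fromhex("300c0603551d13040530030101ff")                 # non-critical, cA=TRUE
BER_TRUE_BOOLEAN = bytes.fromhex("300c0603551d1304053003010101")                 # cA encoded as 0x01 (BER, not DER)

if __name__ == "__main__":
    for name, ext in [("intermediate", INTERMEDIATE_CRITICAL),
                      ("root", ROOT_NONCRITICAL),
                      ("ber-bool", BER_TRUE_BOOLEAN)]:
        print(f"{name:13s} {check(ext)}")
```

To use it on a real chain, extract each certificate's basicConstraints extension bytes (for example with a DER dumper) and feed them to check(). A root that is non-critical and an intermediate that is critical both decode cleanly here, since RFC 5280 only requires the extension to be present and marked cA for CA certificates; what a strict parser refuses is a malformed encoding such as the 0x01 BOOLEAN in the third sample. The pathLen value is reported as-is, so an implausibly large number like the one quoted above is worth comparing against the actual depth of your chain.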

Justin Derrick

  • IBM Content Manager OnDemand Consultant
  • Administrator
  • Hero Member
  • *****
  • Posts: 2229
  • CMOD Guru for hire...
Re: SSL on z/OS
« Reply #20 on: August 21, 2018, 05:17:43 AM »
Yeah, the PMR is the way to go, but I'll caution you that GSKit doesn't get a lot of love from IBM in terms of updates.  Even really bad bugs persist for months at a time, although I suppose the reason is that they're trying to fix it right, which is precisely what you want with an encryption library.  :)

-JD.

Ed_Arnold

  • Hero Member
  • *****
  • Posts: 1199
Re: SSL on z/OS
« Reply #21 on: August 22, 2018, 12:55:56 AM »
Hmmm - I have the following:

SSL_KEYRING_FILE=ARSSOC95.SSLRING

which was created by:

RACDCERT ID(ARSSV950) ADDRING(ARSSOC95.SSLRING)

You have:

SSL_KEYRING_FILE=ssltring

a) make sure the case is correct, as I think it's case sensitive

b) try adding the server instance owner to that parm with a slash as a delimiter, for example:

SRVR_INSTANCE_OWNER=ARSSERVR

SSL_KEYRING_FILE=ARSSERVR/ssltring
________

Also, run the display commands I have here...

http://www.odusergroup.org/forums/index.php?topic=1987.msg9972#msg9972

...and make sure what you see makes sense.

Ed

#zOS #ODF

Nolan

  • Full Member
  • ***
  • Posts: 152
Re: SSL on z/OS
« Reply #22 on: August 27, 2018, 01:29:46 PM »
I have had a few more bumps on this ride.

We are using internal certificates, and GSK8 is not handling the chain of certificates.  For some reason, our ROOT is not marked critical for the BasicConstraints extension and our intermediate is.  Not sure yet how to resolve that.  Hoping the PMR will advise how to handle it.

I did revert to a self-signed certificate using the gskkyman method.  Following that, I was able to set up SSL from the client to the server successfully.
Note that Step 2 in the guide is missing the instructions to create the stash file.
From the main gskkyman panel, choose 2 (Open DB), enter the db name, enter the password, then select 10 to store the database password.
It will display the path and file name of the stash file required for your ars.ini in Step 3.

Now I have a problem with my remote loading of PDF documents, where it is picking up extra characters in the AG name, causing it to fail.  Will start looking at the local report specification exit.  ::)
J.


Ed_Arnold

  • Hero Member
  • *****
  • Posts: 1199
Re: SSL on z/OS
« Reply #23 on: March 05, 2021, 04:00:16 PM »
Had a question posed to me:

Quote
But I came across following note on IBM site..
============================================================
SSL improves security by encrypting and decrypting data across the network. The encryption and decryption occur at the application layer, which consumes the additional processing cycles for both the sending and receiving systems. Therefore, consider using SSL only for sessions where it is needed. Consider adding additional processor resources on the Content Manager OnDemand server or clients to manage the increased overhead processing.
============================================================

So the question is, what about SSL and z crypto hardware?

If everything is set up correctly, yes the SSL processing should use the hardware.

More about when hardware gets used for SSL at https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.gska100/sssl2d3998602.htm . There is a lot of "if things are" in there, meaning things have to be set up correctly.

On z/OS, CMOD uses System SSL. On MP (Linux/Unix/Windows) it uses GSKit.

z System SSL lets you use a RACF keyring, a key database file (gskkyman), or a PKCS#12 file. Assuming you use SSL for other things, I recommend putting the CMOD certificates in the same place as the SSL certs for the other things (RACF, kdb, or pkcs#12). Having your certificates in one place should make maintenance easier (e.g. expiring certs).

The CMOD ars.ini SSL_KEYRING_FILE identifies what the keystore is. CMOD just passes the value to SSL, and SSL figures out what it is. A RACF keyring would look like ARSUSER/KEYRING. A .kdb would look like /usr/lpp/ars/foo.kdb. A PKCS#12 token looks like *TOKEN*/token-name.

See the description of GSK_KEYRING_FILE at https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.gska100/sssl2api1065103.htm

Ed
