Hi Brian,
could you send the RACDCERT command you used?
Cheers
Wolfgang
----- Original Message -----
From: <[EMAIL PROTECTED]>
Newsgroups: bit.listserv.ibm-main
To: <IBM-MAIN@BAMA.UA.EDU>
Sent: Tuesday, March 25, 2008 5:19 PM
Subject: Import Connect:Direct self-signed certificate into RACF?
Hi folks

Has anyone managed to successfully import into RACF a self-signed server
certificate generated by Sterling Commerce's Windows-based "Certificate
Wizard"?

I've been sent one by one of our customers; they use it on their
Windows-based C:D server, apparently quite successfully on their other C:D
sessions from that server. However I can't import the certificate into
RACF as a Certificate Signing Authority (CERTAUTH) as it issues message:

IRRD126I The certificate contains either a key usage or basic constraint
extension indicating that it may not be used as a Certificate Authority
certificate. The certificate is not added.

This seems fairly reasonable since the attributes of the certificate only
specify HANDSHAKE and DATAENCRYPT (not CERTAUTH), however, this is the
standard for a self-signed server certificate coming out of the
Certificate Wizard - in fact you can neither add nor remove attributes in
this case.

I've tried importing it as a personal certificate for our C:D server, and
it accepts that. I've tried putting it in the keyring as USAGE(PERSONAL),
and USAGE(CERTAUTH) but either way C:D fails to negotiate the session,
instead issuing message:

CSPA202E SSL handshake failure, reason=GSK_ERR_SELF_SIGNED

I've had a call open for some time now with Sterling's support and
although they're being very attentive and helpful, we're not managing to
fix this, and the suggestion now is that we need to find out why RACF is
not accepting the certificate, since Windows seems quite happy to do so.

Hopefully someone out there has done this (Windows C:D <-> z/OS C:D)
successfully and can tell me where I'm going wrong?

Cheers
Brian
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html