Hi Colin, Yes I read your info and it was super helpful, but I could get past not having the ability for all PC's to do an HTTPS TLS 1.2 connection from a browser.
For example. Label:Corporate Root CA Certificate ID:2QiJmZmDhZmjgcOWmZeWmYGjhUDZlpajQMPB Status:TRUST Start Date:2015/08/14 13:27:47 End Date: 2114/08/14 13:37:46 Serial Number:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Issuer's Name:CN=COV1CERT01VM Subject's Name:CN=COV1CERT01VM Label:Corporate IMMED CA Certificate ID:2QiJmZmDhZmjgcOWmZeWmYGjhUDJ1NTFxEDDwUBA Status:TRUST Start Date:2016/04/25 13:00:14 End Date: 2114/08/14 13:37:46 Serial Number:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Issuer's Name:CN=COV1CERT01VM Subject's Name:CN=NRC1CERT03VM.am.tsacorp.com Label:ACWA Client Cert Certificate ID:2Qfj4uLjxeLBwcPmwUDDk4mFlaNAw4WZo0BA Status:TRUST Start Date:2021/08/11 08:34:50 End Date: 2023/08/11 08:34:50 Serial Number:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Issuer's Name:CN=NRC1CERT03VM.am.tsacorp.com Subject's Name:CN=MFZ900ACWA.AM.TSACORP.COM Subject's AltNames: ,IP:10.x.xx.xxx ,Domain: MFZ900ACWA.AM.TSACORP.COM And lastly my keyring owned by IZUSVR Ring: ,IZUKeyring.IZUDFLT Certificate Label Name Cert Owner USAGE DEFAULT --------------------------------- ----------- -------- -------- ,Corporate Root CA ,CERTAUTH ,CERTAUTH ,NO ,Corporate IMMED CA ,CERTAUTH ,CERTAUTH ,NO ,ACWA Client Cert ,ID(TSSTESA) ,PERSONAL ,YES Ms Terri E Shaffer Senior Systems Engineer, z/OS Support: ACIWorldwide – Telecommuter H(412-766-2697) C(412-519-2592) terri.shaf...@aciworldwide.com -----Original Message----- From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Colin Paice Sent: Friday, August 13, 2021 9:13 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: z/OSMF Certificates External Email Terri, I too had problems and wrote A practical guide to getting z/OSMF working <https://colinpaice.blog/2020/12/21/a-practical-guide-to-getting-z-osmf-working/> it mentions certificates. It sounds like someone is trying to connect to your server. The CAs for this user are not in the server's keyring. Can you list your client's certificate and see the CA's for the client cert? on z try RACDCERT LISTRING(IZUKeyring.IZUDFLT ID(IZUSVR) to see what is in RACF. What are you using on your client - browser or python etc? regards Colin On Fri, 13 Aug 2021 at 13:59, Shaffer, Terri < 0000017d5f778222-dmarc-requ...@listserv.ua.edu> wrote: > So I am no expert when it comes to certificates, So maybe someone can > shed some light for me. > > By default z/OSMF is configured with a CA or ZOSMFCA label. That > doesn't work or maybe seem to work for me. I can generate a client > certificate from it and download to me PC but will never establish an > SSL TLS 1.2 connection. I also done have admin rights, so even if I > could it would only be for me, at least I think. > > So my corporate network team, gave me a root and immediate CA and then > generated a client certificate for me. > > I imported them to RACF as trusted and built my z/OSMF key ring off > those, which seemed to work... > > However now I am getting > > [ERROR ] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN > CN=xxx.xxx.xxx.xxx my IP > The signer might need to be added to local trust store > safkeyringhybrid://IZUSVR/IZUKeyring.IZUDFLT, located in SSL > configuration alias izuSSLConfig. > The extended error message from the SSL handshake exception is: PKIX > path building failed: > com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid > certification path to requested target. > > Which I guess makes sense because my network team gave me all the Certs. > But is there a way to resolve this so all users get a TLS 1.2 htps > connection? > > Ms Terri E Shaffer > Senior Systems Engineer, > z/OS Support: > ACIWorldwide - Telecommuter > H(412-766-2697) C(412-519-2592) > terri.shaf...@aciworldwide.com > > ________________________________ > [https://go.aciworldwide.com/rs/030-ROK-804/images/aci-footer.jpg] < > http://www.aciworldwide.com> This email message and any attachments > may contain confidential, proprietary or non-public information. The > information is intended solely for the designated recipient(s). If an > addressing or transmission error has misdirected this email, please > notify the sender immediately and destroy this email. Any review, > dissemination, use or reliance upon this information by unintended > recipients is prohibited. Any opinions expressed in this email are > those of the author personally. > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, send > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ________________________________ [https://go.aciworldwide.com/rs/030-ROK-804/images/aci-footer.jpg] <http://www.aciworldwide.com> This email message and any attachments may contain confidential, proprietary or non-public information. The information is intended solely for the designated recipient(s). If an addressing or transmission error has misdirected this email, please notify the sender immediately and destroy this email. Any review, dissemination, use or reliance upon this information by unintended recipients is prohibited. Any opinions expressed in this email are those of the author personally. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
