Display the certificate in the browser for example with chrome use chrome://settings/certificates with firefox use view certificates in settings
On Fri, 13 Aug 2021 at 14:13, Shaffer, Terri < 0000017d5f778222-dmarc-requ...@listserv.ua.edu> wrote: > I thought that also, but I am using the DNS name in my web browser. > > But they also my certificate with alias's. > > Subject Alt Names > DNS Name MFZ900ACWA.AM.TSACORP.COM > DNS Name MFZ900ACWA > IP Address 10.5.23.232 > > Ms Terri E Shaffer > Senior Systems Engineer, > z/OS Support: > ACIWorldwide – Telecommuter > H(412-766-2697) C(412-519-2592) > terri.shaf...@aciworldwide.com > > -----Original Message----- > From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf > Of Joe Monk > Sent: Friday, August 13, 2021 9:04 AM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: z/OSMF Certificates > > External Email > > > This is being caused because you are trying to access something by IP, but > the certificate was issued to your DNS name. > > Try using the DNS name, and the problem will go away. > > Joe > > On Fri, Aug 13, 2021 at 7:59 AM Shaffer, Terri < > 0000017d5f778222-dmarc-requ...@listserv.ua.edu> wrote: > > > So I am no expert when it comes to certificates, So maybe someone can > > shed some light for me. > > > > By default z/OSMF is configured with a CA or ZOSMFCA label. That > > doesn't work or maybe seem to work for me. I can generate a client > > certificate from it and download to me PC but will never establish an > > SSL TLS 1.2 connection. I also done have admin rights, so even if I > > could it would only be for me, at least I think. > > > > So my corporate network team, gave me a root and immediate CA and then > > generated a client certificate for me. > > > > I imported them to RACF as trusted and built my z/OSMF key ring off > > those, which seemed to work... > > > > However now I am getting > > > > [ERROR ] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN > > CN=xxx.xxx.xxx.xxx my IP > > The signer might need to be added to local trust store > > safkeyringhybrid://IZUSVR/IZUKeyring.IZUDFLT, located in SSL > > configuration alias izuSSLConfig. > > The extended error message from the SSL handshake exception is: PKIX > > path building failed: > > com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid > certification path to requested target. > > > > Which I guess makes sense because my network team gave me all the Certs. > > But is there a way to resolve this so all users get a TLS 1.2 htps > > connection? > > > > Ms Terri E Shaffer > > Senior Systems Engineer, > > z/OS Support: > > ACIWorldwide - Telecommuter > > H(412-766-2697) C(412-519-2592) > > terri.shaf...@aciworldwide.com > > > > ________________________________ > > [https://go.aciworldwide.com/rs/030-ROK-804/images/aci-footer.jpg] < > > http://www.aciworldwide.com> This email message and any attachments > > may contain confidential, proprietary or non-public information. The > > information is intended solely for the designated recipient(s). If an > > addressing or transmission error has misdirected this email, please > > notify the sender immediately and destroy this email. Any review, > > dissemination, use or reliance upon this information by unintended > > recipients is prohibited. Any opinions expressed in this email are > > those of the author personally. > > > > ---------------------------------------------------------------------- > > For IBM-MAIN subscribe / signoff / archive access instructions, send > > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, send email > to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > ________________________________ > [https://go.aciworldwide.com/rs/030-ROK-804/images/aci-footer.jpg] < > http://www.aciworldwide.com> > This email message and any attachments may contain confidential, > proprietary or non-public information. The information is intended solely > for the designated recipient(s). If an addressing or transmission error has > misdirected this email, please notify the sender immediately and destroy > this email. Any review, dissemination, use or reliance upon this > information by unintended recipients is prohibited. Any opinions expressed > in this email are those of the author personally. > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN