Wanted to update everyone that responded on the resolution.

So after installing the 2 new CAs and new client certificates in RACF.

I normally use Firefox or Edge as my browsers and neither worked, but I had never 
used Chrome.

I tried Chrome and poof, got a secured HTTPS connection. That led me down the 
mismatched path / not found paths.

I looked at Edge and found an old copy of the original certificate zosmfca was 
still there in a few places. I deleted all of them and poof, my new 
certificates were used and HTTPS started working.

In Firefox I didn't find any old certificates; what I found was that it didn't 
automatically import my 2 CA certificates. So I had to import them manually and 
then it started to work correctly.

Thanks for everyone's ideas and help.


Ms Terri E Shaffer
Senior Systems Engineer,
z/OS Support:
ACIWorldwide – Telecommuter
H(412-766-2697) C(412-519-2592)
terri.shaf...@aciworldwide.com
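A worked reproduction of the certification-path failure quoted further down in this thread (CWPKI0022E, "unable to find valid certification path to requested target"), added here as an example; it is not code from the thread, from IBM or from z/OSMF. It assumes only a POSIX shell and the openssl command line. The CA names, the host name zosmf.example.test and the small OpenSSL config file are constructed for the demo. It builds a root CA, an issuing (intermediate) CA and a server certificate, then verifies the server certificate twice: once with only the root trusted (the state a browser or Liberty trust store is in when the intermediate was never imported, or when a stale copy of an old CA is still in place) and once with the full chain available.

```sh
#!/bin/sh
# Added example, not code from the thread. Reproduces the "unable to find
# valid certification path" symptom with OpenSSL: a leaf certificate issued
# by an intermediate CA validates only when the verifier has that intermediate
# (from its trust store or from the chain the server presents).
# All CA names, the host name and the config file below are constructed.

# Minimal OpenSSL config shared by all three certificates (constructed).
write_cfg() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:zosmf.example.test
EOF
}

# Build root -> intermediate -> leaf in directory $1. Returns non-zero on error.
make_chain() {
  dir=$1
  cfg="$dir/demo.cnf"
  write_cfg "$cfg"
  # 1. Self-signed root CA: the thing that belongs in the trust store.
  openssl req -x509 -config "$cfg" -extensions ca_ext -newkey rsa:2048 -nodes \
    -sha256 -days 2 -subj "/CN=Constructed Corp Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1 || return 1
  # 2. Intermediate (issuing) CA, signed by the root.
  openssl req -new -config "$cfg" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Constructed Corp Issuing CA" \
    -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -sha256 -days 2 -in "$dir/int.csr" \
    -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -extfile "$cfg" -extensions ca_ext -out "$dir/int.pem" >/dev/null 2>&1 || return 1
  # 3. Server (leaf) certificate, signed by the intermediate only.
  openssl req -new -config "$cfg" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=zosmf.example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -sha256 -days 2 -in "$dir/leaf.csr" \
    -CA "$dir/int.pem" -CAkey "$dir/int.key" -CAcreateserial \
    -extfile "$cfg" -extensions leaf_ext -out "$dir/leaf.pem" >/dev/null 2>&1 || return 1
}

# Print subject/issuer of each certificate so the link that is missing from a
# trust store is visible (the same view `openssl s_client -showcerts` gives
# for a live server).
show_chain() {
  for f in leaf int root; do
    openssl x509 -in "$1/$f.pem" -noout -subject -issuer
  done
}

# Verify the leaf. $2 is "root_only" (trust store holds just the root) or
# "with_intermediate" (intermediate supplied as an untrusted chain cert).
# Exit status is openssl's: 0 when a path to a trusted signer was built.
verify_leaf() {
  dir=$1
  mode=$2
  if [ "$mode" = "with_intermediate" ]; then
    openssl verify -CAfile "$dir/root.pem" -untrusted "$dir/int.pem" "$dir/leaf.pem"
  else
    openssl verify -CAfile "$dir/root.pem" "$dir/leaf.pem"
  fi
}

demo() {
  dir=$(mktemp -d)
  make_chain "$dir" || { echo "certificate generation failed"; return 1; }
  show_chain "$dir"
  echo "--- trust store = root only, no intermediate presented:"
  verify_leaf "$dir" root_only || echo "=> no path from leaf to a trusted signer (PKIX path building failed)"
  echo "--- trust store = root, intermediate available:"
  verify_leaf "$dir" with_intermediate
  rm -rf "$dir"
}

demo
```

The first verify fails with "unable to get local issuer certificate", which is the OpenSSL wording of the same condition Liberty reported as CWPKI0022E: the signer of the presented certificate is not reachable from anything in the trust store. Against a real z/OSMF host the equivalent defender-side checks are `openssl s_client -connect host:443 -showcerts -CAfile root.pem` to see which chain the server actually sends, and `openssl s_client -connect host:443 -tls1_2` to confirm a TLS 1.2 handshake is accepted once a protocol restriction like the one discussed in this thread is in place.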

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Carmen Vitullo
Sent: Friday, August 13, 2021 9:09 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: z/OSMF Certificates



I am working with our security folks also; they are requiring TLS 1.2-only 
connections. There's a local override file you can add to force all connections 
to TLS 1.2, but be careful: if you use the JES2EDS (email delivery system) you 
also need to force TLS 1.2 via an SSH daemon or by adding the TLS 1.2 parm in 
CEEPRMxx.

For z/OS 2.3 and beyond:

/global/zosmf/configuration - add

local_override.cfg

IZU_SSL_PROTOCOL=TLS1.2

If you need to force TLS 1.2 via LE, add

ENVAR=("GSK_PROTOCOL_TLSV1_2=ON")

I've tested with only the z/OSMF local override file and this caused JES2EDS 
connections to fail.

There may be some other options; this is the only option that seemed to satisfy 
my security folks and still allow everything to work / connect.

Carmen



On 8/13/2021 7:59 AM, Shaffer, Terri wrote:
> So I am no expert when it comes to certificates, so maybe someone can shed 
> some light for me.
>
> By default z/OSMF is configured with a CA, or ZOSMFCA label. That doesn't 
> work, or maybe doesn't seem to work, for me. I can generate a client certificate 
> from it and download it to my PC but it will never establish an SSL TLS 1.2 
> connection. I also don't have admin rights, so even if I could it would only be 
> for me, at least I think.
>
> So my corporate network team gave me a root and intermediate CA and then 
> generated a client certificate for me.
>
> I imported them to RACF as trusted and built my z/OSMF key ring off those, 
> which seemed to work...
>
> However now I am getting
>
> [ERROR   ] CWPKI0022E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN 
> CN=xxx.xxx.xxx.xxx my IP
> The signer might need to be added to local trust store 
> safkeyringhybrid://IZUSVR/IZUKeyring.IZUDFLT, located in SSL configuration 
> alias izuSSLConfig.
> The extended error message from the SSL handshake exception is: PKIX path 
> building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to 
> find valid certification path to requested target.
>
> Which I guess makes sense because my network team gave me all the certs. But 
> is there a way to resolve this so all users get a TLS 1.2 HTTPS connection?
>
> Ms Terri E Shaffer
> Senior Systems Engineer,
> z/OS Support:
> ACIWorldwide - Telecommuter
> H(412-766-2697) C(412-519-2592)
> terri.shaf...@aciworldwide.com
>
> ________________________________
>   [https://go.aciworldwide.com/rs/030-ROK-804/images/aci-footer.jpg]
> <http://www.aciworldwide.com> This email message and any attachments may 
> contain confidential, proprietary or non-public information. The information 
> is intended solely for the designated recipient(s). If an addressing or 
> transmission error has misdirected this email, please notify the sender 
> immediately and destroy this email. Any review, dissemination, use or 
> reliance upon this information by unintended recipients is prohibited. Any 
> opinions expressed in this email are those of the author personally.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions, send
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
--
/I am not bound to win, but I am bound to be true. I am not bound to succeed, 
but I am bound to live by the light that I have. I must stand with anybody that 
stands right, and stand with him while he is right, and part with him when he 
goes wrong. *Abraham Lincoln*/
