CICS is the client, ZCEE is the server.  I got a new CICS SITE certificate
that includes clientAuth and serverAuth.   I’ve gotten further but run into
another issue.  I’ve opened a case with IBM.  Thanks for the assistance.

On Mon, Feb 28, 2022 at 5:21 PM Charles Mills <charl...@mcn.org> wrote:

> Trying to follow this.
>
> Who connects to whom? (I'm not knowledgeable about ZCEE.) Is ZCEE the
> client (initiator of the connection) and CICS the server? If so, then CICS
> needs a *server* certificate and the lack of clientAuth is not the problem
> -- not with that certificate anyway.
>
> If CICS is configured for client certificate authentication -- that's
> always a *server* option, not a configuration option at the client end --
> then ZCEE has to present a certificate that proves its identity, and CICS
> would need access to a local trusted chain that signs that certificate.
> THAT certificate would need or potentially need clientAuth. And presumably
> CICS would check that identity against some list of permitted clients.
>
> > IF the app recognizes the extension AND the flag
> > is FALSE, is it REQUIRED to honor restrictions
>
> Well, for your purposes, it doesn't really matter what it is required to
> do, does it? Certainly it is at least permitted to do so -- otherwise what
> the heck would be the purpose or function of the extension? And at least
> apparently from your description, that is what it is doing. (And FWIW, I
> *think* yes, it is required to honor an extension that it understands, even
> if not critical.)
>
> Although I *suspect* perhaps there is some sort of confusion here over
> what certificate is in error, and in what way.
>
> As I tried to say earlier, the function of "critical" is to say "if you do
> NOT understand this extension then you are required to reject the
> certificate."
>
> Charles
>
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of Michael Babcock
> Sent: Monday, February 28, 2022 11:32 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Certificates ,extKeyUsage and Criticality flag
>
> I know which cert has the problem.  It's the CICS SITE certificate which
> has serverAuth only in the extKeyUsage extension.
>
> What I'm trying to understand is IF the criticality flag is false AND
> the app recognizes the extension is it REQUIRED to honor the
> restrictions of said extension (if indeed there are restrictions).
>
>  From what I've read, IF the app DOES NOT recognize the extension and IF
> the flag is TRUE, then the app MUST reject the cert.  Further, IF the
> app DOES NOT recognize the extension AND the flag is FALSE, then the app
> can IGNORE the extension.  However, I cannot determine (or comprehend
> what I'm reading) that IF the app recognizes the extension AND the flag
> is FALSE, is it REQUIRED to honor restrictions (or is it simply up to
> the app to make a decision - honor or not).
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
-- 
Michael Babcock
OneMain Financial
z/OS Systems Programmer, Lead
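The extension rule the thread is circling is spelled out in RFC 5280: section 4.2 says a relying party must reject a certificate carrying a critical extension it does not recognize and may ignore a non-critical one it does not recognize, while section 4.2.1.12 says that when extKeyUsage is present the certificate "MUST only be used for one of the purposes indicated", critical or not. The following is an added illustration, not code from this thread, from IBM, or from CICS or ZCEE: it models that rule over a hand-built extension list with constructed DER values for the extKeyUsage contents. The OIDs for extKeyUsage, serverAuth, clientAuth and anyExtendedKeyUsage are the standard ones; the private-arc OID used for the "unknown" extension is a placeholder.

```python
# Added example (not code from the thread or from IBM): a minimal model of the
# RFC 5280 section 4.2 extension rule plus an extKeyUsage (EKU) check, run over
# constructed DER extension values instead of a real certificate.
from dataclasses import dataclass
from typing import List, Tuple

OID_EXT_KEY_USAGE = "2.5.29.37"          # id-ce-extKeyUsage
OID_ANY_EKU = "2.5.29.37.0"              # anyExtendedKeyUsage
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"    # id-kp-serverAuth
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"    # id-kp-clientAuth


@dataclass
class Extension:
    oid: str        # dotted extnID
    critical: bool  # the criticality flag under discussion
    value: bytes    # DER contents of extnValue


def _read_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes


def decode_oid(body: bytes) -> str:
    """Turn the contents of an OBJECT IDENTIFIER into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]   # first byte packs arcs 1 and 2
    acc = 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)      # base-128, high bit = continuation
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_eku(value: bytes) -> List[str]:
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId (an OID)."""
    if value[0] != 0x30:
        raise ValueError("extKeyUsage value is not a SEQUENCE")
    length, pos = _read_length(value, 1)
    end = pos + length
    purposes = []
    while pos < end:
        if value[pos] != 0x06:
            raise ValueError("KeyPurposeId is not an OBJECT IDENTIFIER")
        oid_len, pos = _read_length(value, pos + 1)
        purposes.append(decode_oid(value[pos:pos + oid_len]))
        pos += oid_len
    return purposes


RECOGNIZED = {OID_EXT_KEY_USAGE}  # the extensions this validator understands


def check_extensions(exts: List[Extension], required_purpose: str) -> Tuple[bool, str]:
    """Reject unknown critical extensions, ignore unknown non-critical ones,
    and enforce every recognized extension whether or not it is critical."""
    for ext in exts:
        if ext.oid not in RECOGNIZED:
            if ext.critical:
                return False, f"unrecognized critical extension {ext.oid}"
            continue                       # unknown and non-critical: skip it
        # Recognized: the critical flag no longer matters, the content does.
        purposes = parse_eku(ext.value)
        if required_purpose in purposes or OID_ANY_EKU in purposes:
            continue
        return False, (f"extKeyUsage {purposes} lacks {required_purpose} "
                       f"(critical={ext.critical})")
    return True, "ok"


# Constructed DER values (not taken from any real certificate).
SERVER_AUTH_DER = bytes.fromhex("06082b06010505070301")
CLIENT_AUTH_DER = bytes.fromhex("06082b06010505070302")
EKU_SERVER_ONLY = b"\x30\x0a" + SERVER_AUTH_DER
EKU_SERVER_AND_CLIENT = b"\x30\x14" + SERVER_AUTH_DER + CLIENT_AUTH_DER

OLD_SITE_CERT = [Extension(OID_EXT_KEY_USAGE, False, EKU_SERVER_ONLY)]
NEW_SITE_CERT = [Extension(OID_EXT_KEY_USAGE, False, EKU_SERVER_AND_CLIENT)]
# Placeholder private-arc OID standing in for an extension this code does not know.
UNKNOWN_CRITICAL = [Extension("1.3.6.1.4.1.99999.1", True, b"\x05\x00")]
UNKNOWN_HARMLESS = [Extension("1.3.6.1.4.1.99999.1", False, b"\x05\x00")]

if __name__ == "__main__":
    # A client-side certificate needs clientAuth; serverAuth alone fails even
    # though the extension is non-critical, which is the thread's situation.
    print(check_extensions(OLD_SITE_CERT, OID_CLIENT_AUTH))
    print(check_extensions(NEW_SITE_CERT, OID_CLIENT_AUTH))
    print(check_extensions(UNKNOWN_CRITICAL, OID_CLIENT_AUTH))
    print(check_extensions(UNKNOWN_HARMLESS, OID_CLIENT_AUTH))
```

The two branches in `check_extensions` are the whole point: the critical bit only decides what happens to an extension the validator does *not* understand, and a recognized extKeyUsage is enforced from its contents alone, so a serverAuth-only certificate is refused for client authentication regardless of how the flag is set.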
