On 8/29/23 6:39 PM, Tom Brennan wrote:
It's those last couple of steps that I assume would need to be done
manually on an HMC via GUI.
I have no idea if IBM offers a supported solution or not.
I would wager that there are some unsupported solutions that IBM would
wag a finger at you for doing. But who's going to do that on a piece of
equipment supporting a mainframe?
The three things that come to mind in the order of most benign to most
radical are:
- Script interactions across the HTTP(S) ports pretending to be a user
walking through the motions with the necessary GET / POST / etc. method
calls.
- Enable -- what I assume is unsupported -- SSH access to an HMC and
remotely run commands to manage certificates.
- Really throw caution to the wind and install an ACME client on the
HMC and get it some sort of Internet connectivity (likely via proxy).
The first is probably the only thing that IBM would say doesn't
invalidate support / warranty.
Or maybe IBM has addressed this and provides an API or similar?
I hope so. But I'm not holding my breath.
I never asked, possibly because every HMC I've ever touched, whether
mainframe or peripheral, came up with a self-signed key warning.
Ya.... Pardon while I go over into a corner and cry.
But in their defense, most are only accessible in the datacenter or
behind a difficult-to-access jump box.
I've had the broken TLS cert cause problems, particularly when Java gets
involved.
I've found that making the client system as happy with the cert as
possible usually yields the best / most long-term results.
--
Grant. . . .
unix || die