SAN is Subject Alternate Name in a digital certificate.

In that case, I would try a different port such as 2443 or any other port
not in use.

On Wed, Mar 27, 2024 at 4:46 PM Pommier, Rex <rpomm...@sfgmembers.com>
wrote:

> Hi Michael,
>
> I'm not following you on this one.  SANs?  In my vocabulary SAN is storage
> and we don't run a SAN for our mainframe disk.  Direct attach, 2 LPARs on
> the same physical CEC, 1 DS8910F storage direct attached, and shared chpids
> for both the disk and OSA.
>
> I did find this - which I didn't see yesterday that is probably my problem
> but I can't see what I need to change to fix it:
>
> CWWKO0221E: TCP Channel defaultHttpEndpoint-ssl initialization did not
> succeed.
>    The socket bind did not succeed for host * and port 443.  The port
> might already be in use.
>    Exception Message: EDC5111I Permission denied. (errno2=0x744C7246)
>
> I do a netstat on port 443 and get this:
>
> D TCPIP,TCPIP,NETSTAT,ALLCON,PORT=443
> EZZ2500I NETSTAT CS V2R4 TCPIP 496
> USER ID  CONN     LOCAL SOCKET           FOREIGN SOCKET         STATE
> 0 OF 0 RECORDS DISPLAYED
> END OF THE REPORT
>
> Over on the production LPAR I see that IZUSVR1 is bound to port 443.
>
> Within the z/OSMF active config file I see this on the non-working one:
> IZU_APPSERVER_HOSTNAME=TSTJES2.MNLIFE.COM
> IZU_JWKS_HOSTNAME=TSTJES2.MNLIFE.COM
> IZU_HTTP_SSL_PORT=443
> IZU_HTTP_PORT=-1
>
> TCPIP.DATA has my HOSTNAME TSTJES2 and both TSTJES2 and TSTJES2.MNLIFE.COM
> correctly resolve to the test LPAR IP address.
>
> Over on the working one I do the same netstat and see the bind:
>
> D TCPIP,TCPIP,NETSTAT,ALLCON,PORT=443
> EZZ2500I NETSTAT CS V2R4 TCPIP 600
> USER ID  CONN     LOCAL SOCKET           FOREIGN SOCKET         STATE
> IZUSVR1  0004A344 172.16.128.14..443     10.53.240.151..34554   ESTBLSH
> IZUSVR1  000492CB 0.0.0.0..443           0.0.0.0..0             LISTEN
> 2 OF 2 RECORDS DISPLAYED
> END OF THE REPORT
>
> In active config:
> IZU_APPSERVER_HOSTNAME=MVSJES2.MNLIFE.COM
> IZU_JWKS_HOSTNAME=MVSJES2.MNLIFE.COM
> IZU_HTTP_SSL_PORT=443
> IZU_HTTP_PORT=-1
>
> TCPIP.DATA on working one has HOSTNAME MVSJES2 and everything resolves
> correctly.
>
> Thoughts/ideas?
>
> I'm chasing a couple other links people sent me.
>
> Rex
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf
> Of Michael Babcock
> Sent: Tuesday, March 26, 2024 9:23 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: [EXTERNAL] Re: security fun with z/OSMF install - can't get there
>
> Also, if you cloned prod and changed the IP address and/or domain name, I
> would check the certs.  Do the certs match the SANs?
>
> On Tue, Mar 26, 2024 at 9:16 PM Michael Babcock <bigironp...@gmail.com>
> wrote:
>
> > Does this help?
> >
> >
> > https://urldefense.com/v3/__https://kinsta.com/knowledgebase/pr-end-of-file-error/*what-causes-the-pr_end_of_file_error__;Iw!!KjMRP1Ixj6eLE0Fj!oaOvtuzKsu_CrFeLcgyUKF_gNSfdjsYOIW2qhL0UuZh7RZ70fpwMbhZmzveK6QkZRvMnI2nXVMundFuGm1tmuiOd81fQsKoWqjD1$
> >
> >
> > On Tue, Mar 26, 2024 at 6:28 PM Pommier, Rex <rpomm...@sfgmembers.com>
> > wrote:
> >
> >> Hi List,
> >>
> >> We are attempting our first foray into getting z/OSMF up and running.
> >> Scenario is we're backleveled maintenance-wise on our 2.4 system.  We
> >> ran the security configuration setup etc and got z/OSMF up and
> >> running on the production LPAR we are planning on running it from.
> >> However when we started to load z/OS 3.1 we ran into a problem with
> >> missing PTFs.  Got one set of PTFs installed and after adding a
> >> local_override.cfg file into the configuration directory we got
> >> z/OSMF up and running again and past that hurdle.  We hit the next
> >> one requiring a dozen more PTFs to bypass it.  We decided to move the
> >> install to our sandbox just to get z/OSMF working to the point we can
> >> use it to get our 3.1 software install back on track.  I ran
> >> disk-level flashcopy copies of my entire production LPAR to the
> >> sandbox, made the required changes (IP addresses etc) to get the
> >> sandbox up and running.  Started z/OSMF and it comes up with no
> >> errors or warnings (except the one telling me I'm using the local
> >> override file).  However, when I try to get to the web server I get a
> >> "secure connection failure" with "PR_END_OF_FILE_ERROR" trying to
> >> connect with Firefox and "172.16.128.108 unexpectedly closed the
> >> connection" using Chrome.  Security (RACF) is identical to what it is
> >> on the production LPAR.  z/OSMF config is identical as well.  Does
> >> anybody have any idea what I'm missing?
> >>
> >> TIA,
> >>
> >> Rex
> >>
> >> ---------------------------------------------------------------------
> >> - The information contained in this message is confidential,
> >> protected from disclosure and may be legally privileged. If the
> >> reader of this message is not the intended recipient or an employee
> >> or agent responsible for delivering this message to the intended
> >> recipient, you are hereby notified that any disclosure, distribution,
> >> copying, or any action taken or action omitted in reliance on it, is
> >> strictly prohibited and may be unlawful. If you have received this
> >> communication in error, please notify us immediately by replying to
> >> this message and destroy the material in its entirety, whether in
> >> electronic or hard copy format. Thank you.
> >>
> >>
> >> ---------------------------------------------------------------------
> >> - For IBM-MAIN subscribe / signoff / archive access instructions,
> >> send email to lists...@listserv.ua.edu with the message: INFO
> >> IBM-MAIN
> >>
> >
>
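
The SAN check suggested earlier in the thread, as an added example that is not part of any poster's message: it takes a certificate in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns and reports which of the names clients use are missing from its Subject Alternative Name entries. The certificate contents are constructed (a certificate issued for production and carried over by the clone is assumed); the host names and addresses are the ones quoted in the thread.

```python
import ipaddress

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# Assumption: the certificate was issued for the production LPAR and came
# across unchanged when the system was cloned to the sandbox.
CLONED_CERT = {
    "subject": ((("commonName", "MVSJES2.MNLIFE.COM"),),),
    "subjectAltName": (
        ("DNS", "MVSJES2.MNLIFE.COM"),
        ("IP Address", "172.16.128.14"),
    ),
}


def _dns_match(pattern, host):
    """RFC 6125 style match: '*' may stand only for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a top-level domain (e.g. "*.com").
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def san_covers(cert, name):
    """True if `name` (DNS name or IP literal) appears in the certificate's SANs."""
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None  # not an IP literal, so compare against DNS entries only
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address":
            if ipaddress.ip_address(value) == ip:
                return True
        elif ip is None and kind == "DNS" and _dns_match(value, name):
            return True
    return False


def uncovered(cert, names):
    """Names clients will connect with that the certificate does not list."""
    return [n for n in names if not san_covers(cert, n)]


if __name__ == "__main__":
    print(uncovered(CLONED_CERT, ["TSTJES2.MNLIFE.COM", "172.16.128.108"]))
```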
