The problem was resolved by ensuring that ICSF comes up before TN3270. Once TN3270 comes up, it never checks ICSF services again unless you recycle it.
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Jacobs - Listserv
Sent: Thursday, October 27, 2016 11:40 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Xposted from TCP/IP list SSL Problems, please help

WAG, Does TCP/IP have read access to the private key in the PKDS? CSFKEYS resource.

Mark Jacobs

> Ward, Mike S <mailto:mw...@ssfcu.org>
> October 27, 2016 at 12:33 PM
>
> Hello list, I have a small problem that I was hoping I could get some help with.
>
> System is z/OS V1.13 running on a Z13s W01, soon to be V2.2, but not yet and not soon enough.
>
> We are using system SSL/TLS, not AT/TLS, for FTP and TN3270. We have Crypto Express 5 cards with a CEX5C coprocessor.
>
> I wanted to take advantage of the crypto cards, so I imported the RSA certificate we were using using the PCICC(*) option. This is supposed to take the private key and place it in the PKDS, which is supposed to perform better than using software SSL encryption.
>
> To my dismay TN3270 will no longer support a SSL/TLS connection; however, Secure FTP has no problem. I ensured that nothing was changed in the keyring and that the correct SITE certificate shows up there. I also made sure that TN3270 and FTP are pointing to the same keyring.
>
> The RACF display of the keyring shows this:
>
> Digital ring information for user TCPIP:
>
> Ring:
> >SharedRing<
> Certificate Label Name            Cert Owner    USAGE     DEFAULT
> --------------------------------  ------------  --------  -------
> XXXXX Cert 2048 Authority         CERTAUTH      CERTAUTH  NO
> TCPIPSharedSite                   SITE          PERSONAL  YES
>
> The above is correct.
>
> The access from FTP is shown below; IP addresses and userids changed to protect the innocent.
>
> Oct 26 14:21:30 JESH01 ftpd[33555196]: EZYFS50I ID=FTPD100119 CONN starts Client IPaddr=999.99.1.27 hostname=UNKNOWN
> Oct 26 14:21:30 JESH01 ftps[33555196]: EZYFS54I ID=FTPD100119 SECURE OK Mechanism=TLS-P
> Oct 26 14:21:30 JESH01 ftps[33555196]: EZYFS56I ID=FTPD100119 ACCESS OK USERID=XXXXXX
> Oct 26 14:21:31 JESH01 ftps[33555195]: EZYFS67I ID=FTPD100119 ALLOC OK Use HFS filename=/u/log/2016/10/24/ftp.log
>
> We ran an SSL trace and this is what we get:
>
> Job,TN3270 Process 00000016 Thread 0000001C crypto_rsa_private_decrypt Stored,private key support is not available ,
> SSF1, MESSAGE 00000004 14:43:03.790222 SSL_ERROR , Job,TN3270 Process 00000016 Thread 0000001C read_v3_client_key_exchang Unable,to decrypt pre-master secret: Error 0x0335301a
>
> The trace looks good until we get the Error 0x0335301a.
>
> 0335301A No private key.
> Explanation: A private key request cannot be processed because the database entry does not contain a private key. This error can occur if the private key is stored in the Integrated Cryptographic Service Facility (ICSF) but the CSF started task is not running.
> User response: Verify that the CSF started task is running if the private key is stored in ICSF. Otherwise, repeat the failing request using a database entry containing a private key.
>
> I'm at a loss. ICSF is up and running, and the crypto cards are supposed to have the PCICC coprocessors.
>
> Secure TN3270 does not work, but secure FTP does.
>
> I'm at a loss; any ideas welcome.
>
> Thanks

--
Mark Jacobs
Time Customer Service
Global Technology Services

The standard you walk past is the standard you accept.
Lt. Gen. David Morrison
---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
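The thread's conclusion is that a System SSL server only looks for ICSF when it starts, so error 0x0335301A has two different causes depending on start order: a server that came up before ICSF needs a recycle, while one that came up after ICSF really cannot use the key (the PKDS label or the job's access to it, as the CSFKEYS question above suggests). The following Python is an added example, not code from the thread or from any IBM product. It parses trace records in the comma-separated shape quoted above (constructed samples), reads started-task start times from a constructed log in a hypothetical "HH:MM:SS jobname STARTED" format, and sorts the affected jobs into the two buckets. The ICSF job name CSF, the job FTPD1, the trace sequence numbers and all timestamps are assumptions.

```python
import re
from datetime import datetime

# Constructed System SSL trace records in the comma-separated shape quoted in
# the thread. Only the "Job,<name>" field and the "Error 0x........" code are used.
SSL_TRACE = """\
SSF1, MESSAGE 00000003 14:43:03.790100 SSL_ERROR , Job,TN3270 Process 00000016 Thread 0000001C crypto_rsa_private_decrypt Stored,private key support is not available ,
SSF1, MESSAGE 00000004 14:43:03.790222 SSL_ERROR , Job,TN3270 Process 00000016 Thread 0000001C read_v3_client_key_exchang Unable,to decrypt pre-master secret: Error 0x0335301a
SSF1, MESSAGE 00000011 14:51:40.005000 SSL_ERROR , Job,FTPD1 Process 00000021 Thread 00000003 read_v3_client_key_exchang Unable,to decrypt pre-master secret: Error 0x0335301a
"""

# Constructed started-task start log in a hypothetical "HH:MM:SS jobname STARTED"
# format (a real system would take this from the syslog). TN3270 came up before
# CSF (ICSF) here, FTPD1 after it.
START_LOG = """\
06:58:12 TN3270 STARTED
07:02:40 CSF STARTED
07:05:01 FTPD1 STARTED
"""

NO_PRIVATE_KEY = 0x0335301A   # System SSL "No private key", the code from the thread
ICSF_JOB = "CSF"              # ICSF started-task name assumed for the constructed log

TRACE_RE = re.compile(r"Job,(?P<job>\S+)\b.*?Error 0x(?P<code>[0-9A-Fa-f]{8})")
START_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<job>\S+)\s+STARTED$")


def ssl_errors(trace_text):
    """(jobname, error_code) for every trace record that carries an error code."""
    found = []
    for line in trace_text.splitlines():
        m = TRACE_RE.search(line)
        if m:
            found.append((m.group("job"), int(m.group("code"), 16)))
    return found


def start_times(log_text):
    """jobname -> time the started task came up, from the constructed start log."""
    times = {}
    for line in log_text.splitlines():
        m = START_RE.match(line.strip())
        if m:
            times[m.group("job")] = datetime.strptime(m.group("time"), "%H:%M:%S")
    return times


def triage_no_private_key(trace_text, log_text, icsf_job=ICSF_JOB):
    """Split jobs reporting 0x0335301A into those that came up before ICSF
    (System SSL probed ICSF once at startup, so a recycle is the fix) and
    those that came up after it (the key really is unusable: check the PKDS
    label and the job's access to it)."""
    starts = start_times(log_text)
    if icsf_job not in starts:
        raise ValueError(f"{icsf_job} never started in this log")
    icsf_up = starts[icsf_job]
    result = {"recycle": set(), "other": set()}
    for job, code in ssl_errors(trace_text):
        if code != NO_PRIVATE_KEY:
            continue
        if job in starts and starts[job] < icsf_up:
            result["recycle"].add(job)
        else:
            result["other"].add(job)
    return {k: sorted(v) for k, v in result.items()}


if __name__ == "__main__":
    report = triage_no_private_key(SSL_TRACE, START_LOG)
    for job in report["recycle"]:
        print(f"{job}: started before {ICSF_JOB}; recycle it so System SSL re-detects ICSF")
    for job in report["other"]:
        print(f"{job}: started after {ICSF_JOB}; check the PKDS label and the job's CSFKEYS access")
```

The first trace record (the "private key support is not available" line) carries no error code and is skipped; only records ending in "Error 0x..." are classified. Feeding it real start times instead of the constructed log turns it into a quick check to run after any IPL where ICSF is not guaranteed to come up first.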