I have used SSLSERV to transparently protect HTTP, FTP and POP servers. The
applications in each of those servers know nothing about the protection that
surrounds them. All were using the same certificate as the TN3270 service. I
think I could have generated separate certificate requests and certificates
for each service if my bosses had wanted to pay for them. In the TCPIP
PROFILE, I just added the 'SECURE certname' to each port definition in the
same manner as adding to INTCLIENT for TN3270 support. A query from an
OpenSSL command on a Linux/x86 system to each of the protected ports returns
the same certificate.
 
/Tom Kern
/U.S. Department of Energy
/301-903-2211


On Thu, 13 Sep 2007 14:57:52 -0500, Alan Ackerman
<[EMAIL PROTECTED]> wrote:

>Is there any way to share server certificates between SSLSERV and other
>applications on the same VM system? (In my case the other application is
>Illustro z/Web Server for VM.) Do I have to order a separate certificate
>for each? (Costs $$$.)
>
>Essentially, a certificate just certifies a particular domain, so why
>should I need two of them?
>
>I could use the SSLSERV to provide SSL services to the z/Web server, but
>since the SSLSERV encryption is transparent to the application, there does
>not appear to be any way for an application (CGI) running on the web
>server to obtain information on the client certificate, or even to know
>whether the interaction is encrypted (HTTPS) instead of not (HTTP). Does
>SSLSERV even support client certificates? Does it support HTTPS instead of
>HTTP?
>
>Given this, I think I have to keep using the SSL support in z/Web server.
>
>If I understand this correctly, to get certificate(s) for SSLSERV, I have
>to do this:
>
>1. Create 'label X509INFO' file.
>2. Create the certificate request: 
>
>   ssladmin request label keysize fm
>
>3. Send the certificate request to the CA.
>4. Receive server certificate and CA certificates from CA.
>5. Receive the certificate into CMS file(s) with a file type of X509CERT.
>6. Store any separate CA certificates in the certificates in the
>   certificate database:
>
>   ssladmin store fn ca label
>
>7. Store the server certificate:
>
>   ssladmin store fn server
>
>I believe the 'request' command stores a 'request' item in the database,
>and then the 'store fn server' command associates the server certificate
>item with the request item.
>
>It's this 'association' that is the problem. Is there any way to install
>a 'request' item from somewhere else into the SSLSERV database?
>
>z/Web server has an identical process, except that it uses a web page
>instead of commands. (The underlying commands do exist, though.)
>
>Alan Ackerman
>Alan (dot) Ackerman (at) Bank of America (dot) com
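
The check mentioned in the reply above (querying each protected port with OpenSSL and comparing the certificate returned) can be scripted as follows. This is an added example, not part of the original thread: the host and port arguments are whatever your own PROFILE defines, and it assumes each port starts TLS immediately on connect.

```shell
#!/bin/sh
# Added example: confirm that several TLS-protected ports on one host
# present the same server certificate.
# Usage (host and ports are your own values): sh samecert.sh HOST PORT PORT...

# Print the SHA-256 fingerprint of the certificate served at host:port.
# Prints nothing if the handshake fails or no certificate is returned.
cert_fingerprint() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null |
        cut -d= -f2
}

# Read "port fingerprint" lines on stdin. Succeed only if every port
# returned a fingerprint and all fingerprints are identical.
same_certificate() {
    awk '
        NF < 2        { missing = 1; next }       # port gave no certificate
        !($2 in seen) { seen[$2] = 1; distinct++ }
        END           { exit !(distinct == 1 && !missing) }
    '
}

# Query every port, print the report, and return the comparison result.
check_ports() {
    host=$1; shift
    report=$(for port in "$@"; do
        printf '%s %s\n' "$port" "$(cert_fingerprint "$host" "$port")"
    done)
    printf '%s\n' "$report"
    printf '%s\n' "$report" | same_certificate
}

# Only touch the network when a host and at least one port are given.
if [ "$#" -ge 2 ]; then
    if check_ports "$@"; then
        echo "all ports serve the same certificate"
    else
        echo "certificates differ, or a port returned none"
        exit 1
    fi
fi
```

A port that fails the handshake is reported with an empty fingerprint and makes the check fail, so a listener that was left without 'SECURE certname' shows up as a failure rather than being skipped.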
