Re: Importing x.509 Certs in to RACF

2023-05-08 Thread Matt Hogstrom
For the my.p12 files I sftp them to USS.

Pre-allocate a VB file and then use USS command cp my.p12 
"//'IBMUSER.MYCERT.P12'"

For ascii I just scp them and tag appropriately.

Matt Hogstrom
m...@hogstrom.org
+1-919-656-0564
PGP Key: 0x90ECB270

“It may be cognitive, but, it ain’t intuitive."
— Hogstrom



> On May 8, 2023, at 7:32 AM, Allan Staller 
> <0387911dea17-dmarc-requ...@listserv.ua.edu> wrote:
> 
> TSO OGET/OPUT work just fine.
> 
>> And how are you copying it from USS to an MVS dataset?
> 


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Importing x.509 Certs in to RACF

2023-05-08 Thread Allan Staller
Classification: Confidential


TSO OGET/OPUT work just fine.

>And how are you copying it from USS to an MVS dataset?

::DISCLAIMER::

The contents of this e-mail and any attachment(s) are confidential and intended 
for the named recipient(s) only. E-mail transmission is not guaranteed to be 
secure or error-free as information could be intercepted, corrupted, lost, 
destroyed, arrive late or incomplete, or may contain viruses in transmission. 
The e mail and its contents (with or without referred errors) shall therefore 
not attach any liability on the originator or HCL or its affiliates. Views or 
opinions, if any, presented in this email are solely those of the author and 
may not necessarily reflect the views or opinions of HCL or its affiliates. Any 
form of reproduction, dissemination, copying, disclosure, modification, 
distribution and / or publication of this message without the prior written 
consent of authorized representative of HCL is strictly prohibited. If you have 
received this email in error please delete it and notify the sender 
immediately. Before opening any email and/or attachments, please check them for 
viruses and other defects.




Re: Importing x.509 Certs in to RACF

2023-05-06 Thread Matt Hogstrom
Wow, quotes.  Prefix is turned off on the profile and I would have expected a 
“Dataset Not Found” error.  Other utilities have not required quotes.   Thanks 
for stating the obvious as it was correct.

Matt Hogstrom
m...@hogstrom.org
+1-919-656-0564
PGP Key: 0x90ECB270

“It may be cognitive, but, it ain’t intuitive."
— Hogstrom



> On May 4, 2023, at 11:51 PM, Peter Vels  wrote:
> 
> You have:
> RACDCERT ADD(IBMUSER.CERT.DIGICERT)   CERTAUTHTRUST
> WITHLABEL('DigiCertCA')
> 
> Try adding apostrophes to the data set name:
> RACDCERT ADD('IBMUSER.CERT.DIGICERT')   CERTAUTHTRUST
> WITHLABEL('DigiCertCA')
> 
> On Fri, 5 May 2023 at 13:07, Matt Hogstrom  > wrote:
> 
>> I had VB 240 but I’ll rein it in and see what we get.



Re: Importing x.509 Certs in to RACF

2023-05-05 Thread Michael Babcock
And how are you copying it from USS to an MVS dataset?

On Fri, May 5, 2023 at 4:34 AM Michael Babcock 
wrote:

> Before trying to add it to RACF use the RACDCERT CHECKCERT command.   Off
> the top of my head, I think it’s RACDCERT CHECKCERT('dataset-name').   I
> always use that before adding a cert to RACF.  And if there is a password
> on the cert add PASSWORD('password') to the command.  Mind the quotes on
> both parms.
>
> On Thu, May 4, 2023 at 10:26 PM Matt Hogstrom  wrote:
>
>> I’m at 240 VB but I’ll try pulling it in …
>>
>> I was hoping to find a roadmap that would help out.   Seems like there
>> are a number of variables in terms of how certs are delivered, how they get
>> uploaded, what encodings are used, etc.  At the end of the day I’d like to
>> get this documented to save the next guy a pile of work.
>>
>>
>> Matt Hogstrom
>> > On May 4, 2023, at 10:52 PM, Peter Vels  wrote:
>> >
>> > It could be that your data set attributes aren't quite right. Try
>> something
>> > like LRECL=84, RECFM=VB.
>> >
>> > On Fri, 5 May 2023 at 11:49, Matt Hogstrom  wrote:
>> >
>> >> I’m attempting to import an x.509 cert for TLS.  The certificate is
>> valid
>> >> and originates on a distributed system.  I have the cert and the
>> private
>> >> key.  I’m trying to import the cert into RACF.  I’ve tried creating a
>> pfx
>> >> file (pkcs12) as well as importing the text based certs individually.
>> Each
>> >> time I try I end up with an error.  The below was my attempt to import
>> the
>> >> DigiCertCA against which my certificate was created.  I admit this is
>> not
>> >> my area of speciality so I suspect I’m doing something stupid.  Here
>> is the
>> >> ADD command.
>> >>
>> >> RACDCERT ADD(IBMUSER.CERT.DIGICERT)   CERTAUTHTRUST
>> >> WITHLABEL('DigiCertCA')
>> >>
>> >> IRRD103I An error was encountered processing the specified input data
>> >> set.
>> >>
>> >> The certificate is in ISO8859-1 on my Mac and I transfer it to USS as
>> >> binary and tag it as ISO8859-1.
>> >>
>> >> Anyone have a workflow for adding a TLS cert ?   The IBM documentation
>> is
>> >> accurate I’m sure  but not helpful.
>> >>
>> >>
>> >> Matt Hogstrom
>> >>
>> >> “It may be cognitive, but, it ain’t intuitive."
>> >> — Hogstrom
>> >>
>> >>
> --
> Michael Babcock
> OneMain Financial
> z/OS Systems Programmer, Lead
>
-- 
Michael Babcock
OneMain Financial
z/OS Systems Programmer, Lead



Re: Importing x.509 Certs in to RACF

2023-05-05 Thread Allan Staller
Classification: Confidential

Try:

https://coztoolkit.com/docs/sftp/ssh_keys_part1_2012-06-12.pdf
and
https://coztoolkit.com/docs/sftp/ssh_keys_part2_2012-06-19.pdf

for some good background.

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Matt Hogstrom
Sent: Thursday, May 4, 2023 10:07 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Importing x.509 Certs in to RACF

[CAUTION: This Email is from outside the Organization. Unless you trust the 
sender, Don't click links or open attachments as it may be a Phishing email, 
which can steal your Information and compromise your Computer.]

I had VB 240 but I'll rein it in and see what we get.

Oddly, I was hoping to find a roadmap that would help out.   Seems like there 
are a number of variables in terms of how certs are delivered, how they get 
uploaded, what encodings are used, etc.  At the end of the day I'd like to get 
this documented to save the next guy a pile of work.

Matt Hogstrom
m...@hogstrom.org
+1-919-656-0564
PGP Key: 0x90ECB270
Facebook <https://facebook.com/matt.hogstrom>  LinkedIn 
<https://linkedin/in/mhogstrom>  Twitter <https://twitter.com/hogstrom>

"It may be cognitive, but, it ain't intuitive."
- Hogstrom



> On May 4, 2023, at 10:52 PM, Peter Vels  wrote:
>
> It could be that your data set attributes aren't quite right. Try
> something like LRECL=84, RECFM=VB.




Re: Importing x.509 Certs in to RACF

2023-05-05 Thread Allan Staller
Classification: Confidential

SSL keys (contained in the cert) are text strings. Text transfer should fix the 
problem.

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Matt Hogstrom
Sent: Thursday, May 4, 2023 8:48 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Importing x.509 Certs in to RACF


I’m attempting to import an x.509 cert for TLS.  The certificate is valid and 
originates on a distributed system.  I have the cert and the private key.  I’m 
trying to import the cert into RACF.  I’ve tried creating a pfx file (pkcs12) 
as well as importing the text based certs individually.  Each time I try I end 
up with an error.  The below was my attempt to import the DigiCertCA against 
which my certificate was created.  I admit this is not my area of speciality so 
I suspect I’m doing something stupid.  Here is the ADD command.

RACDCERT ADD(IBMUSER.CERT.DIGICERT)   CERTAUTHTRUST
WITHLABEL('DigiCertCA')

IRRD103I An error was encountered processing the specified input data set.

The certificate is in ISO8859-1 on my Mac and I transfer it to USS as binary 
and tag it as ISO8859-1.

Anyone have a workflow for adding a TLS cert ?   The IBM documentation is 
accurate I’m sure  but not helpful.


Matt Hogstrom

“It may be cognitive, but, it ain’t intuitive."
— Hogstrom




Re: Importing x.509 Certs in to RACF

2023-05-05 Thread Keith Gooding
Matt.

As far as I know RACF cannot import from a z/os unix file. It has to be VB. I 
think there is an RFE/Idea requesting unix file support.

Also you said that the source file is ISO 8859-1 which suggests to me that it is 
base-64 encoded. If so you will see “-----BEGIN” near the start and a similar 
END. In that case you must transfer in text mode rather than binary. The 
alternative format supported by RACF is DER - that has to be transferred in 
binary. RACF recognises the format - you do not need to tell it if it is DER or 
BASE64.

I also understand that if the package contains a personal certificate and its 
chain of CA certificates RACF will only import the first of the CA 
certificates.

Personally I use the RACF panels for one-off functions  like this - I seem to 
get more useful error messages.

Keith

> On 5 May 2023, at 10:34, Michael Babcock  wrote:
> 
> Before trying to add it to RACF use the RACDCERT CHECKCERT command.   Off
> the top of my head, I think it’s RACDCERT CHECKCERT('dataset-name').   I
> always use that before adding a cert to RACF.  And if there is a password
> on the cert add PASSWORD('password') to the command.  Mind the quotes on
> both parms.
> 
>> On Thu, May 4, 2023 at 10:26 PM Matt Hogstrom  wrote:
>> 
>> I’m at 240 VB but I’ll try pulling it in …
>> 
>> I was hoping to find a roadmap that would help out.   Seems like there are
>> a number of variables in terms of how certs are delivered, how they get
>> uploaded, what encodings are used, etc.  At the end of the day I’d like to
>> get this documented to save the next guy a pile of work.
>> 
>> 
>> Matt Hogstrom
>>>> On May 4, 2023, at 10:52 PM, Peter Vels  wrote:
>>> 
>>> It could be that your data set attributes aren't quite right. Try
>> something
>>> like LRECL=84, RECFM=VB.
>>> 
>>>> On Fri, 5 May 2023 at 11:49, Matt Hogstrom  wrote:
>>> 
>>>> I’m attempting to import an x.509 cert for TLS.  The certificate is
>> valid
>>>> and originates on a distributed system.  I have the cert and the private
>>>> key.  I’m trying to import the cert into RACF.  I’ve tried creating a
>> pfx
>>>> file (pkcs12) as well as importing the text based certs individually.
>> Each
>>>> time I try I end up with an error.  The below was my attempt to import
>> the
>>>> DigiCertCA against which my certificate was created.  I admit this is
>> not
>>>> my area of speciality so I suspect I’m doing something stupid.  Here is
>> the
>>>> ADD command.
>>>>
>>>> RACDCERT ADD(IBMUSER.CERT.DIGICERT)   CERTAUTHTRUST
>>>> WITHLABEL('DigiCertCA')
>>>>
>>>> IRRD103I An error was encountered processing the specified input data
>>>> set.
>>>>
>>>> The certificate is in ISO8859-1 on my Mac and I transfer it to USS as
>>>> binary and tag it as ISO8859-1.
>>>>
>>>> Anyone have a workflow for adding a TLS cert ?   The IBM documentation
>> is
>>>> accurate I’m sure  but not helpful.
>>>>
>>>>
>>>> Matt Hogstrom
>>>>
>>>> “It may be cognitive, but, it ain’t intuitive."
>>>> — Hogstrom
>>>>
>>>>
> -- 
> Michael Babcock
> OneMain Financial
> z/OS Systems Programmer, Lead
> 

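A pre-transfer check built from the advice in this thread, as an added example that is not code from any poster: it classifies a certificate file as PEM text, DER or PKCS#12 to decide between text and binary transfer, and checks PEM line length against the suggested LRECL=84, RECFM=VB data set. The function names, the structure-only DER test and the sample bytes are assumptions constructed for illustration.

```python
import base64
import re

PEM_ASCII = b"-----BEGIN "
PEM_EBCDIC = "-----BEGIN ".encode("cp037")  # these characters match in IBM-1047
LRECL = 84            # RECFM=VB record length suggested in the thread
MAX_DATA = LRECL - 4  # a VB record's LRECL includes the 4-byte descriptor word


def der_header(data):  # -> (content_offset, declared_total_length or None)
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short-form length
        return 2, 2 + first
    if first == 0x80:                     # BER indefinite length
        return 2, None
    n = first & 0x7F                      # long form: n length bytes follow
    if n > 4 or len(data) < 2 + n:
        return None
    return 2 + n, 2 + n + int.from_bytes(data[2:2 + n], "big")


def der_kind(data):
    """Structural guess only: ('x509-der' | 'pkcs12', length_matches) or None."""
    hdr = der_header(data)
    if hdr is None:
        return None
    off, total = hdr
    complete = total is None or total == len(data)
    if data[off:off + 3] == b"\x02\x01\x03":   # PFX begins with INTEGER version 3
        return "pkcs12", complete
    if data[off:off + 1] == b"\x30":            # Certificate begins with a SEQUENCE
        return "x509-der", complete
    return None


def check_pem(text):
    problems = []
    blocks = re.findall(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", text, re.S)
    if not blocks:
        problems.append("BEGIN line without a matching END line")
    for label, body in blocks:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"{label}: body is not valid base64")
            continue
        if label == "CERTIFICATE" and der_kind(der) != ("x509-der", True):
            problems.append(f"{label}: body is not a complete DER certificate")
    longest = max(len(line) for line in text.splitlines())
    if longest > MAX_DATA:
        problems.append(f"longest line {longest} > {MAX_DATA} bytes for LRECL={LRECL} VB")
    return len(blocks), problems


def classify(data):
    """Decide how a certificate file should travel to z/OS."""
    for marker, codec, fmt, transfer in (
        (PEM_ASCII, "latin-1", "pem", "text"),
        (PEM_EBCDIC, "cp037", "pem-ebcdic", "already EBCDIC text"),
    ):
        if marker in data:
            blocks, problems = check_pem(data.decode(codec))
            return {"format": fmt, "transfer": transfer, "blocks": blocks, "problems": problems}
    kind = der_kind(data)
    if kind is None:
        return {"format": "unknown", "transfer": None, "blocks": 0,
                "problems": ["neither PEM text nor a DER SEQUENCE"]}
    fmt, complete = kind
    problems = [] if complete else ["DER length does not match file size"]
    return {"format": fmt, "transfer": "binary", "blocks": 1, "problems": problems}


def to_pem(der, width=64):
    b64 = base64.b64encode(der).decode("ascii")
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *rows,
                      "-----END CERTIFICATE-----", ""]).encode("ascii")


# Constructed samples: correct outer ASN.1 framing only, not real certificates.
SAMPLE_DER = b"\x30\x81\xcb" + b"\x30\x81\xc8" + bytes(200)
SAMPLE_P12 = b"\x30\x0b\x02\x01\x03\x30\x06" + bytes(6)
SAMPLE_PEM = to_pem(SAMPLE_DER)
```

A `blocks` count above 1 flags a bundle that carries a chain, which is the case where only the first CA certificate is said to be imported.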


Re: Importing x.509 Certs in to RACF

2023-05-05 Thread Michael Babcock
Before trying to add it to RACF use the RACDCERT CHECKCERT command.   Off
the top of my head, I think it’s RACDCERT CHECKCERT('dataset-name').   I
always use that before adding a cert to RACF.  And if there is a password
on the cert add PASSWORD('password') to the command.  Mind the quotes on
both parms.

On Thu, May 4, 2023 at 10:26 PM Matt Hogstrom  wrote:

> I’m at 240 VB but I’ll try pulling it in …
>
> I was hoping to find a roadmap that would help out.   Seems like there are
> a number of variables in terms of how certs are delivered, how they get
> uploaded, what encodings are used, etc.  At the end of the day I’d like to
> get this documented to save the next guy a pile of work.
>
>
> Matt Hogstrom
> > On May 4, 2023, at 10:52 PM, Peter Vels  wrote:
> >
> > It could be that your data set attributes aren't quite right. Try
> something
> > like LRECL=84, RECFM=VB.
> >
> > On Fri, 5 May 2023 at 11:49, Matt Hogstrom  wrote:
> >
> >> I’m attempting to import an x.509 cert for TLS.  The certificate is
> valid
> >> and originates on a distributed system.  I have the cert and the private
> >> key.  I’m trying to import the cert into RACF.  I’ve tried creating a
> pfx
> >> file (pkcs12) as well as importing the text based certs individually.
> Each
> >> time I try I end up with an error.  The below was my attempt to import
> the
> >> DigiCertCA against which my certificate was created.  I admit this is
> not
> >> my area of speciality so I suspect I’m doing something stupid.  Here is
> the
> >> ADD command.
> >>
> >> RACDCERT ADD(IBMUSER.CERT.DIGICERT)   CERTAUTHTRUST
> >> WITHLABEL('DigiCertCA')
> >>
> >> IRRD103I An error was encountered processing the specified input data
> >> set.
> >>
> >> The certificate is in ISO8859-1 on my Mac and I transfer it to USS as
> >> binary and tag it as ISO8859-1.
> >>
> >> Anyone have a workflow for adding a TLS cert ?   The IBM documentation
> is
> >> accurate I’m sure  but not helpful.
> >>
> >>
> >> Matt Hogstrom
> >>
> >> “It may be cognitive, but, it ain’t intuitive."
> >> — Hogstrom
> >>
> >>
-- 
Michael Babcock
OneMain Financial
z/OS Systems Programmer, Lead



Re: Importing x.509 Certs in to RACF

2023-05-05 Thread Colin Paice
Matt,
I had a similar problem.   Make sure you do not have the file open anywhere
else .. I think RACF takes an exclusive lock on it

I had a problem with the v3 version of openssl - the format of the binary
file was changed, and I think RACF did not support it.  Try shipping it as
a .pem file.
For example colin.cert..pesm starts with
 -----BEGIN CERTIFICATE-----
 MIIDYzCCAkugAwIBAgIBVDANBgkqhkiG9w0BAQsFADBFMQ0wCwYDVQQKEwRURU1Q


Colin


On Fri, 5 May 2023 at 02:49, Matt Hogstrom  wrote:

> I’m attempting to import an x.509 cert for TLS.  The certificate is valid
> and originates on a distributed system.  I have the cert and the private
> key.  I’m trying to import the cert into RACF.  I’ve tried creating a pfx
> file (pkcs12) as well as importing the text based certs individually.  Each
> time I try I end up with an error.  The below was my attempt to import the
> DigiCertCA against which my certificate was created.  I admit this is not
> my area of speciality so I suspect I’m doing something stupid.  Here is the
> ADD command.
>
> RACDCERT ADD(IBMUSER.CERT.DIGICERT)   CERTAUTHTRUST
> WITHLABEL('DigiCertCA')
>
> IRRD103I An error was encountered processing the specified input data
> set.
>
> The certificate is in ISO8859-1 on my Mac and I transfer it to USS as
> binary and tag it as ISO8859-1.
>
> Anyone have a workflow for adding a TLS cert ?   The IBM documentation is
> accurate I’m sure  but not helpful.
>
>
> Matt Hogstrom
>
> “It may be cognitive, but, it ain’t intuitive."
> — Hogstrom
>
>



Re: Importing x.509 Certs in to RACF

2023-05-04 Thread Peter Vels
You have:
RACDCERT ADD(IBMUSER.CERT.DIGICERT)   CERTAUTHTRUST
WITHLABEL('DigiCertCA')

Try adding apostrophes to the data set name:
RACDCERT ADD('IBMUSER.CERT.DIGICERT')   CERTAUTHTRUST
WITHLABEL('DigiCertCA')

On Fri, 5 May 2023 at 13:07, Matt Hogstrom  wrote:

> I had VB 240 but I’ll rein it in and see what we get.
>
> Oddly, I was hoping to find a roadmap that would help out.   Seems like
> there are a number of variables in terms of how certs are delivered, how
> they get uploaded, what encodings are used, etc.  At the end of the day I’d
> like to get this documented to save the next guy a pile of work.
>
> Matt Hogstrom
> m...@hogstrom.org
> +1-919-656-0564
> PGP Key: 0x90ECB270
>
> “It may be cognitive, but, it ain’t intuitive."
> — Hogstrom
>
>
>
> > On May 4, 2023, at 10:52 PM, Peter Vels  wrote:
> >
> > It could be that your data set attributes aren't quite right. Try
> something
> > like LRECL=84, RECFM=VB.
>
>



Re: Importing x.509 Certs in to RACF

2023-05-04 Thread Matt Hogstrom
I’m at 240 VB but I’ll try pulling it in … 

I was hoping to find a roadmap that would help out.   Seems like there are a 
number of variables in terms of how certs are delivered, how they get uploaded, 
what encodings are used, etc.  At the end of the day I’d like to get this 
documented to save the next guy a pile of work.


Matt Hogstrom
> On May 4, 2023, at 10:52 PM, Peter Vels  wrote:
> 
> It could be that your data set attributes aren't quite right. Try something
> like LRECL=84, RECFM=VB.
> 
> On Fri, 5 May 2023 at 11:49, Matt Hogstrom  wrote:
> 
>> I’m attempting to import an x.509 cert for TLS.  The certificate is valid
>> and originates on a distributed system.  I have the cert and the private
>> key.  I’m trying to import the cert into RACF.  I’ve tried creating a pfx
>> file (pkcs12) as well as importing the text based certs individually.  Each
>> time I try I end up with an error.  The below was my attempt to import the
>> DigiCertCA against which my certificate was created.  I admit this is not
>> my area of speciality so I suspect I’m doing something stupid.  Here is the
>> ADD command.
>> 
>> RACDCERT ADD(IBMUSER.CERT.DIGICERT)   CERTAUTHTRUST
>> WITHLABEL('DigiCertCA')
>> 
>> IRRD103I An error was encountered processing the specified input data
>> set.
>> 
>> The certificate is in ISO8859-1 on my Mac and I transfer it to USS as
>> binary and tag it as ISO8859-1.
>> 
>> Anyone have a workflow for adding a TLS cert ?   The IBM documentation is
>> accurate I’m sure  but not helpful.
>> 
>> 
>> Matt Hogstrom
>> 
>> “It may be cognitive, but, it ain’t intuitive."
>> — Hogstrom
>> 
>> 




Re: Importing x.509 Certs in to RACF

2023-05-04 Thread Matt Hogstrom
I had VB 240 but I’ll rein it in and see what we get. 

Oddly, I was hoping to find a roadmap that would help out.   Seems like there 
are a number of variables in terms of how certs are delivered, how they get 
uploaded, what encodings are used, etc.  At the end of the day I’d like to get 
this documented to save the next guy a pile of work.

Matt Hogstrom
m...@hogstrom.org
+1-919-656-0564
PGP Key: 0x90ECB270

“It may be cognitive, but, it ain’t intuitive."
— Hogstrom



> On May 4, 2023, at 10:52 PM, Peter Vels  wrote:
> 
> It could be that your data set attributes aren't quite right. Try something
> like LRECL=84, RECFM=VB.




Re: Importing x.509 Certs in to RACF

2023-05-04 Thread Peter Vels
It could be that your data set attributes aren't quite right. Try something
like LRECL=84, RECFM=VB.

On Fri, 5 May 2023 at 11:49, Matt Hogstrom  wrote:

> I’m attempting to import an x.509 cert for TLS.  The certificate is valid
> and originates on a distributed system.  I have the cert and the private
> key.  I’m trying to import the cert into RACF.  I’ve tried creating a pfx
> file (pkcs12) as well as importing the text based certs individually.  Each
> time I try I end up with an error.  The below was my attempt to import the
> DigiCertCA against which my certificate was created.  I admit this is not
> my area of speciality so I suspect I’m doing something stupid.  Here is the
> ADD command.
>
> RACDCERT ADD(IBMUSER.CERT.DIGICERT)   CERTAUTHTRUST
> WITHLABEL('DigiCertCA')
>
> IRRD103I An error was encountered processing the specified input data
> set.
>
> The certificate is in ISO8859-1 on my Mac and I transfer it to USS as
> binary and tag it as ISO8859-1.
>
> Anyone have a workflow for adding a TLS cert ?   The IBM documentation is
> accurate I’m sure  but not helpful.
>
>
> Matt Hogstrom
>
> “It may be cognitive, but, it ain’t intuitive."
> — Hogstrom
>
>



Importing x.509 Certs in to RACF

2023-05-04 Thread Matt Hogstrom
I’m attempting to import an x.509 cert for TLS.  The certificate is valid and 
originates on a distributed system.  I have the cert and the private key.  I’m 
trying to import the cert into RACF.  I’ve tried creating a pfx file (pkcs12) 
as well as importing the text based certs individually.  Each time I try I end 
up with an error.  The below was my attempt to import the DigiCertCA against 
which my certificate was created.  I admit this is not my area of speciality so 
I suspect I’m doing something stupid.  Here is the ADD command.

RACDCERT ADD(IBMUSER.CERT.DIGICERT)   CERTAUTHTRUST
WITHLABEL('DigiCertCA')

IRRD103I An error was encountered processing the specified input data set.  
   

The certificate is in ISO8859-1 on my Mac and I transfer it to USS as binary 
and tag it as ISO8859-1.

Anyone have a workflow for adding a TLS cert ?   The IBM documentation is 
accurate I’m sure  but not helpful.  


Matt Hogstrom

“It may be cognitive, but, it ain’t intuitive."
— Hogstrom

