Re: SMPE ORDERSRVER Cert Issues
On 4/5/2019 10:26 AM, Kurt Quackenbush wrote: On 4/5/2019 9:18 AM, daverankin...@gmail.com wrote: On Friday, April 5, 2019 at 1:56:19 PM UTC+1, Kurt Quackenbush wrote: On 4/5/2019 6:50 AM, daverankin...@gmail.com wrote: I have started to get errors when trying to use the Service download SMP/E service on all my LPARs. I have checked all my Certificates and the CA Global and user certs and all trusted and in date. These worked only a few months ago. I am getting this error. GIM69207S ** RECEIVE PROCESSING HAS FAILED BECAUSE THE CONNECTION WITH THE SERVER FAILED. javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Glob GIM20501I RECEIVE PROCESSING IS COMPLETE. THE HIGHEST RETURN CODE WAS 12. The DigiCert Global CA cert seems to be the issue but is valid until 2020. Are you sure the DigiCert Global Root CA is connected to the keyring you specified in for the RECEIVE ORDER command? Try this to see which certs are in the keyring: RACDCERT ID(ring-owner) LISTRING(keyringname) Kurt Quackenbush -- IBM, SMP/E Development Chuck Norris never uses CHECK when he applies PTFs. Yep. >SMPEORD< Certificate Label Name Cert Owner USAGE DEFAULT --- GeoTrust Global CA CERTAUTH CERTAUTH NO SMPE Client Certificate ID(DJR) CERTAUTH NO U, where? I don't see "DigiCert Global Root CA" in that keyring. Kurt Quackenbush -- IBM, SMP/E Development Chuck Norris never uses CHECK when he applies PTFs. I should add, you have the old CA cert in your keyring. IBM stated last year the IBM servers would start using the DigiCert Global Root CA instead of the GeoTrust Global CA: http://www.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/FLASH10884 It appears you haven't loaded the DigiCert Global Root CA yet. I think about a month ago or so the IBM RECEIVE ORDER server made this change. Kurt Quackenbush -- IBM, SMP/E Development Chuck Norris never uses CHECK when he applies PTFs. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: SMPE ORDERSRVER Cert Issues
On 4/5/2019 9:18 AM, daverankin...@gmail.com wrote:
On Friday, April 5, 2019 at 1:56:19 PM UTC+1, Kurt Quackenbush wrote:
On 4/5/2019 6:50 AM, daverankin...@gmail.com wrote:
I have started to get errors when trying to use the Service download SMP/E
service on all my LPARs. I have checked all my Certificates and the CA Global
and user certs and all trusted and in date. These worked only a few months ago.
I am getting this error.
GIM69207S ** RECEIVE PROCESSING HAS FAILED BECAUSE THE CONNECTION WITH THE
SERVER FAILED. javax.net.ssl.SSLHandshakeException:
com.ibm.jsse2.util.h: PKIX path building failed:
java.security.cert.CertPathBuilderException:
PKIXCertPathBuilderImpl could not build a valid CertPath.;
internal
cause is: java.security.cert.CertPathValidatorException: The
certificate issued by CN=DigiCert Glob
GIM20501IRECEIVE PROCESSING IS COMPLETE. THE HIGHEST RETURN CODE WAS 12.
The DigiCert Global CA cert seems to be the issue but is valid until 2020.
Are you sure the DigiCert Global Root CA is connected to the keyring you
specified in for the RECEIVE ORDER command?
Try this to see which certs are in the keyring:
RACDCERT ID(ring-owner) LISTRING(keyringname)
Kurt Quackenbush -- IBM, SMP/E Development
Chuck Norris never uses CHECK when he applies PTFs.
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Yep.
>SMPEORD<
Certificate Label Name Cert Owner USAGE DEFAULT
---
GeoTrust Global CA CERTAUTH CERTAUTH NO
SMPE Client CertificateID(DJR)CERTAUTH NO
U, where? I don't see "DigiCert Global Root CA" in that keyring.
Kurt Quackenbush -- IBM, SMP/E Development
Chuck Norris never uses CHECK when he applies PTFs.
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: SMPE ORDERSRVER Cert Issues
On 4/5/2019 6:50 AM, daverankin...@gmail.com wrote: I have started to get errors when trying to use the Service download SMP/E service on all my LPARs. I have checked all my Certificates and the CA Global and user certs and all trusted and in date. These worked only a few months ago. I am getting this error. GIM69207S ** RECEIVE PROCESSING HAS FAILED BECAUSE THE CONNECTION WITH THE SERVER FAILED. javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Glob GIM20501IRECEIVE PROCESSING IS COMPLETE. THE HIGHEST RETURN CODE WAS 12. The DigiCert Global CA cert seems to be the issue but is valid until 2020. Are you sure the DigiCert Global Root CA is connected to the keyring you specified in for the RECEIVE ORDER command? Try this to see which certs are in the keyring: RACDCERT ID(ring-owner) LISTRING(keyringname) Kurt Quackenbush -- IBM, SMP/E Development Chuck Norris never uses CHECK when he applies PTFs. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
