Re: New CMS based SSLSERV problem... DTCSSL300E

2009-04-24 Thread Bob Levad
If anyone is interested, we were able to get Host on Demand TN3270 working
to the CMS SSL server with some help from HOD Support.  Contact off-list for
details.

Bob

-Original Message-
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On
Behalf Of Alan Ackerman
Sent: Friday, March 20, 2009 4:48 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: New CMS based SSLSERV problem... DTCSSL300E

On Wed, 18 Mar 2009 10:53:08 -0400, Alan Altmark alan_altm...@us.ibm.com
wrote:

On Wednesday, 03/18/2009 at 09:49 EDT, Mrohs, Ray 
ray.mr...@usdoj.gov
wrote:
 This is slightly off-topic but if anyone has the 5.4 SSLSERV running 
 with the Rumba or WRQ Reflection 3270 emulator, please contact me 
 offline. Thanks.

Neither Rumba nor Reflection work correctly.  We are working with 
Attachmate to fix Reflection.  Rumba has not responded to our attempts 
to contact them.  IBM Host on Demand doesn't work, either, at the moment.

The common problem we are seeing is that the clients are bringing down 
the session when the server requests a client certificate they don't
possess.
The RFC specifies that the client should send an empty certificate 
list and that it is up to the server, not the client, to decide whether 
the lack of a client certificate is grounds for a divorce.

Work with your client vendor.  If they want someone in IBM to talk to, 
send them to me.

Alan Altmark
z/VM Development
IBM Endicott
=====

We have a problem with QWS3270. In 5.2.0/5.3.0 everything works fine with
static SSL. In 5.4.0, QWS3270 prompts me for a certificate password. I
provide one and everything works, but it sure slows me down. If I hit cancel
instead I get disconnected with an unable to connect error.

There is no way to turn off this behavior in QWS3270 -- is there any way to
turn it off in the server?

It doesn't make sense to me that you say "Work with your client vendor"
when the problem happens only in one release of z/VM and not in z/OS.

Do you have any indication that there is a similar problem in z/OS? If so,
which version and/or APAR? We might actually get something fixed if there is
a z/OS problem.

Attachmate Extra! works just fine, and so does IBM Pcomm.

Alan Ackerman
Alan (dot) Ackerman (at) Bank of America (dot) com   



Re: New CMS based SSLSERV problem... DTCSSL300E

2009-03-22 Thread Alan Altmark
On Friday, 03/20/2009 at 05:48 EDT, Alan Ackerman 
alan.acker...@earthlink.net wrote:

 We have a problem with QWS3270. In 5.2.0/5.3.0 everything works fine 
with
 static SSL. In 5.4.0, QWS3270 prompts me for a certificate password. I
 provide one and everything works, but it sure slows me down. If I hit
 cancel instead I get disconnected with an unable to connect error.
 
 There is no way to turn off this behavior in QWS3270 -- is there any way
 to turn it off in the server?

We are putting our heads together with our z/OS brethren to work out 
exactly what is going on.  The more we study the problem, the more 
confused the team becomes.

I think we're seeing different error behavior on static and dynamic 
sessions, making the problem more elusive.  (It's complicated by folks 
trying to use dynamic SSL with a static-only client.)

With any luck the problem will be in VM and we can fix all the client 
problems at once.  I would truly hate to have an endemic problem.

Alan Altmark
z/VM Development
IBM Endicott


Re: New CMS based SSLSERV problem... DTCSSL300E

2009-03-20 Thread Mark Cibula
Hi Dennis,

What you want to do (augment an existing tag value) can't be done using just
DTCPARMS-defined tags and values, because (for a given :type.server and
:type.class pairing) any tag present in the 'server' entry overrides any
same-named tag that exists in the corresponding 'class' entry -- the values
for the two tags are not combined.

When I first saw your question, I had also intended to suggest use of the
TCPRUNXT exit, but with it, you can't really do exactly what you've described...

You can supply additional (or, replacement) tag/value overrides via the exit
(with some limitations, based on the exit call type -- SETUP or BEGIN), but
there is no information provided with the current interface that allows
inspection of the set of tags and values 'known' by TCPRUN at the point of
either call type.  So, you can't modify or augment a tag value based on its
current value.  This is a design point that limits some usefulness of the
exit, at least with respect to what you want to do.  If you see the need for
this capability, a formal request would be the avenue to pursue it.

Though, having now given this some thought, there is likely a way to use the
TCPRUNXT server exit (with a few updates) that would allow what you're
interested in doing.  I'll contact you off-line, after I've had a chance to
see if my ideas for doing this pan out...

Regards, Mark Cibula (z/VM TCP/IP Support)


Re: New CMS based SSLSERV problem... DTCSSL300E

2009-03-20 Thread O'Brien, Dennis L
Mark, 
Thanks, but I think we're getting to a point where the solution is more
trouble than the original problem.  I'll just set a standard MAXSESSIONS
value that's big enough for our largest system.  That will be bigger
than what our test systems need, but at least we will be testing the
same value that we use in production.  The alternative would be to
maintain the list of exempt cipher suites in the node-specific file.
While changing it on every system would be a pain, I don't expect it to
change often.

   Dennis O'Brien

39,516
-Original Message-
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On
Behalf Of Mark Cibula
Sent: Friday, March 20, 2009 06:53
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: [IBMVM] New CMS based SSLSERV problem... DTCSSL300E

Hi Dennis,

What you want to do (augment an existing tag value) can't be done using just
DTCPARMS-defined tags and values, because (for a given :type.server and
:type.class pairing) any tag present in the 'server' entry overrides any
same-named tag that exists in the corresponding 'class' entry -- the values
for the two tags are not combined.

When I first saw your question, I had also intended to suggest use of the
TCPRUNXT exit, but with it, you can't really do exactly what you've described...

You can supply additional (or, replacement) tag/value overrides via the exit
(with some limitations, based on the exit call type -- SETUP or BEGIN), but
there is no information provided with the current interface that allows
inspection of the set of tags and values 'known' by TCPRUN at the point of
either call type.  So, you can't modify or augment a tag value based on its
current value.  This is a design point that limits some usefulness of the
exit, at least with respect to what you want to do.  If you see the need for
this capability, a formal request would be the avenue to pursue it.

Though, having now given this some thought, there is likely a way to use the
TCPRUNXT server exit (with a few updates) that would allow what you're
interested in doing.  I'll contact you off-line, after I've had a chance to
see if my ideas for doing this pan out...

Regards, Mark Cibula (z/VM TCP/IP Support)


Re: New CMS based SSLSERV problem... DTCSSL300E

2009-03-20 Thread Alan Ackerman
On Wed, 18 Mar 2009 10:53:08 -0400, Alan Altmark alan_altm...@us.ibm.com
wrote:

On Wednesday, 03/18/2009 at 09:49 EDT, Mrohs, Ray ray.mr...@usdoj.gov
wrote:
 This is slightly off-topic but if anyone has the 5.4 SSLSERV running
 with the Rumba or WRQ Reflection 3270 emulator, please contact me
 offline. Thanks.

Neither Rumba nor Reflection work correctly.  We are working with
Attachmate to fix Reflection.  Rumba has not responded to our attempts to
contact them.  IBM Host on Demand doesn't work, either, at the moment.

The common problem we are seeing is that the clients are bringing down the
session when the server requests a client certificate they don't possess.
The RFC specifies that the client should send an empty certificate list
and that it is up to the server, not the client, to decide whether the
lack of a client certificate is grounds for a divorce.

Work with your client vendor.  If they want someone in IBM to talk to,
send them to me.

Alan Altmark
z/VM Development
IBM Endicott

=


We have a problem with QWS3270. In 5.2.0/5.3.0 everything works fine with
static SSL. In 5.4.0, QWS3270 prompts me for a certificate password. I
provide one and everything works, but it sure slows me down. If I hit
cancel instead I get disconnected with an unable to connect error.

There is no way to turn off this behavior in QWS3270 -- is there any way
to turn it off in the server?

It doesn't make sense to me that you say "Work with your client vendor"
when the problem happens only in one release of z/VM and not in z/OS.

Do you have any indication that there is a similar problem in z/OS? If so,
which version and/or APAR? We might actually get something fixed if there
is a z/OS problem.

Attachmate Extra! works just fine, and so does IBM Pcomm.

Alan Ackerman

Alan (dot) Ackerman (at) Bank of America (dot) com   


Re: New CMS based SSLSERV problem... DTCSSL300E

2009-03-19 Thread Mrohs, Ray
Thanks Alan. Unfortunately our site is standardized on the Rumba client,
and the centrally managed upgrades happen once a blue moon. It looks
like it might be a while before we can utilize the new SSLSERV, even
under the best circumstances. 
Is there a list of clients that have been tested and work?

Ray Mrohs



-Original Message-
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On
Behalf Of Alan Altmark
Sent: Wednesday, March 18, 2009 10:53 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: New CMS based SSLSERV problem... DTCSSL300E

On Wednesday, 03/18/2009 at 09:49 EDT, Mrohs, Ray
ray.mr...@usdoj.gov 
wrote:
 This is slightly off-topic but if anyone has the 5.4 SSLSERV running
 with the Rumba or WRQ Reflection 3270 emulator, please contact me
 offline. Thanks.

Neither Rumba nor Reflection work correctly.  We are working with 
Attachmate to fix Reflection.  Rumba has not responded to our attempts
to 
contact them.  IBM Host on Demand doesn't work, either, at the moment.

The common problem we are seeing is that the clients are bringing down
the 
session when the server requests a client certificate they don't
possess.
The RFC specifies that the client should send an empty certificate
list 
and that it is up to the server, not the client, to decide whether the 
lack of a client certificate is grounds for a divorce.

Work with your client vendor.  If they want someone in IBM to talk to, 
send them to me.

Alan Altmark
z/VM Development
IBM Endicott


Re: New CMS based SSLSERV problem... DTCSSL300E

2009-03-19 Thread Malcolm Beattie
Mrohs, Ray writes:
 Thanks Alan. Unfortunately our site is standardized on the Rumba client,
 and the centrally managed upgrades happen once a blue moon. It looks
 like it might be a while before we can utilize the new SSLSERV, even
 under the best circumstances. 
 Is there a list of clients that have been tested and work?

x3270 works fine for me, both the old way (going straight to
SSL with x3270 L:hostname:992) and the new way (using
x3270 hostname to the default port 23 and letting it use TLS to
auto-negotiate SSL).

--Malcolm

-- 
Malcolm Beattie
System z SWG/STG, Europe
IBM UK


Re: New CMS based SSLSERV problem... DTCSSL300E

2009-03-19 Thread Alan Altmark
On Thursday, 03/19/2009 at 08:39 EDT, Mrohs, Ray ray.mr...@usdoj.gov 
wrote:
 Thanks Alan. Unfortunately our site is standardized on the Rumba client,
 and the centrally managed upgrades happen once a blue moon. It looks
 like it might be a while before we can utilize the new SSLSERV, even
 under the best circumstances.
 Is there a list of clients that have been tested and work?

- IBM Personal Communications 5.9 works
- Seagull's BlueZone works
- x3270 works
- wc3270 (Windows version of x3270) works
- Zephyr Passport works
- IBM Host on Demand fails
- Micro Focus Rumba fails
- Attachmate Reflection fails

In all cases our tests were with the levels current over the past year or 
so.  We're building a more detailed list that will include the specific 
levels for both tn3270 and ftp.  Note that some of the above do not 
support negotiated SSL.

Those that fail will also fail with z/OS since it's the same SSL/TLS 
implementation.

Alan Altmark
z/VM Development
IBM Endicott


Re: New CMS based SSLSERV problem... DTCSSL300E

2009-03-19 Thread Adam Thornton


On Mar 19, 2009, at 8:57 AM, Alan Altmark wrote:

On Thursday, 03/19/2009 at 08:39 EDT, Mrohs, Ray ray.mr...@usdoj.gov 


wrote:
Thanks Alan. Unfortunately our site is standardized on the Rumba  
client,

and the centrally managed upgrades happen once a blue moon. It looks
like it might be a while before we can utilize the new SSLSERV, even
under the best circumstances.
Is there a list of clients that have been tested and work?


- IBM Personal Communications 5.9 works
- Seagull's BlueZone works
- x3270 works
- wc3270 (Windows version of x3270) works
- Zephyr Passport works
- IBM Host on Demand fails
- Micro Focus Rumba fails
- Attachmate Reflection fails


Has anyone tried tn3270X ?  I'll be giving it a shot once I have the  
5.4 SSL support working, but other stuff is likely to conspire to slow  
that down.


Adam

Re: New CMS based SSLSERV problem... DTCSSL300E

2009-03-19 Thread Marcy Cortes
I haven't personally done it, but others in our organization are using
Attachmate Extreme Rel 9.0
 


Marcy 



-Original Message-
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On
Behalf Of Alan Altmark
Sent: Thursday, March 19, 2009 6:58 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: [IBMVM] New CMS based SSLSERV problem... DTCSSL300E

On Thursday, 03/19/2009 at 08:39 EDT, Mrohs, Ray ray.mr...@usdoj.gov
wrote:
 Thanks Alan. Unfortunately our site is standardized on the Rumba 
 client, and the centrally managed upgrades happen once a blue moon. It

 looks like it might be a while before we can utilize the new SSLSERV, 
 even under the best circumstances.
 Is there a list of clients that have been tested and work?

- IBM Personal Communications 5.9 works
- Seagull's BlueZone works
- x3270 works
- wc3270 (Windows version of x3270) works
- Zephyr Passport works
- IBM Host on Demand fails
- Micro Focus Rumba fails
- Attachmate Reflection fails

In all cases our tests were with the levels current over the past year
or so.  We're building a more detailed list that will include the
specific levels for both tn3270 and ftp.  Note that some of the above do
not support negotiated SSL.

Those that fail will also fail with z/OS since it's the same SSL/TLS
implementation.

Alan Altmark
z/VM Development
IBM Endicott


Re: New CMS based SSLSERV problem... DTCSSL300E

2009-03-19 Thread Mark Bodenstein
We have successfully tested Hummingbird HostExplorer with the old z/VM SSL, 
the new z/VM SSL, and z/OS SSL.


Mark Bodenstein  (m...@cornell.edu)
Cornell University

At 09:57 AM 3/19/2009, you wrote:

On Thursday, 03/19/2009 at 08:39 EDT, Mrohs, Ray ray.mr...@usdoj.gov
wrote:
 Thanks Alan. Unfortunately our site is standardized on the Rumba client,
 and the centrally managed upgrades happen once a blue moon. It looks
 like it might be a while before we can utilize the new SSLSERV, even
 under the best circumstances.
 Is there a list of clients that have been tested and work?

- IBM Personal Communications 5.9 works
- Seagull's BlueZone works
- x3270 works
- wc3270 (Windows version of x3270) works
- Zephyr Passport works
- IBM Host on Demand fails
- Micro Focus Rumba fails
- Attachmate Reflection fails

In all cases our tests were with the levels current over the past year or
so.  We're building a more detailed list that will include the specific
levels for both tn3270 and ftp.  Note that some of the above do not
support negotiated SSL.

Those that fail will also fail with z/OS since it's the same SSL/TLS
implementation.

Alan Altmark
z/VM Development
IBM Endicott


Re: New CMS based SSLSERV problem... DTCSSL300E

2009-03-19 Thread Tyler Koyl
I have tested the following with Telnet TLS and z/VM on 5.4.

c3270 - Curses based x3270. Basically shell 3270.
tn3270 - Version 3.2.2 with the additional SSL / SSH license.

Seems to work good. I am a little concerned about the SSLSERVE overhead but no
way to really tell at this point as z/vm 5.4 is still a second level guest on a
Test LPAR. Not much driving SSL at this point. Hopefully 4 people telneted in
and maybe periodic times for web PERFSVM (Also using SSL [Static])  won't do too
much damage. We will see. :)

Tyler




Re: New CMS based SSLSERV problem... DTCSSL300E

2009-03-19 Thread O'Brien, Dennis L
Mark C, 
Thanks.  I implemented your suggestion, and it works fine.  Am I correct
that whatever file I end up putting the :parms. tag in, I need to put
all the parameters of :parms. there?  We have about 20 systems to
support.  Ideally, I'd like to specify the EXEMPT parameter in SYSTEM
DTCPARMS, which would be common to all nodes, and specify MAXSESSIONS in
a node-specific file.  Is there a way to do this?

   Dennis O'Brien

39,516
-Original Message-
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On
Behalf Of Mark Cibula
Sent: Monday, March 16, 2009 15:11
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: [IBMVM] New CMS based SSLSERV problem... DTCSSL300E

Dennis (and Mark W) --

Apologies for the somewhat duplicate posting - ran into a browser timeout
whilst putting my posting together..   I would like to suggest how one can
implement DTCPARMS server customizations (building on Dennis' post) to
better isolate them, and to lessen the impact of changes to the IBM DTCPARMS
file itself.

* Use this 'override' entry in the SYSTEM DTCPARMS file:
* (Because the 'parms' value is overridden, the :parm. tag/value from IBM
* DTCPARMS needs to first be duplicated and then modified within this
* (SYSTEM DTCPARMS) file so as not to lose the Keyfile information.

:nick.SSLSERV:type.server   :class.ssl
:Admin_ID_list.TCPMAINT GSKADMIN SYSPROG1 SYSPROG2
:parms.KEYFile /etc/gskadm/Database.kdb
 MAXSESSIONS 30
 EXEMPT LOW

With the above ':type.server' entry in place, a ':nick.ssl :type.class'
entry should no longer be necessary within SYSTEM DTCPARMS.  The 'class'
entry in the IBM DTCPARMS will provide the remainder of the needed
tags/values.

Granted, with the significant change to the ssl 'class' with 540, having
done something similar to the above for a 530 SSL 'server' entry, one might
still have encountered some problems, since the old/new tags had little in
common...

The type of change I suggest above is meant simply to illustrate how to keep
customizations separate from the (IBM) supplied defaults. (And, we do
encourage this same type of thing on our own test systems so fewer servers
go 'bump' as things are changed).

-- Regards, Mark Cibula


Re: New CMS based SSLSERV problem... DTCSSL300E

2009-03-19 Thread Alan Altmark
On Thursday, 03/19/2009 at 04:23 EDT, O'Brien, Dennis L 
dennis.l.o'br...@bankofamerica.com wrote:
 Mark C,
 Thanks.  I implemented your suggestion, and it works fine.  Am I correct
 that whatever file I end up putting the :parms. tag in, I need to put
 all the parameters of :parms. there?  We have about 20 systems to
 support.  Ideally, I'd like to specify the EXEMPT parameter in SYSTEM
 DTCPARMS, which would be common to all nodes, and specify MAXSESSIONS in
 a node-specific file.  Is there a way to do this?

Remember that you can use the server exit facility (:Exit tag or TCPRUNXT 
EXEC) to generate tags at runtime.  See Ch. 5.  Look at TCPRUNXT SAMPEXEC 
on the 591 disk.

You could use an exit that returns the correct :parms. whenever it starts 
a server of class ssl.

Alan Altmark
z/VM Development
IBM Endicott


Re: New CMS based SSLSERV problem... DTCSSL300E

2009-03-19 Thread Raymond Noal
Don't bother with the TCPRUNXT SAMPEXEC on the 591 disk - it's probably 
compiled REXX anyway!! :-) (sorry Chuckie, I couldn't pass up the opportunity) 

HITACHI
 DATA SYSTEMS 
Raymond E. Noal 
Senior Technical Engineer 
Office: (408) 970 - 7978 


-Original Message-
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf 
Of Alan Altmark
Sent: Thursday, March 19, 2009 2:25 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: New CMS based SSLSERV problem... DTCSSL300E

On Thursday, 03/19/2009 at 04:23 EDT, O'Brien, Dennis L 
dennis.l.o'br...@bankofamerica.com wrote:
 Mark C,
 Thanks.  I implemented your suggestion, and it works fine.  Am I correct
 that whatever file I end up putting the :parms. tag in, I need to put
 all the parameters of :parms. there?  We have about 20 systems to
 support.  Ideally, I'd like to specify the EXEMPT parameter in SYSTEM
 DTCPARMS, which would be common to all nodes, and specify MAXSESSIONS in
 a node-specific file.  Is there a way to do this?

Remember that you can use the server exit facility (:Exit tag or TCPRUNXT 
EXEC) to generate tags at runtime.  See Ch. 5.  Look at TCPRUNXT SAMPEXEC 
on the 591 disk.

You could use an exit that returns the correct :parms. whenever it starts 
a server of class ssl.

Alan Altmark
z/VM Development
IBM Endicott


Re: New CMS based SSLSERV problem... DTCSSL300E

2009-03-18 Thread Mrohs, Ray
This is slightly off-topic but if anyone has the 5.4 SSLSERV running
with the Rumba or WRQ Reflection 3270 emulator, please contact me
offline. Thanks.

Ray Mrohs
U.S. Department of Justice
202-307-6896  

-Original Message-
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On
Behalf Of Wiggins, Mark
Sent: Tuesday, March 17, 2009 9:04 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: New CMS based SSLSERV problem... DTCSSL300E

Thank you to both Dennis and Mark. I had the mount commands in my
DTCPARMS, they just weren't syntactically correct. Everything appears to
be fine now...

Mark Wiggins


Re: New CMS based SSLSERV problem... DTCSSL300E

2009-03-18 Thread Alan Altmark
On Wednesday, 03/18/2009 at 09:49 EDT, Mrohs, Ray ray.mr...@usdoj.gov 
wrote:
 This is slightly off-topic but if anyone has the 5.4 SSLSERV running
 with the Rumba or WRQ Reflection 3270 emulator, please contact me
 offline. Thanks.

Neither Rumba nor Reflection work correctly.  We are working with 
Attachmate to fix Reflection.  Rumba has not responded to our attempts to 
contact them.  IBM Host on Demand doesn't work, either, at the moment.

The common problem we are seeing is that the clients are bringing down the 
session when the server requests a client certificate they don't possess.
The RFC specifies that the client should send an empty certificate list 
and that it is up to the server, not the client, to decide whether the 
lack of a client certificate is grounds for a divorce.

Work with your client vendor.  If they want someone in IBM to talk to, 
send them to me.

Alan Altmark
z/VM Development
IBM Endicott
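The handshake step Alan describes above, as an added example that is not part of the thread: a Python encoder/decoder for the TLS 1.2 Certificate handshake message (RFC 5246), showing the empty certificate_list a client without a certificate is supposed to send in reply to CertificateRequest, and the server-side decision that follows. The policy names and the placeholder DER blob are constructed for this example.

```python
# Added example (not from the thread): encode and decode the TLS 1.2 Certificate
# handshake message (RFC 5246 section 7.4.6). A client with nothing to present
# answers CertificateRequest with an EMPTY certificate_list; whether that ends
# the session is the server's policy decision, not the client's.

HANDSHAKE_CERTIFICATE = 11   # HandshakeType.certificate


def _vec(data, len_bytes):
    """TLS variable-length vector: big-endian length prefix followed by body."""
    return len(data).to_bytes(len_bytes, "big") + data


def _handshake(msg_type, body):
    """Handshake header: 1-byte type + uint24 length, then the body."""
    return bytes([msg_type]) + _vec(body, 3)


def encode_certificate(certs):
    """Build a Certificate message from a list of DER certificates.
    An empty list yields the 7-byte message 0b 00 00 03 00 00 00, which is
    the reply the RFC specifies when the client has no certificate to offer."""
    cert_list = b"".join(_vec(c, 3) for c in certs)   # one ASN.1Cert<1..2^24-1> each
    return _handshake(HANDSHAKE_CERTIFICATE, _vec(cert_list, 3))


def decode_certificate(msg):
    """Parse a Certificate message and return the DER blobs it carries.
    Raises ValueError on a wrong type or a length field that overruns the data."""
    if not msg or msg[0] != HANDSHAKE_CERTIFICATE:
        raise ValueError("not a Certificate handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    list_len = int.from_bytes(body[0:3], "big")
    rest = body[3:3 + list_len]
    if len(rest) != list_len:
        raise ValueError("certificate_list length overruns message")
    certs = []
    while rest:
        n = int.from_bytes(rest[0:3], "big")
        if n == 0 or len(rest) < 3 + n:
            raise ValueError("malformed ASN.1Cert entry")
        certs.append(rest[3:3 + n])
        rest = rest[3 + n:]
    return certs


def client_reply(client_certs):
    """What a conforming client sends after CertificateRequest: its chain if it
    has one, otherwise an empty certificate_list. A client that drops the
    connection at this point instead is the misbehaviour the thread describes."""
    return encode_certificate(client_certs)


def server_decides(policy, certificate_msg):
    """The server-side decision. Policy names are this example's own:
    "optional" accepts an empty list, "required" treats it as fatal.
    Returns True if the handshake may continue."""
    certs = decode_certificate(certificate_msg)
    if policy == "optional":
        return True
    if policy == "required":
        return bool(certs)
    raise ValueError("unknown policy: %r" % policy)


# Constructed placeholder standing in for a DER-encoded certificate (not real).
FAKE_DER_CERT = bytes.fromhex("3003020101")

if __name__ == "__main__":
    empty = client_reply([])
    print(empty.hex())                                   # 0b000003000000
    print(server_decides("optional", empty))             # True
    print(server_decides("required", empty))             # False
    print(server_decides("required", client_reply([FAKE_DER_CERT])))  # True
```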


Re: New CMS based SSLSERV problem... DTCSSL300E

2009-03-17 Thread Wiggins, Mark
Thank you to both Dennis and Mark. I had the mount commands in my DTCPARMS, 
they just weren't syntactically correct. Everything appears to be fine now...

Mark Wiggins

-Original Message-
From: Mark Cibula [mailto:cibul...@us.ibm.com]
Sent: Monday, March 16, 2009 6:11 PM
Subject: Re: New CMS based SSLSERV problem... DTCSSL300E

Dennis (and Mark W) --

Apologies for the somewhat duplicate posting - ran into a browser timeout
whilst putting my posting together..   I would like to suggest how one can
implement DTCPARMS server customizations (building on Dennis' post) to
better isolate them, and to lessen the impact of changes to the IBM DTCPARMS
file itself.

* Use this 'override' entry in the SYSTEM DTCPARMS file:
* (Because the 'parms' value is overridden, the :parm. tag/value from IBM
* DTCPARMS needs to first be duplicated and then modified within this
* (SYSTEM DTCPARMS) file so as not to lose the Keyfile information.

:nick.SSLSERV:type.server   :class.ssl
:Admin_ID_list.TCPMAINT GSKADMIN SYSPROG1 SYSPROG2
:parms.KEYFile /etc/gskadm/Database.kdb
 MAXSESSIONS 30
 EXEMPT LOW

With the above ':type.server' entry in place, a ':nick.ssl :type.class'
entry should no longer be necessary within SYSTEM DTCPARMS.  The 'class'
entry in the IBM DTCPARMS will provide the remainder of the needed tags/values.

Granted, with the significant change to the ssl 'class' with 540, having
done something similar to the above for a 530 SSL 'server' entry, one might
still have encountered some problems, since the old/new tags had little in
common...

The type of change I suggest above is meant simply to illustrate how to keep
customizations separate from the (IBM) supplied defaults. (And, we do
encourage this same type of thing on our own test systems so fewer servers
go 'bump' as things are changed).

-- Regards, Mark Cibula


New CMS based SSLSERV problem... DTCSSL300E

2009-03-16 Thread Wiggins, Mark
I'll start by saying that I have already found, read and performed all tasks on 
http://www.vm.ibm.com/related/tcpip/tcsslini.html to no avail.

I'm trying to setup the new CMS based SSLSERV for z/VM 540 RSU 0802, but I keep 
getting the exact error mentioned in the link above.



DTCRUN1011I Server started at 16:02:41 on 16 Mar 2009 (Monday)
DTCRUN1011I Running server command: VMSSL
DTCRUN1011I Parameters in use:
DTCRUN1011I  MAXSESSIONS 20 KEYFILE /etc/gskadm/Database.kdb
DTCSSL2423I Using server module: SSLSERV MODULE E2 - 2/26/09 16:28:52
DTCSSL002I SSLSERV main() - PROGMAP:
Name      Entry     Origin    Bytes     Attributes
SSLSERV   0FD63288  0FD63288  00041D73  Amode 31  Reloc
DTCSSL002I DEBUG settings: Debug: 0
DTCSSL002I main() started...
DTCSSL015I Server initialization in progress (z/VM level 540 - PK65850)
DTCSSL100I This software incorporates the RSA algorithm
DTCSSL132I Server ID: SSLSERV
DMSLIO201W The following names are undefined:
 EDCUCSNM
DMSLIO201W The following names are undefined:
 EDCUCSNM
DTCSSL300E gsk_open_database_using_stash_file() failed; rc: 0x3353009
reason: File or keyring not found
DTCSSL127E Server shutdown has commenced
DTCSSL128E Server shutdown is complete
DTCRUN1015I Server ended with RC=1 at 16:02:42 on 16 Mar 2009 (Monday)
DTCRUN1019I Server will not be logged off because you are connected


If I issue 'openvm list /etc/gskadm (own' on the GSKADMIN account I get the
following:

openvm listfile /etc/gskadm (own
Directory = '/etc/gskadm'
User ID    Group Name  Permissions  Type  Path name component
gskadmin   security    rw- r-- ---  F     'Database.kdb'
gskadmin   security    rw- --- ---  F     'Database.rdb'
gskadmin   security    rw- r-- ---  F     'Database.sth'

The SSLSERV directory statement also has

POSIXINFO UID 7 GNAME security

So, what else can I try???

Mark Wiggins
University of Connecticut
860-486-2792




Re: New CMS based SSLSERV problem... DTCSSL300E

2009-03-16 Thread O'Brien, Dennis L
Mark,
What did you put in SYSTEM DTCPARMS or node DTCPARMS for your SSL
server?  If you want to change anything for :nick.ssl in IBM DTCPARMS,
you have to copy the whole section for that nickname to your local file.
For example, I wanted to add a session limit and exempt low-strength
encryption algorithms.  The first thing I tried was just putting the
following in node DTCPARMS:
 
:nick.ssl :type.class 
  :name.SSL daemon
  :command.VMSSL  
  :diskwarn.YES   
  :parms.MAXSESSIONS 30   
 EXEMPT LOW   
 
This was similar to my z/VM 5.3.0 file.  I then got a message about
Admin_ID_list not being found, so I added that.  When I tried again, I
got the same message you got.  I guessed that I needed to copy the
entire :nick.ssl section from IBM DTCPARMS to my local file, and change
the parts I wanted to change.  That worked.  I currently have:
 
:nick.ssl :type.class
  :name.SSL daemon
  :command.VMSSL
  :runtime.C
  :diskwarn.YES
  :Admin_ID_list.TCPMAINT GSKADMIN SYSPROG1 SYSPROG2
  :memory.256M
  :mixedcaseparms.YES
  :mount. /../VMBFS:VMSYS:ROOT/  / ,
  /../VMBFS:VMSYS:SSLSERV/   /tmp  ,
  /../VMBFS:VMSYS:GSKSSLDB/  /etc/gskadm

  :parms.KEYFile /etc/gskadm/Database.kdb
 MAXSESSIONS 30
 EXEMPT LOW
 
Your error message is because SSLSERV is not seeing a :mount. tag, so it
doesn't know where to find /etc/gskadm/Database.kdb.


   Dennis O'Brien

39,516 

 



From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On
Behalf Of Wiggins, Mark
Sent: Monday, March 16, 2009 13:38
To: IBMVM@LISTSERV.UARK.EDU
Subject: [IBMVM] New CMS based SSLSERV problem... DTCSSL300E



I'll start by saying that I have already found, read and performed all
tasks on http://www.vm.ibm.com/related/tcpip/tcsslini.html to no avail. 

 

I'm trying to setup the new CMS based SSLSERV for z/VM 540 RSU 0802, but
I keep getting the exact error mentioned in the link above.  

 

 

DTCRUN1011I Server started at 16:02:41 on 16 Mar 2009 (Monday)
DTCRUN1011I Running server command: VMSSL
DTCRUN1011I Parameters in use:
DTCRUN1011I  MAXSESSIONS 20 KEYFILE /etc/gskadm/Database.kdb
DTCSSL2423I Using server module: SSLSERV MODULE E2 - 2/26/09 16:28:52
DTCSSL002I SSLSERV main() - PROGMAP:
Name      Entry     Origin    Bytes     Attributes
SSLSERV   0FD63288  0FD63288  00041D73  Amode 31  Reloc
DTCSSL002I DEBUG settings: Debug: 0
DTCSSL002I main() started...
DTCSSL015I Server initialization in progress (z/VM level 540 - PK65850)
DTCSSL100I This software incorporates the RSA algorithm
DTCSSL132I Server ID: SSLSERV
DMSLIO201W The following names are undefined:
 EDCUCSNM
DMSLIO201W The following names are undefined:
 EDCUCSNM
DTCSSL300E gsk_open_database_using_stash_file() failed; rc: 0x3353009
reason: File or keyring not found
DTCSSL127E Server shutdown has commenced
DTCSSL128E Server shutdown is complete
DTCRUN1015I Server ended with RC=1 at 16:02:42 on 16 Mar 2009 (Monday)
DTCRUN1019I Server will not be logged off because you are connected

 

If I issue 'openvm list /etc/gskadm (own' on the GSKADMIN account I get the
following:

openvm listfile /etc/gskadm (own
Directory = '/etc/gskadm'
User ID    Group Name  Permissions  Type  Path name component
gskadmin   security    rw- r-- ---  F     'Database.kdb'
gskadmin   security    rw- --- ---  F     'Database.rdb'
gskadmin   security    rw- r-- ---  F     'Database.sth'

 

The SSLSERV directory statement also has

POSIXINFO UID 7 GNAME security

 

So, what else can I try???

Mark Wiggins
University of Connecticut
860-486-2792



Re: New CMS based SSLSERV problem... DTCSSL300E

2009-03-16 Thread Mark Cibula
Hi Mark,

I suspect the errors you've encountered stem from somehow referencing a
pre-540 SSL 'class' entry -- one that lacks the :runtime.C , :mount. and
other tags that define values needed for the 540 SSL server.  Please check
your SYSTEM DTCPARMS file (or any others you've customized) for a
stale/rogue pre-540 SSL class entry that looks like this one:

:nick.ssl :type.class
  :name.SSL daemon
  :command.VMSSL
  :diskwarn.YES

Also, ensure that a pre-540 level IBM DTCPARMS file is not present in the
CMS search order of the (540) SSL server, and that the PK65850-level IBM
DTCPARMS file *is* available.  The class definition from this file is:

:nick.ssl :type.class
  :name.SSL daemon
  :command.VMSSL
  :runtime.C
  :diskwarn.YES
  :Admin_ID_list.TCPMAINT GSKADMIN
  :memory.256M
  :mixedcaseparms.YES
  :mount. /../VMBFS:VMSYS:ROOT/  / ,
  /../VMBFS:VMSYS:SSLSERV/   /tmp  ,
  /../VMBFS:VMSYS:GSKSSLDB/  /etc/gskadm
  :parms.KEYFile /etc/gskadm/Database.kdb


(Note: The 540 GA-level of this file lacks the 'SSLSERV' file space ID for
the '/tmp' mount; commentary in the updated file explains why this needs to
be included.)

One other customer ran across the errors you cited for this same reason, but
I've just not had a chance to update the page you had checked to add this
'gotcha'...

Regards, Mark Cibula (z/VM TCP/IP Support)


Re: New CMS based SSLSERV problem... DTCSSL300E

2009-03-16 Thread Mark Cibula
Dennis (and Mark W) --

Apologies for the somewhat duplicate posting - ran into a browser timeout
whilst putting my posting together..   I would like to suggest how one can
implement DTCPARMS server customizations (building on Dennis' post) to
better isolate them, and to lessen the impact of changes to the IBM DTCPARMS
file itself.

* Use this 'override' entry in the SYSTEM DTCPARMS file:
* (Because the 'parms' value is overridden, the :parm. tag/value from IBM
* DTCPARMS needs to first be duplicated and then modified within this
* (SYSTEM DTCPARMS) file so as not to lose the Keyfile information.

:nick.SSLSERV:type.server   :class.ssl
:Admin_ID_list.TCPMAINT GSKADMIN SYSPROG1 SYSPROG2
:parms.KEYFile /etc/gskadm/Database.kdb
 MAXSESSIONS 30
 EXEMPT LOW

With the above ':type.server' entry in place, a ':nick.ssl :type.class'
entry should no longer be necessary within SYSTEM DTCPARMS.  The 'class'
entry in the IBM DTCPARMS will provide the remainder of the needed
tags/values.

Granted, with the significant change to the ssl 'class' with 540, having
done something similar to the above for a 530 SSL 'server' entry, one might
still have encountered some problems, since the old/new tags had little in
common...

The type of change I suggest above is meant simply to illustrate how to keep
customizations separate from the (IBM) supplied defaults. (And, we do
encourage this same type of thing on our own test systems so fewer servers
go 'bump' as things are changed).

-- Regards, Mark Cibula
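As an added example (not code from the thread, from IBM, or from z/VM TCP/IP), the following Python resolver models the precedence rule in Mark Cibula's two posts above: a tag in a :type.server entry replaces the same-named tag of its :type.class entry outright, values are never merged, which is why the :parms. override has to repeat KEYFile. The sample entries are constructed from those quoted in the thread; the parser and the gap checks are this example's own.

```python
# Added example, not from the thread or from IBM: resolve the tags in force for a
# DTCPARMS server entry using the rule "server tag overrides same-named class
# tag, values are not combined", and flag the configuration gaps discussed in
# the thread (missing KEYFile after a :parms. override, missing :mount. for
# /etc/gskadm, pre-540 class entry without :runtime.).
import re

# Constructed from the PK65850-level class entry quoted by Mark Cibula.
IBM_DTCPARMS = """\
:nick.ssl :type.class
  :name.SSL daemon
  :command.VMSSL
  :runtime.C
  :diskwarn.YES
  :Admin_ID_list.TCPMAINT GSKADMIN
  :memory.256M
  :mixedcaseparms.YES
  :mount. /../VMBFS:VMSYS:ROOT/  / ,
          /../VMBFS:VMSYS:SSLSERV/   /tmp  ,
          /../VMBFS:VMSYS:GSKSSLDB/  /etc/gskadm
  :parms.KEYFile /etc/gskadm/Database.kdb
"""

# Server entry listing only the new parameters: :parms. replaces the class value
# wholesale, so KEYFile silently disappears.
SYSTEM_DTCPARMS_INCOMPLETE = """\
:nick.SSLSERV :type.server :class.ssl
  :Admin_ID_list.TCPMAINT GSKADMIN SYSPROG1 SYSPROG2
  :parms.MAXSESSIONS 30
         EXEMPT LOW
"""

# The form recommended in the thread: duplicate the class's KEYFile, then add.
SYSTEM_DTCPARMS_COMPLETE = """\
:nick.SSLSERV :type.server :class.ssl
  :Admin_ID_list.TCPMAINT GSKADMIN SYSPROG1 SYSPROG2
  :parms.KEYFile /etc/gskadm/Database.kdb
         MAXSESSIONS 30
         EXEMPT LOW
"""

TAG_RE = re.compile(r":([A-Za-z_]+)\.")


def parse_entries(text):
    """Split DTCPARMS text into entries, one dict per :nick. tag.
    Tag names are folded to lower case; a value runs up to the next tag with
    whitespace collapsed, so multi-line :mount. and :parms. values survive."""
    entries, matches = [], list(TAG_RE.finditer(text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        tag, value = m.group(1).lower(), " ".join(text[m.end():end].split())
        if tag == "nick":
            entries.append({})
        if entries:                      # ignore tags before the first :nick.
            entries[-1][tag] = value
    return entries


def effective_entry(ibm_text, system_text, nick="SSLSERV"):
    """Tags in force for server `nick`: start from its class entry, then let
    every tag of the server entry replace (never extend) the same-named tag."""
    classes = {e["nick"].lower(): e for e in parse_entries(ibm_text)
               if e.get("type", "").lower() == "class"}
    servers = {e["nick"].lower(): e for e in parse_entries(system_text)
               if e.get("type", "").lower() == "server"}
    server = servers[nick.lower()]
    merged = dict(classes[server["class"].lower()])
    merged.update(server)
    return merged


def parms_keywords(entry):
    """Split a :parms. value into {keyword: value} (keywords case-folded)."""
    toks = entry.get("parms", "").split()
    return {toks[i].lower(): toks[i + 1] for i in range(0, len(toks) - 1, 2)}


def check_ssl_server(entry):
    """Return the gaps the thread identifies for a 540 SSL server entry."""
    problems = []
    if "keyfile" not in parms_keywords(entry):
        problems.append("no KEYFILE in :parms. (class value was overridden)")
    if "/etc/gskadm" not in entry.get("mount", ""):
        problems.append("no :mount. for /etc/gskadm, key database unreachable")
    if "runtime" not in entry:
        problems.append("no :runtime. tag (pre-540 class entry?)")
    return problems


if __name__ == "__main__":
    for label, text in (("incomplete", SYSTEM_DTCPARMS_INCOMPLETE),
                        ("complete", SYSTEM_DTCPARMS_COMPLETE)):
        eff = effective_entry(IBM_DTCPARMS, text)
        print(label, "parms:", eff["parms"])
        print(label, "problems:", check_ssl_server(eff) or "none")
```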