List: racf-l
Subject: Re: Certificate set up for Client authentication (was FTPS-issue)
From: "De Bruyne Dirk (IS4F)" <Dirk.DeBruyne () IS4F ! COM>
Date: 2017-09-27 10:27:01
Message-ID: ca246db3f99f45eabd5d48ec92fe5288 () XW13LXAL0001 ! DS13 ! ds4f ! net
Thanks Wai, much appreciated your clear comment.
Regards,
Dirk
-----Original Message-----
From: RACF Discussion List [mailto:RACF-L@LISTSERV.UGA.EDU] On Behalf Of Wai Choi
Sent: Tuesday 26 September 2017 17:33
To: RACF-L@LISTSERV.UGA.EDU
Subject: Certificate set up for Client authentication (was FTPS-issue)
Dirk,
So your keyring set up is OK for TLS/SSL, only with some unnecessary certs
as you already realized.
There can be two steps involved in client authentication using a
certificate:
1) TLS/SSL handshake (keyring is involved)
2) mapping of the client certificate to an ID (keyring is not involved)
Some applications only need Step 1, some require both steps. When both
steps are needed, Step 2 tries to use a userid originating from the
certificate that was used in Step 1. Step 2 will fail if no mapping can be
found.
If the mapping involves using RACF, e.g. the one who presents the cert for
authentication needs to have a RACF userid, RACF will map a cert to an ID
in the following order:
a. the owner ID of the client cert that exists in RACF (note: the ID has
to be an ordinary RACF ID, not SITE, not CERTAUTH)
b. the owner ID of a certificate map that matches the subject and/or the
issuer distinguished name in the client cert, if there is no client cert
found in RACF
c. the ID indicated in the client cert's hostidmapping extension, if no
certificate map is found in RACF
If you don't want to use method a, you can use b or c. You may find
information on b about RACDCERT MAP from the RACF Security Administrator's
Guide Chapter 19. If you want to use method c, the client certificate
needs to be issued by z/OS PKI Services with the hostidmapping extension.
There are publications, Hot Topics, Redbooks and YouTube videos on z/OS PKI Services.
Regards,
Wai
Wai Choi - RACF/PKI Design and Development
Tie-line:295-7623
External: (845)435-7623
Internet: wchoi@us.ibm.com
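The resolution order Wai describes (a: cert owner in RACF, b: RACDCERT MAP, c: hostidmapping extension), as an added example that is not code from the thread or from IBM. It assumes RACF locates a certificate by issuer DN plus serial number, that MAP filters match the trailing RDNs of a DN, and that a map matching on both SDN and IDN filters beats one matching on a single filter; the cert and map data are constructed from the subject, issuer and serial quoted later in the thread.

```python
# Added example, not IBM code: the certificate-to-ID resolution order Wai lists
# above (a: owner of the cert in RACF; b: RACDCERT MAP filter; c: hostidmapping
# extension), run over constructed data. Assumptions: RACF finds a cert by issuer
# DN plus serial number; MAP filters match the trailing RDNs of a DN (so
# 'OU=IS4F.C=BE' matches 'CN=PNI0KSY.OU=IS4F.C=BE'); a map whose SDN and IDN
# filters both match wins over one matching on a single filter.
SYSTEM_IDS = {"SITE", "CERTAUTH"}   # step a needs an ordinary RACF user ID

def dn_matches(dn, flt):
    """None means 'no filter on this name'; otherwise match the trailing RDNs."""
    return flt is None or dn == flt or dn.endswith("." + flt)

def resolve_user(cert, owned_certs, cert_maps):
    """cert: {'subject','issuer','serial', optional 'hostidmapping'}.
    owned_certs: {(issuer DN, serial): RACF owner}.
    cert_maps: [(owner, SDNFILTER or None, IDNFILTER or None), ...].
    Returns (user id or None, which step produced it)."""
    owner = owned_certs.get((cert["issuer"], cert["serial"]))
    if owner is not None and owner not in SYSTEM_IDS:
        return owner, "a"
    hits = [(sum(f is not None for f in (sdn, idn)), o) for o, sdn, idn in cert_maps
            if dn_matches(cert["subject"], sdn) and dn_matches(cert["issuer"], idn)]
    if hits:
        return max(hits)[1], "b"    # most specific (most filters) map wins
    if cert.get("hostidmapping"):
        return cert["hostidmapping"], "c"
    return None, "none"           # no mapping found: step 2 fails

# Constructed client cert using the subject/issuer/serial quoted later in the thread.
CLIENT_CERT = {"subject": "CN=PNI0KSY.OU=IS4F.C=BE",
               "issuer": "CN=IS4F Infrastructure CA Services.DS13.ds4f.net",
               "serial": "3600000819E31BDCB91FED4C72000000000819"}
# Constructed maps for method b. The first is a many-to-one map on subject only;
# the second pins both subject and issuer and is therefore the more specific one.
MAPS = [("FTPGUEST", "OU=IS4F.C=BE", None),
        ("PNI0KSY", "CN=PNI0KSY.OU=IS4F.C=BE",
         "CN=IS4F Infrastructure CA Services.DS13.ds4f.net")]

if __name__ == "__main__":
    print(resolve_user(CLIENT_CERT, {}, MAPS))       # ('PNI0KSY', 'b')
    print(resolve_user(CLIENT_CERT, {}, MAPS[:1]))   # ('FTPGUEST', 'b')
```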
From: "De Bruyne Dirk (IS4F)" <Dirk.DeBruyne@IS4F.COM>
To: RACF-L@LISTSERV.UGA.EDU
Date: 09/26/2017 03:27 AM
Subject: Re: FW: FTPS-issue
Sent by: RACF Discussion List <RACF-L@LISTSERV.UGA.EDU>
Hi Wai,
Thanks for the reply.
I did not mention that the same CA certs have different 'Certificate Labels' on
the two LPARs (2 different RACFs). The reason is historical.
So, I can confirm when looking at the 'Certificate name', that client ring
and server ring contain what is needed (maybe even too much).
Server Cert (Chain) :
Root : PRD Root CA IS4F (040000000001464238D3E9)
Signing cert : Belfius Bank IS CA (0400000000014E91C1CC32)
Server Cert : FTP SEC SERVER CERT IWOC SBXT (7F000002A67A562A35C6D398480000000002A6)
Client Cert (Chain) :
Root: IS4F Root CA (040000000001464238D3E9)
Signing cert : IS4F Infrastructure CA Services (0400000000014E91C1D411)
Client cert : PNI0KSY CLIENT FTPS (3600000819E31BDCB91FED4C72000000000819)
ServerRing : FTPD/FTPSERVERRING (owner/keyringname)
PRD Root CA IS4F (040000000001464238D3E9)
Belfius Bank IS CA (0400000000014E91C1CC32)
FTP SEC SERVER CERT IWOC SBXT (7F000002A67A562A35C6D398480000000002A6)
INFRASTRUCTURE CA IS4F SHAW2 (0400000000014E91C1D411) --> I think this one can be removed
ClientRing : PNI0KSY/FTP.SECURE.CLIENT.RING (owner/keyringname)
IS4F Root CA (040000000001464238D3E9)
IS4F Infrastructure CA Services (0400000000014E91C1D411)
PNI0KSY CLIENT FTPS (3600000819E31BDCB91FED4C72000000000819)
Belfius Bank Infrastructure CA (0400000000014E91C1CC32) --> I think this one can be removed
I also got a suggestion from Donald J. to work with Host ID Mappings, but I
do not have experience with that.
Regards,
Dirk
-----Original Message-----
From: RACF Discussion List [mailto:RACF-L@LISTSERV.UGA.EDU] On Behalf Of
Wai Choi
Sent: Monday 25 September 2017 16:17
To: RACF-L@LISTSERV.UGA.EDU
Subject: Re: FW: FTPS-issue
Seems your set up is not correct. The server ring and the client ring do
not contain the correct certs.
Basically the client ring should contain client cert's whole chain + the
root of the server cert ; the server ring should contain server cert's
whole chain + root of the client cert.
According to your output,
Client ring:
a. IS4F Infrastructure CA Services
b. IS4F Root CA
c. Belfius Bank Infrastructure CA
d. PNI0KSY CLIENT FTPS <== client cert
What is the signing chain for d? Is it b->a->d or c->a->d? Whatever the
signing root is, it needs to be in the server ring. I don't see it (b or
c) in the server ring.
Server ring:
p. PRD Root CA IS4F
q. INFRASTRUCTURE CA IS4F SHAW2
r. Belfius Bank IS CA
s. FTP SEC SERVER CERT IWOC SBXT <== server cert
t. IS4F Non-PSF Mgt Infrastructure
What is the signing chain for s? Is it p->q->s or r->q->s? Whatever the
signing root is, it needs to be in the client ring. I don't see it (p or
r) in the client ring.
Regards,
Wai
Wai Choi - RACF/PKI Design and Development
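The ring check Wai performs by hand above, as an added example that is not code from the thread or from IBM: it follows each leaf cert's issuer links up to its root and verifies that the client ring holds the client chain plus the server root and the server ring holds the server chain plus the client root. Certs are keyed by serial number, since the same CA cert carries different labels in the two RACF databases; serials and leaf DNs come from the thread, and the CA subject names are constructed stand-ins.

```python
# Added example, not code from the thread or from IBM: checks the rule Wai gives
# above (client ring = client cert's chain + server root; server ring = server
# cert's chain + client root). Certs are keyed by serial number because the same
# CA cert carries different labels in the two RACF databases. Serials and leaf
# DNs come from the thread; the CA subject names are constructed stand-ins.
ROOT, INFRA, BELFIUS = "040000000001464238D3E9", "0400000000014E91C1D411", "0400000000014E91C1CC32"
CLIENT = "3600000819E31BDCB91FED4C72000000000819"
SERVER = "7F000002A67A562A35C6D398480000000002A6"

# serial -> (subject, issuer); a root is self-signed, so subject == issuer
CERTS = {
    ROOT: ("CN=IS4F Root CA", "CN=IS4F Root CA"),
    INFRA: ("CN=IS4F Infrastructure CA Services", "CN=IS4F Root CA"),
    BELFIUS: ("CN=Belfius Bank Infrastructure CA Services", "CN=IS4F Root CA"),
    CLIENT: ("CN=PNI0KSY.OU=IS4F.C=BE", "CN=IS4F Infrastructure CA Services"),
    SERVER: ("CN=CPUT.DBB.DEXWIRED.NET.O=IS4F.C=BE",
             "CN=Belfius Bank Infrastructure CA Services"),
}

def chain(serial):
    """Follow issuer links from a leaf up to its self-signed root; return serials."""
    by_subject = {subj: s for s, (subj, _) in CERTS.items()}
    path = [serial]
    while CERTS[path[-1]][0] != CERTS[path[-1]][1]:
        issuer = CERTS[path[-1]][1]
        if issuer not in by_subject or len(path) > len(CERTS):
            raise ValueError(f"cannot complete chain above {path[-1]}: issuer {issuer!r}")
        path.append(by_subject[issuer])
    return path

def check_ring(ring, own_leaf, peer_leaf):
    """ring maps label -> serial. Returns (missing serials, unnecessary labels)."""
    required = set(chain(own_leaf)) | {chain(peer_leaf)[-1]}   # own chain + peer root
    missing = sorted(required - set(ring.values()))
    unnecessary = sorted(lbl for lbl, s in ring.items() if s not in required)
    return missing, unnecessary

# Ring contents as Dirk listed them; note the differing labels per RACF database.
CLIENT_RING = {"IS4F Root CA": ROOT, "IS4F Infrastructure CA Services": INFRA,
               "PNI0KSY CLIENT FTPS": CLIENT, "Belfius Bank Infrastructure CA": BELFIUS}
SERVER_RING = {"PRD Root CA IS4F": ROOT, "Belfius Bank IS CA": BELFIUS,
               "FTP SEC SERVER CERT IWOC SBXT": SERVER, "INFRASTRUCTURE CA IS4F SHAW2": INFRA}

if __name__ == "__main__":
    print("client ring (missing, unnecessary):", check_ring(CLIENT_RING, CLIENT, SERVER))
    print("server ring (missing, unnecessary):", check_ring(SERVER_RING, SERVER, CLIENT))
```

With the rings as listed, nothing is missing and each ring reports exactly the one cert Dirk marked as removable.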
From: "De Bruyne Dirk (IS4F)" <Dirk.DeBruyne@IS4F.COM>
To: RACF-L@LISTSERV.UGA.EDU
Date: 09/25/2017 05:31 AM
Subject: FW: FTPS-issue
Sent by: RACF Discussion List <RACF-L@LISTSERV.UGA.EDU>
Hi,
We are testing FTPS (FTP secured by AT-TLS) between 2 z/OS LPARs and are
having the following issue (532 Username does not match name in client
certificate).
SSL Server CPUT with server (SITE) certificate.
Keyring FTPSERVERRING with server certificate and signing CA cert
(Trusted) (=CA1).
In this keyring, the signing CA of the client certificates is included
(CA2).
SSL Client EB44 with client certificates.
(Client) keyrings have the client certificate, its signing CA-cert (=CA2)
and the root-CA of server (CA1).
Client-cert looks like :
racdcert id(PNI0KSY) list(label('PNI0KSY CLIENT FTPS'))
Digital certificate information for user PNI0KSY:
Label: PNI0KSY CLIENT FTPS
Certificate ID: 2QfX1cnw0uLo19XJ8NLi6EDD08nF1eNAxuPX4kBA
Status: TRUST
Start Date: 2017/09/21 09:05:00
End Date: 2019/09/21 09:05:00
Serial Number:
>3600000819E31BDCB91FED4C72000000000819<
Issuer's Name:
>CN=IS4F Infrastructure CA Services.DS13.ds4f.net<
Subject's Name:
>CN=PNI0KSY.OU=IS4F.C=BE<
Signing Algorithm: sha256RSA
Key Usage: HANDSHAKE
Key Type: RSA
Key Size: 2048
Private Key: YES
Ring Associations:
Ring Owner: PNI0KSY
Ring:
>FTP.SECURE.CLIENT.RING<
Keyring Client :
racdcert id(PNI0KSY) listring(FTP.SECURE.CLIENT.RING)
Digital ring information for user PNI0KSY:
Ring:
>FTP.SECURE.CLIENT.RING<
Certificate Label Name Cert Owner USAGE DEFAULT
-------------------------------- ------------ -------- -------
IS4F Infrastructure CA Services CERTAUTH CERTAUTH NO
IS4F Root CA CERTAUTH CERTAUTH NO
Belfius Bank Infrastructure CA CERTAUTH CERTAUTH NO
PNI0KSY CLIENT FTPS ID(PNI0KSY) PERSONAL YES
Server-cert :
racdcert SITE list(label('FTP SEC SERVER CERT IWOC SBXT'))
Digital certificate information for SITE:
Label: FTP SEC SERVER CERT IWOC SBXT
Certificate ID: 2QiJmZmiiaOFg8bj10DixcNA4sXZ5cXZQMPF2eNAyebWw0Diwufj
Status: TRUST
Start Date: 2017/04/18 08:55:24
End Date: 2019/04/18 08:55:24
Serial Number:
>7F000002A67A562A35C6D398480000000002A6<
Issuer's Name:
>CN=Belfius Bank Infrastructure CA Services.belwired.net<
Subject's Name:
>CN=CPUT.DBB.DEXWIRED.NET.OU=IS4F ITSO POK.O=IS4F.C=BE<
Signing Algorithm: sha256RSA
Key Usage: HANDSHAKE
Key Type: RSA
Key Size: 2048
Private Key: YES
Ring Associations:
Ring Owner: FTPD
Ring:
>FTPSERVERRING<
Keyring Server :
racdcert id(FTPD) listring(FTPSERVERRING)
Digital ring information for user FTPD:
Ring:
>FTPSERVERRING<
Certificate Label Name Cert Owner USAGE DEFAULT
-------------------------------- ------------ -------- -------
PRD Root CA IS4F CERTAUTH CERTAUTH NO
INFRASTRUCTURE CA IS4F SHAW2 CERTAUTH CERTAUTH NO
Belfius Bank IS CA CERTAUTH CERTAUTH NO
FTP SEC SERVER CERT IWOC SBXT SITE PERSONAL YES
IS4F Non-PSF Mgt Infrastructure CERTAUTH CERTAUTH NO
FTPS-job (with error) :
EZA1736I FTP CPUT 823 (TIMEOUT 240 EXIT
EZY2640I Using dd:SYSFTPD=Z5.BPRD.STCP.CS.PARMS(FTP51SP) for local site configur
EZA1450I IBM FTP CS V2R2
EZA1772I FTP: EXIT has been set.
EZA1554I Connecting to: MVST 10.212.255.3 port: 823.
220-FTPCD1 IBM FTP CS V2R2 at MVST, 09:20:13 on 2017-09-22.
220 Connection will close if idle for more than 5 minutes.
EZA1701I >>> AUTH TLS
234 Security environment established - ready for negotiation
EZA2895I Authentication negotiation succeeded
EZA1701I >>> PBSZ 0
200 Protection buffer size accepted
EZA1701I >>> PROT P
200 Data connection protection set to private
EZA2906I Data connection protection is private
EZA1459I NAME (CPUT:PNI0KSY):
EZA1701I >>> USER PNI0KSY
532 Username does not match name in client certificate
EZA1735I Std Return Code = 26532, Error Code = 00002
EZA1701I >>> QUIT
221 Quit command received. Goodbye.
Now, we ADDed the client-cert to RACF on server-site CPUT.
Now FTPS works fine.
FTPS-job (without error) :
EZA1736I FTP CPUT 823 (TIMEOUT 240 EXIT
EZY2640I Using dd:SYSFTPD=Z5.BPRD.STCP.CS.PARMS(FTP51SP) for local site configur
EZA1450I IBM FTP CS V2R2
EZA1772I FTP: EXIT has been set.
EZA1554I Connecting to: MVST 10.212.255.3 port: 823.
220-FTPCD1 IBM FTP CS V2R2 at MVST, 09:22:35 on 2017-09-22.
220 Connection will close if idle for more than 5 minutes.
EZA1701I >>> AUTH TLS
234 Security environment established - ready for negotiation
EZA2895I Authentication negotiation succeeded
EZA1701I >>> PBSZ 0
200 Protection buffer size accepted
EZA1701I >>> PROT P
200 Data connection protection set to private
EZA2906I Data connection protection is private
EZA1459I NAME (CPUT:PNI0KSY):
EZA1701I >>> USER PNI0KSY
230-User PNI0KSY is an authorized user
230 PNI0KSY is logged on. Working directory is "PNI0KSY.".
EZA1460I Command:
EZA1736I BIN
EZA1701I >>> TYPE I
200 Representation type is Image
EZA1460I Command:
EZA1736I LOCSITE BLKS PRI=9200 SEC=1000
EZA1460I Command:
EZA1736I LCD *DEV.NULL
EZA2583I Working Directory for GET is NULL Device
EZA2586I for PUT is "PNI0KSY." name prefix
EZA1460I Command:
EZA1736I DIR
EZA1701I >>> TYPE A
200 Representation type is Ascii NonPrint
EZA1701I >>> PASV
227 Entering Passive Mode (10,212,255,3,197,59)
EZA1701I >>> LIST
125 List started OK
EZA2284I Volume Unit Referred Ext Used Recfm Lrecl BlkSz Dsorg Dsname
EZA2284I TSTS83 3390 2017/04/26 1 8 FB 80 27920 PO N.SISP.PROFILE.
EZA2284I TSTS73 3390 2017/09/21 1 12 FB 80 27920 PO N.SISP.PROFILE.
250 List completed successfully.
EZA1701I >>> TYPE I
200 Representation type is Image
EZA1460I Command:
EZA1736I QUIT
EZA1701I >>> QUIT
221 Quit command received. Goodbye.
Why was the public key needed on SERVER-site? Can we avoid this (to have
the client-cert defined on SERVER-site)?
Extra info :
In FTP.DATA on server-site, we have :
SECURE_LOGIN VERIFY_USER
SECURE_PASSWORD OPTIONAL
The same 'problem' occurs when we modify SECURE_LOGIN to REQUIRED.
Please feel free to ask more info if needed.
Many thanks for feedback.
Regards,
Dirk De Bruyne
Any communication and/or information in this message are confidential and
may be privileged or otherwise protected. If you receive it in error,
please inform us and then delete it from your system. You should not copy
or disclose its contents to anyone. Communication is not secure and
information cannot be guaranteed to be error free. Any communication
and/or information are sent without any prejudice.