
List:       racf-l
Subject:    Re: [IBM External] Re: ENTITY CERT not working in CICS SSL
From:       Bobby Sagami <bobby_sagami () NA ! HONDA ! COM>
Date:       2021-10-13 19:15:21
Message-ID: OSBPR01MB50780ECE5D916A0F6F5EAD87C3B79 () OSBPR01MB5078 ! jpnprd01 ! prod ! outlook ! com

Hi Wai!

The current EE cert was provided by our client to connect to our CICS SSL webservice. The EE cert is linked to a RACF userid as trusted; it is not in any keyring, but LISTCHAIN confirms both the inter and the root are in the keyring used by the CICS SSL region. The user is able to connect to CICS:

Chain information:
  Chain contains 3 certificate(s), chain is complete
  Chain contains no ring in common

A new EE cert was forwarded to us from the client because the current one expires soon. I did a RACDCERT ADD with TRUST from a dataset sent to us containing the new EE cert. LISTCHAIN shows incomplete. The client says the same root cert is used as previously but a different inter cert, so I added the different inter cert to the CICS keyring. LISTCHAIN still shows incomplete:

Chain information:
  Chain contains 1 certificate(s), chain is incomplete
  Chain contains no ring in common

RACDCERT CHECKCERT of the new EE:

Certificate 1:
Digital certificate information for user DPUSERP:

  Label: DATAPOWER 2021
  Certificate ID: 2QfE1+TixdnXxMHjwdfW5sXZQPLw8vFA
  Status: TRUST
  Start Date: 2021/09/12 17:00:00
  End Date:   2022/09/13 16:59:59
  Serial Number:
       >00BBB0BXXXXXXXXXXXXXXXXXXXXXXXXXX<
  Issuer's Name:
       >CN=Sectigo RSA Extended Validation Secure Server CA.O=Sectigo Limited<
       >.L=Salford.SP=Greater Manchester.C=GB<
  Subject's Name:
       >CN=ws.hondaweb.com.O=American Honda Motor Co., Inc..SP=California.C=U<
       >S.Private Organization.California.US.C0377249<
  Subject's AltNames:
    Domain: ws.hondaweb.com
  Signing Algorithm: sha256RSA
  Key Usage: HANDSHAKE
  Key Type: RSA
   Key Size: 2048
   Private Key: NO

 Chain information:
   Chain contains 1 certificate(s), chain is incomplete
 ***

The only thing I see different between the current and the new EE cert is the different inter cert, which I added to the keyring, and which shows Cert Owner SITE. The working EE uses INTERMFTxxxx, which shows Cert Owner CERTAUTH. Does that make a difference? The manuals say just the USAGE must be CERTAUTH, nothing about Cert Owner. Unfortunately this inter cert is used in other keyrings, so I hesitate to delete/add it as Cert Owner CERTAUTH:

Ring:
     >A001_SSL_RING<
Certificate Label Name             Cert Owner     USAGE      DEFAULT
--------------------------------   ------------   --------   -------
A001_CICS_SSL                      ID(xxxx)       PERSONAL     YES
ROOTxxxxxxxxxxxxxx                 CERTAUTH       CERTAUTH     NO
INTERMFTxxxx                       CERTAUTH       CERTAUTH     NO
DPINTERxxxxx                       SITE           CERTAUTH     NO    << added


-----Original Message-----
From: RACF Discussion List <RACF-L@LISTSERV.UGA.EDU> On Behalf Of Wai Choi
Sent: Tuesday, October 12, 2021 5:53 AM
To: RACF-L@LISTSERV.UGA.EDU
Subject: Re: [IBM External] Re: ENTITY CERT not working in CICS SSL

Bob,

I am confused by the information provided. You said 'Both good and bad EE certs are not in any keyring'. SSL won't work without a keyring. And you also showed the certs in keyring A001_SSL_RING. What does this keyring have to do with your setup?

Is A001_CICS_SSL the new EE cert or the old one?

Are you going to use the same keyring A001_SSL_RING that contains the new EE cert?

BTW, LISTCHAIN would show the issuer if the owner is the same as that of the EE cert OR if the issuer is CERTAUTH. How did you get the EE cert? From RACDCERT GENCERT directly in the system, or from RACDCERT ADD from a dataset sent to you from another system? If you have the dataset, you may do a RACDCERT CHECKCERT(<dataset that contains the EE cert>) and show us the output.

Regards,
Wai

Wai Choi - RACF/PKI Design and Development




From:   "Bobby Sagami" <bobby_sagami@NA.HONDA.COM>
To:     RACF-L@LISTSERV.UGA.EDU
Date:   10/06/2021 10:42 PM
Subject:        [IBM External] Re: ENTITY CERT not working in CICS SSL
Sent by:        "RACF Discussion List" <RACF-L@LISTSERV.UGA.EDU>



Hi Del, thanks again!

I issued the LISTCHAIN command on DPINTERXXXX as you mentioned, although the format of the command is slightly different from what you posted because the owner is irrsitec. It shows the chain is good and linked to the root cert only, so I believe it's a legit inter cert being used today in the listed keyrings:

RACDCERT LISTCHAIN (LABEL('DPINTxxxxxx')) site

Chain information:
  Chain contains 2 certificate(s), chain is complete
  Chain contains ring in common: EDICERT/AHMxxx
  Chain contains ring in common: PROD/COMxxx
  Chain contains ring in common: PROD/A001_SSL_xxx

Listchain on the new EE cert is where I get chain incomplete.

Both the good and the bad EE certs are not in any keyring; they are linked to a RACF ID in the DIGTCERT class as trusted.

EE certs:
 Owner    Digital certificate labels       Trust
 DPUSERP  DATAPxxx  2021                   Yes    <<<< don't work
 DPUSERP1 DPxxxx                           Yes    <<<< works

The inter in question is used in other keyrings, so I hesitate to delete/reimport it just to change the owner from SITE to CERTAUTH:

Ring:
     >A001_SSL_RING<
Certificate Label Name             Cert Owner     USAGE      DEFAULT
--------------------------------   ------------   --------   -------
A001_CICS_SSL                      ID(xxxx)       PERSONAL     YES
ROOTxxxxxxxxxxxxxx                 CERTAUTH       CERTAUTH     NO
INTERMFTxxxx                       CERTAUTH       CERTAUTH     NO    << inter cert works w/current EE cert
DPINTERxxxxx                       SITE           CERTAUTH     NO    << inter cert used by new EE cert fails

Being unfamiliar with creating EE certs, can they create it linked to INTERMFTxxxx and its ROOTxxxxxx? Those are what the current working EE cert is chained to, and it works... Bobby

-----Original Message-----
From: RACF Discussion List <RACF-L@LISTSERV.UGA.EDU> On Behalf Of Del Sumbillo
Sent: Monday, October 04, 2021 10:16 PM
To: RACF-L@LISTSERV.UGA.EDU
Subject: Re: ENTITY CERT not working in CICS SSL

Thank you, Walt, for writing the snippet of the guide related to this subject. Bobby, you should be able to correct your install based on all the info provided. As far as I know, even if you have DPINTERxxxxx on other rings, it will still not be usable for chaining the EEC to the root. If you issue racdcert certauth listchain(label('label of dpinterxxxxx')), my understanding is you will get a 'No matching certificate was found for this user' message.

Regards,
Del

  On Tue, Oct 5, 2021 at 4:39, Walt Farrell <walt.farrell@GMAIL.COM> wrote:
  On 10/4/2021 3:29 PM, Bobby Sagami wrote:
> HI Del, the DPINTERxxxx is OWNED by IRRSITEC, and USAGE is CERTAUTH
> 
> So it appears my original thought, that the inter cert imported as IRRSITEC is screwing up my chain even though the USAGE is correct? I couldn't find this on the internet, thus I asked, as this cert is defined in other keyrings, which makes it difficult to reimport with IRRCERTA as owner.
> 
> You mention "owned by irrsitec instead of irrsitea"... I wasn't aware of an irrsitea, I only see irrsitec owned certs.

Probably meant irrcerta.

From the Security Administrator's Guide:

> The irrcerta, irrmulti, and irrsitec user IDs are defined in USER profiles that are
> supplied with RACF and cannot be defined by your installation. They are used to anchor
> certain profiles in the DIGTCERT and DIGTNMAP class that are not associated with
> individual user IDs, and cannot be used for any other purpose.
> • User certificates that you add using the RACDCERT ADD command with the CERTAUTH
> option are automatically associated with the user ID irrcerta.
> • User certificates that you add using the RACDCERT ADD command with the SITE option
> are automatically associated with the RACF user ID irrsitec.
--
Walt
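To make the rule that Wai, Del and the manual excerpt describe concrete, here is an added model (example code, not RACF's and not from anyone in the thread) of how LISTCHAIN resolves an issuer: only certificates owned by the EE cert's own user ID or by CERTAUTH (irrcerta) are consulted, so a SITE-owned (irrsitec) intermediate leaves the chain incomplete even when it is connected to the same ring. Certificate subjects, labels and ring names are constructed to mirror the thread; expiry and signature checks are left out of the model.

```python
# Added example, not RACF code: a model of the RACDCERT LISTCHAIN issuer-lookup
# rule as stated in this thread. An issuer is found only among certificates
# owned by the EE cert's user ID or by CERTAUTH (irrcerta); SITE (irrsitec)
# certificates are never consulted, whatever rings they are connected to.
from dataclasses import dataclass

CERTAUTH = "irrcerta"   # owner of certs added with RACDCERT CERTAUTH ADD
SITE = "irrsitec"       # owner of certs added with RACDCERT SITE ADD


@dataclass(frozen=True)
class Cert:
    owner: str
    label: str
    subject: str
    issuer: str
    rings: frozenset = frozenset()   # ring names this cert is connected to


def build_chain(ee, store):
    """Walk from the EE cert to a self-signed root using the modelled rule.
    Returns (chain, complete)."""
    chain, current = [ee], ee
    while current.subject != current.issuer:
        issuers = [c for c in store
                   if c.subject == current.issuer
                   and c.owner in (ee.owner, CERTAUTH)]
        if not issuers:
            return chain, False          # "chain is incomplete"
        current = issuers[0]
        chain.append(current)
    return chain, True                   # "chain is complete"


def rings_in_common(chain):
    """Rings holding every cert of the chain (the 'ring in common' lines)."""
    common = set(chain[0].rings)
    for c in chain[1:]:
        common &= c.rings
    return sorted(common)


def listchain(ee, store):
    chain, complete = build_chain(ee, store)
    return {"count": len(chain), "complete": complete,
            "rings": rings_in_common(chain)}


def scenario(inter_owner, ee_rings=frozenset()):
    """Same constructed root and EE; only the intermediate's owner differs."""
    ring = frozenset({"A001_SSL_RING"})
    root = Cert(CERTAUTH, "ROOTxxxxxxxxxxxxxx", "CN=Root", "CN=Root", ring)
    inter = Cert(inter_owner, "DPINTERxxxxx", "CN=Inter", "CN=Root", ring)
    ee = Cert("DPUSERP", "DATAPOWER 2021", "CN=ws.hondaweb.com", "CN=Inter", ee_rings)
    return listchain(ee, [root, inter])
```

With the intermediate owned by SITE the model reproduces the thread's "Chain contains 1 certificate(s), chain is incomplete"; re-owning it as CERTAUTH yields a complete three-certificate chain.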

Confidentiality Notice: This transmission (including any attachments) may contain confidential information belonging to the sender and is intended only for the use of the party or entity to which it is addressed. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, retention or the taking of action in reliance on the contents of this transmission is strictly prohibited. If you have received this transmission in error, please immediately notify the sender and erase all information and attachments.





