Terri, I've sent you a program to do a better list ring command - it gives details of the certificates instead of just the owner and labels.

Your RACF keystore looks OK. It has the CA certificates that it needs. (In https://colinpaice.blog/2020/01/ are other examples I had of CWPKI0022E. As a last resort you might try them. For example some browsers require a certificate with "extendedKeyUsage = clientAuth" during signing; they do not look relevant.)

*The PKIX path building failed:* looks like a certificate cannot be seen on the server side. I've seen this when it was expired, or was non trusted, so try checking RACDCERT LISTRING('ACWA Client Cert') ID(TSSTESA) and making sure it is trusted.

regards
Colin

On Fri, 13 Aug 2021 at 14:23, Shaffer, Terri <[email protected]> wrote:

> Hi Colin,
> Yes I read your info and it was super helpful, but I could get past not
> having the ability for all PC's to do an HTTPS TLS 1.2 connection from a
> browser.
>
> For example.
>
> Label: Corporate Root CA
> Certificate ID: 2QiJmZmDhZmjgcOWmZeWmYGjhUDZlpajQMPB
> Status: TRUST
> Start Date: 2015/08/14 13:27:47
> End Date: 2114/08/14 13:37:46
> Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Issuer's Name: CN=COV1CERT01VM
> Subject's Name: CN=COV1CERT01VM
>
> Label: Corporate IMMED CA
> Certificate ID: 2QiJmZmDhZmjgcOWmZeWmYGjhUDJ1NTFxEDDwUBA
> Status: TRUST
> Start Date: 2016/04/25 13:00:14
> End Date: 2114/08/14 13:37:46
> Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Issuer's Name: CN=COV1CERT01VM
> Subject's Name: CN=NRC1CERT03VM.am.tsacorp.com
>
> Label: ACWA Client Cert
> Certificate ID: 2Qfj4uLjxeLBwcPmwUDDk4mFlaNAw4WZo0BA
> Status: TRUST
> Start Date: 2021/08/11 08:34:50
> End Date: 2023/08/11 08:34:50
> Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Issuer's Name: CN=NRC1CERT03VM.am.tsacorp.com
> Subject's Name: CN=MFZ900ACWA.AM.TSACORP.COM
> Subject's AltNames:
>   IP: 10.x.xx.xxx
>   Domain: MFZ900ACWA.AM.TSACORP.COM
>
> And lastly my keyring owned by IZUSVR
>
> Ring:
>   IZUKeyring.IZUDFLT
>
> Certificate Label Name             Cert Owner   USAGE     DEFAULT
> ---------------------------------  -----------  --------  --------
> Corporate Root CA                  CERTAUTH     CERTAUTH  NO
> Corporate IMMED CA                 CERTAUTH     CERTAUTH  NO
> ACWA Client Cert                   ID(TSSTESA)  PERSONAL  YES
>
> Ms Terri E Shaffer
> Senior Systems Engineer,
> z/OS Support:
> ACIWorldwide – Telecommuter
> H(412-766-2697) C(412-519-2592)
> [email protected]
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Colin Paice
> Sent: Friday, August 13, 2021 9:13 AM
> To: [email protected]
> Subject: Re: z/OSMF Certificates
>
> External Email
>
> Terri,
>
> I too had problems and wrote A practical guide to getting z/OSMF working
> <https://colinpaice.blog/2020/12/21/a-practical-guide-to-getting-z-osmf-working/>
> it mentions certificates.
>
> It sounds like someone is trying to connect to your server. The CAs for
> this user are not in the server's keyring.
>
> Can you list your client's certificate and see the CA's for the client
> cert?
>
> on z try
> RACDCERT LISTRING(IZUKeyring.IZUDFLT) ID(IZUSVR) to see what is in RACF.
>
> What are you using on your client - browser or python etc?
>
> regards
>
> Colin
>
> On Fri, 13 Aug 2021 at 13:59, Shaffer, Terri <[email protected]> wrote:
>
> > So I am no expert when it comes to certificates, So maybe someone can
> > shed some light for me.
> >
> > By default z/OSMF is configured with a CA or ZOSMFCA label. That
> > doesn't work or maybe seem to work for me. I can generate a client
> > certificate from it and download to my PC but will never establish an
> > SSL TLS 1.2 connection. I also don't have admin rights, so even if I
> > could it would only be for me, at least I think.
> >
> > So my corporate network team, gave me a root and immediate CA and then
> > generated a client certificate for me.
> >
> > I imported them to RACF as trusted and built my z/OSMF key ring off
> > those, which seemed to work...
> >
> > However now I am getting
> >
> > [ERROR ] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN
> > CN=xxx.xxx.xxx.xxx my IP
> > The signer might need to be added to local trust store
> > safkeyringhybrid://IZUSVR/IZUKeyring.IZUDFLT, located in SSL
> > configuration alias izuSSLConfig.
> > The extended error message from the SSL handshake exception is: PKIX
> > path building failed:
> > com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid
> > certification path to requested target.
> >
> > Which I guess makes sense because my network team gave me all the Certs.
> > But is there a way to resolve this so all users get a TLS 1.2 https
> > connection?
> >
> > Ms Terri E Shaffer
> > Senior Systems Engineer,
> > z/OS Support:
> > ACIWorldwide - Telecommuter
> > H(412-766-2697) C(412-519-2592)
> > [email protected]
> >
> > ________________________________
> > [https://go.aciworldwide.com/rs/030-ROK-804/images/aci-footer.jpg]
> > <http://www.aciworldwide.com> This email message and any attachments
> > may contain confidential, proprietary or non-public information. The
> > information is intended solely for the designated recipient(s). If an
> > addressing or transmission error has misdirected this email, please
> > notify the sender immediately and destroy this email. Any review,
> > dissemination, use or reliance upon this information by unintended
> > recipients is prohibited. Any opinions expressed in this email are
> > those of the author personally.
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions, send
> > email to [email protected] with the message: INFO IBM-MAIN
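The "PKIX path building failed: unable to find valid certification path" text in the CWPKI0022E message is the outcome of a specific procedure: starting from the presented certificate, the server follows issuer links through its key ring until it reaches a trusted self-signed root, and gives up if any link is missing, expired or marked NOTRUST. The following is an added example, not code from the thread or from IBM; it models the three IZUKeyring.IZUDFLT entries Terri listed as plain records (subjects, issuers, dates and trust flags are copied from her listing; the names `CertRecord`, `build_path` and `diagnose` are this example's own) and runs that procedure over them, once with the complete ring and then with the intermediate CA missing, untrusted, or the client certificate expired. Signature verification, key usage and revocation are deliberately left out.

```python
# Added example (not from the thread): a toy certification-path builder that
# reproduces the decision behind "PKIX path building failed: unable to find
# valid certification path to requested target". The key-ring entries below are
# constructed from the RACDCERT listing quoted in the thread; trust flags
# correspond to "Status: TRUST". Signature checks are deliberately omitted.
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class CertRecord:
    label: str        # RACF certificate label
    subject: str      # Subject's Name
    issuer: str       # Issuer's Name
    not_before: datetime
    not_after: datetime
    trusted: bool     # True when RACDCERT shows Status: TRUST


class PathBuildingError(Exception):
    """Raised when no chain from the leaf to a trusted self-signed root exists."""


def _dn_key(dn: str) -> str:
    # RFC 5280 name matching is case-insensitive for most attribute types;
    # a casefolded, whitespace-trimmed string is an adequate stand-in here.
    return " ".join(dn.split()).casefold()


def _entry_problem(cert: CertRecord, now: datetime):
    """Return a reason this certificate cannot appear in a valid path, or None."""
    if not cert.trusted:
        return f"'{cert.label}' is not trusted (Status: NOTRUST)"
    if now < cert.not_before or now > cert.not_after:
        return f"'{cert.label}' is outside its validity period at {now:%Y/%m/%d %H:%M:%S}"
    return None


def build_path(leaf: CertRecord, ring: list, now: datetime) -> list:
    """Walk issuer links from `leaf` through `ring` until a trusted self-signed
    root is reached. Every ring entry whose subject matches the needed issuer
    is tried (a ring may hold several CAs with the same name, e.g. a renewed
    CA). Returns [leaf, ..., root] or raises PathBuildingError listing why each
    branch was rejected."""
    by_subject = {}
    for cert in ring:
        by_subject.setdefault(_dn_key(cert.subject), []).append(cert)
    reasons = []

    def extend(path):
        current = path[-1]
        problem = _entry_problem(current, now)
        if problem:
            reasons.append(problem)
            return None
        if _dn_key(current.issuer) == _dn_key(current.subject):
            return path                      # self-signed trusted root: done
        issuers = by_subject.get(_dn_key(current.issuer), [])
        if not issuers:
            reasons.append(f"no certificate with subject '{current.issuer}' in the ring")
            return None
        for issuer in issuers:
            if issuer in path:               # guard against issuer loops
                continue
            found = extend(path + [issuer])
            if found:
                return found
        return None

    path = extend([leaf])
    if path is None:
        raise PathBuildingError("unable to find valid certification path: " + "; ".join(reasons))
    return path


def diagnose(leaf: CertRecord, ring: list, now: datetime) -> str:
    """One-line verdict in the spirit of the CWPKI0022E message."""
    try:
        return "OK: " + " -> ".join(c.label for c in build_path(leaf, ring, now))
    except PathBuildingError as exc:
        return f"FAIL: {exc}"


# Constructed sample data mirroring the IZUKeyring.IZUDFLT listing in the thread.
ROOT = CertRecord("Corporate Root CA", "CN=COV1CERT01VM", "CN=COV1CERT01VM",
                  datetime(2015, 8, 14, 13, 27, 47), datetime(2114, 8, 14, 13, 37, 46), True)
INTER = CertRecord("Corporate IMMED CA", "CN=NRC1CERT03VM.am.tsacorp.com", "CN=COV1CERT01VM",
                   datetime(2016, 4, 25, 13, 0, 14), datetime(2114, 8, 14, 13, 37, 46), True)
CLIENT = CertRecord("ACWA Client Cert", "CN=MFZ900ACWA.AM.TSACORP.COM",
                    "CN=NRC1CERT03VM.am.tsacorp.com",
                    datetime(2021, 8, 11, 8, 34, 50), datetime(2023, 8, 11, 8, 34, 50), True)
INTER_NOTRUST = CertRecord(INTER.label, INTER.subject, INTER.issuer,
                           INTER.not_before, INTER.not_after, False)
IZU_KEYRING = [ROOT, INTER, CLIENT]
WHEN = datetime(2021, 8, 13, 14, 0, 0)     # date of the thread
AFTER_EXPIRY = datetime(2024, 1, 1)        # past the client certificate's End Date

if __name__ == "__main__":
    print(diagnose(CLIENT, IZU_KEYRING, WHEN))                    # full chain found
    print(diagnose(CLIENT, [ROOT, CLIENT], WHEN))                 # intermediate missing
    print(diagnose(CLIENT, [ROOT, INTER_NOTRUST, CLIENT], WHEN))  # CA marked NOTRUST
    print(diagnose(CLIENT, IZU_KEYRING, AFTER_EXPIRY))            # client cert expired
```

The second and third cases are the two conditions Colin points at (a CA the server cannot see, or an entry that is not trusted); the fourth is the expiry case. A real path builder also verifies each signature against the issuer's public key and checks basic constraints and key usage, which is why a ring that looks complete in a LISTRING can still fail when, for example, the browser presents a certificate issued by a CA other than the ones in the ring.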
