Are you saying...

   1. You have your own CA (myCA)
   2. You have a certificate (mycertificate) signed by myCA
   3. If you use this certificate you can work with a server not on z/OS or
      z/VM. This server has its own certificate signed by myCA.
      1. I expect your z/OS has the CA in its keyring so the certificate
         sent from the server can be verified.
   4. You have installed mycertificate on z/VM.
   5. When this tries to connect to the server it gets a problem?


The problem may be the server is sending down its server's CA, but your
z/VM system does not have the myCA installed, and so is unable to verify it.
First check you have the CA certificate available in the trust
store/keystore.

Do you get any diagnostics?

Can you get a Wireshark trace of the server (and send it to me
privately)?

I'm happy to work with you offline

Colin




On Sun, 11 Jun 2023 at 07:29, Itschak Mugzach <
00000305158ad67d-dmarc-requ...@listserv.ua.edu> wrote:

> I have a certificate signed by an intermediate CA that is self signed (the
> CA certificate). The certificate CN is not specific for a client.
> Now I installed it on Z/OS RACF and it works with no problem against a
> server having a server certificate from the same CA.
> Now I installed the same certificate on Z/VM (gskyman) and tried to connect
> to the same server. The certificate is refused and the server asks for
> renegotiating (which is impossible at TLS 1.2).
>
> Why does that happen? Both certificates are marked TRUSTED.
>
> ITschak
>
>
> | Itschak Mugzach | Director | SecuriTeam Software | IronSphere Platform |
> Information Security Continuous Monitoring for Z/OS, zLinux and IBM I |
>
> | Email: i_mugz...@securiteam.co.il | Mob: +972 522 986404 |
> Skype: ItschakMugzach | Web: www.Securiteam.co.il |
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
