On 8/25/2018 5:35 PM, Ed Jaffe wrote:
On 8/25/2018 10:28 AM, Jesse 1 Robinson wrote:
No Lone Ranger in Phoenixland. Same thing happened to us. This failure started during the day on Thursday 23rd. It was OK in the morning, failing in the afternoon. We waited till the next day to open an SR in case it was one of those transient problems. You know the kind. We got the advice in the SR to issue this command:

racdcert list(serial(023456)) certauth

What we were to look for was Status: TRUST plus association to SMPE Key Ring. The certificate was there but as NOTRUST with no associations at all. We had not changed anything on our side since we added the GeoTrust Global CA certificate months ago. Until Thursday it was working.

The fix was to modify the cert to TRUST and add the SMPE keyring. Now it's working fine. We may have overlooked some details when we added the cert. BTW the serial '023456' was not mentioned in our SR doc, but RACF knew it.

Wow! We needed to issue: RACDCERT CERTAUTH ALTER(LABEL('GeoTrust Global CA')) TRUST

The procedure is documented here: https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.gim3000/ecacert.htm

Ah, I think I know what happened. Please allow me to explain:
During the handshake for a secure connection the server sends a complete certificate chain to your SMP/E client. Prior to Thursday, this complete chain looked something like this:

1. eccgw01.boulder.ibm.com
2. GeoTrust SSL CA - G3
3. GeoTrust Global CA
4. Equifax/Equifax Secure Certificate Authority

The client examines the certificate chain and looks for matching and trusted certificates in its truststore. If the client's truststore contains and trusts any of the certificates in the chain, then the connection with the server is trusted.

This means, if you had either the Equifax CA or the GeoTrust Global CA in your truststore, then the connection with the server will be trusted.

On or about Wednesday, the Equifax CA certificate expired, and that last hop in the certificate chain was no longer being sent to the client. Hence, if you did not have the GeoTrust Global CA in your truststore, your connection to the server failed with an SSLHandshake error.

Kurt Quackenbush -- IBM, SMP/E Development
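The chain evaluation Kurt describes, as an added model (not SMP/E's or System SSL's code): the client walks the chain from the server certificate upward and stops at the first certificate the keyring holds with status TRUST. The keyring is modeled as a dict of CA subject name to RACF-style status, the subject/issuer names are constructed from the thread with no real key material, and the link-by-link issuer continuity check is an assumption of this model, not something the post states.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # subject of the certificate that signed this one


# Constructed chain as sent before the Equifax root expired (names from the thread).
CHAIN_BEFORE = (
    Cert("eccgw01.boulder.ibm.com", "GeoTrust SSL CA - G3"),
    Cert("GeoTrust SSL CA - G3", "GeoTrust Global CA"),
    Cert("GeoTrust Global CA", "Equifax Secure Certificate Authority"),
    Cert("Equifax Secure Certificate Authority", "Equifax Secure Certificate Authority"),
)
# After the expiry the server no longer sends the last hop.
CHAIN_AFTER = CHAIN_BEFORE[:-1]


def chain_is_trusted(chain, keyring):
    """Walk the chain upward; succeed at the first cert the keyring trusts.

    keyring maps a CA subject to "TRUST" or "NOTRUST".  A NOTRUST entry is
    present but does not anchor the chain, which is what Jesse's RACDCERT
    LIST output showed.  Returns (trusted, anchor_subject_or_None).
    """
    expected_issuer = None
    for cert in chain:
        # Assumed model: each link must be issued by the next cert in the chain.
        if expected_issuer is not None and cert.subject != expected_issuer:
            return False, None
        if keyring.get(cert.subject) == "TRUST":
            return True, cert.subject
        expected_issuer = cert.issuer
    return False, None


def scenarios():
    """The four keyring states discussed in the thread, before and after Thursday."""
    only_equifax = {"Equifax Secure Certificate Authority": "TRUST"}
    geotrust_notrust = {"GeoTrust Global CA": "NOTRUST"}  # cert present, not trusted
    geotrust_trust = {"GeoTrust Global CA": "TRUST"}      # after RACDCERT ... ALTER TRUST
    return {
        "before, only Equifax": chain_is_trusted(CHAIN_BEFORE, only_equifax)[0],
        "after, only Equifax": chain_is_trusted(CHAIN_AFTER, only_equifax)[0],
        "after, GeoTrust NOTRUST": chain_is_trusted(CHAIN_AFTER, geotrust_notrust)[0],
        "after, GeoTrust TRUST": chain_is_trusted(CHAIN_AFTER, geotrust_trust)[0],
    }
```

Running `scenarios()` shows that a keyring holding only the Equifax root worked until the server stopped sending it, and that the GeoTrust Global CA entry only helps once its status is TRUST.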

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
