


Jim,



These two CAs will be expiring, 8/21/18.

Certificate                                     Common name          Expiration date (*MDY)
CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US      GeoTrust Global CA   08/21/18
Equifax Secure Certificate Authority                                 08/22/18

How can I easily find which applications, if any, are using these CAs?



Paul



-----Original Message-----
From: Steinmetz, Paul
Sent: Monday, March 19, 2018 2:02 PM
To: 'Midrange Systems Technical Discussion'
Subject: RE: V7R3 DCM Certificate Authority root and intermediate updates



Jim,



Very interesting.

Using your sample below, I was able to the root and int CAs for a 3rd party remote site.



Have you taken this to the next level, create a tool that would run this for all SSL connections, convert the output and store the results in a db file?



Paul



-----Original Message-----

From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of JWGrant@xxxxxxxxxxxxxxx

Sent: Monday, March 19, 2018 1:20 PM

To: Midrange Systems Technical Discussion

Subject: RE: V7R3 DCM Certificate Authority root and intermediate updates



I use openssl (on the IBMi) for this very reason.



strqsh (and at the command line issue the openssl client command)



openssl s_client -showcerts -connect www.domain.com:443



Output sample:



openssl s_client -showcerts -connect www.ibm.com:443



CONNECTED(00000003)

depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018
verify error:num=20:unable to get local issuer certificate

---

Certificate chain

0 s:/C=US/ST=New York/L=Armonk/O=IBM/CN=www.ibm.com

i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018


1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018

i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA

---

Server certificate

subject=/C=US/ST=New York/L=Armonk/O=IBM/CN=www.ibm.com

issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018

---

No client certificate CA names sent

Peer signing digest: SHA256

Server Temp Key: ECDH, P-256, 256 bits

---

SSL handshake has read 4085 bytes and written 432 bytes

---

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

SSL-Session:

Protocol : TLSv1.2

Cipher : ECDHE-RSA-AES256-GCM-SHA384

Session-ID:

B1E3D99FD3A10E41C6D3D7FBA4D9E0BC54DF136B9A146258D3FFB30E89EC9E60

Session-ID-ctx:

Master-Key:

478BE72A6CEEE7BB1A1B6F07D7C4BD6E39B5338B633A2BFED675D213A2D7E55CCBF6FCF74D83FBD39BA0B437D1062901

Key-Arg : None

PSK identity: None

PSK identity hint: None

SRP username: None

TLS session ticket lifetime hint: 7200 (seconds)

TLS session ticket:




Start Time: 1521479792

Timeout : 300 (sec)

Verify return code: 20 (unable to get local issuer certificate)

---

closed

$





Jim W Grant

Senior VP, Chief Information Officer

Web: www.pdpgroupinc.com
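The tool Paul asks for further up (run the openssl check against many remote sites and record which CA each chain depends on) can be built by parsing the "Certificate chain" section of this output, which is what the added example below does. It is example code written for this page, not code from the thread or from PDP Group: cn_of, parse_s_client, depends_on, probe, SAMPLE and WATCHED are constructed names, SAMPLE is a constructed cut-down copy of the www.ibm.com output above, and probe() assumes an openssl binary on the PATH (PASE on IBM i).

```python
import re
import subprocess

CHAIN_LINE = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:/C=US/.../CN=www.ibm.com"
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")          # "   i:/C=US/.../CN=GeoTrust RSA CA 2018"
VERIFY_LINE = re.compile(r"^Verify return code: (\d+)")

def cn_of(dn):
    """CN attribute of a slash- or comma-separated DN (falls back to the whole DN)."""
    m = re.search(r"CN\s*=\s*([^/,]+)", dn)
    return m.group(1).strip() if m else dn.strip()

def parse_s_client(text):
    """Reduce s_client output to {'chain': [(subject_cn, issuer_cn), ...], 'verify_code': int|None}."""
    chain, verify, subject = [], None, None
    for line in text.splitlines():
        if (m := CHAIN_LINE.match(line)):          # "N s:<subject>" opens a chain entry
            subject = cn_of(m.group(2))
        elif (m := ISSUER_LINE.match(line)) and subject is not None:  # "i:<issuer>" closes it
            chain.append((subject, cn_of(m.group(1))))
            subject = None
        elif (m := VERIFY_LINE.match(line)):
            verify = int(m.group(1))
    return {"chain": chain, "verify_code": verify}

def depends_on(parsed, watched_cas):
    """Watched CA names that occur anywhere in the chain (as subject or issuer)."""
    names = {n for pair in parsed["chain"] for n in pair}
    return sorted(names & set(watched_cas))

def probe(host, port=443):
    """Live check of one endpoint; assumes the openssl binary is on PATH (not run in tests)."""
    out = subprocess.run(["openssl", "s_client", "-showcerts", "-servername", host,
                          "-connect", f"{host}:{port}"], input=b"", capture_output=True, timeout=20)
    return parse_s_client(out.stdout.decode(errors="replace"))

# Constructed sample modelled on the www.ibm.com output quoted in the thread (PEM blocks omitted).
SAMPLE = """Certificate chain
 0 s:/C=US/ST=New York/L=Armonk/O=IBM/CN=www.ibm.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Verify return code: 20 (unable to get local issuer certificate)
"""
WATCHED = ["GeoTrust Global CA", "Equifax Secure Certificate Authority", "DigiCert Global Root CA"]
if __name__ == "__main__":  # swap SAMPLE for probe(host) per remote site and store the result
    r = parse_s_client(SAMPLE)
    print(r["chain"], "depends on:", depends_on(r, WATCHED), "verify:", r["verify_code"])
```

s_client shows only what the remote end sends, so a root that sits in your DCM store but is not served appears only as the issuer of the last chain entry; matching on issuer CNs as well as subjects (as depends_on does) is what catches that case.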









From: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx>

To: "'midrange-l@xxxxxxxxxxxx'" <midrange-l@xxxxxxxxxxxx>

Date: 03/19/2018 10:55 AM

Subject: RE: V7R3 DCM Certificate Authority root and intermediate updates

Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>







I run a TRCINT TRCTYPE > *SCKSSL as needed to monitor the SSL traffic.



Command to execute is:

TRCINT SET(*ON) TRCTBL('SSL-1700x') SIZE(512 *MB) TRCFULL(*STOPTRC) TRCTYPE(*SCKSSL) SLTTRCPNT((17000 17009)).



However, the SCKSSL trace does not include the SSL certs used, only the below.



To the best of my knowledge, there is no tool/method to confirm which SSL certs or CAs are being used on the i.



A spooled file named QPCSMPRT is created for the user that ran the TRCINT

SET(*OFF) command. Submit the TRCINT SET(*OFF) command to a background job when you are managing a large trace capture. The following trace point output outlines the connection properties included in the trace point.



SOCKETS IDENTIFIER : SC#17003 TIME 02/17/15 11:03:33.151908 TDE# 000000003C94

#1 ( 21) +0000 C3D6D5D5C5C3E3C9 D6D540D7D9D6D7C5 D9E3C9C5E2 *CONNECTION PROPERTIES

#2 ( 7) +0000 E3D3E2E5F14BF1 *TLSV1.1

#3 ( 28) +0000 E3D3E26DD9E2C16D E6C9E3C86DC1C5E2 6DF1F2F86DC3C2C3 6DE2C8C1 *TLS_RSA_WITH_AES_128_CBC_SHA

#4 ( 10) +0000 D3D6C3C1D340D7D6 D9E3 *LOCAL PORT

#5 ( 3) +0000 F9F9F2 *992

#6 ( 16) +0000 D3D6C3C1D340C9D7 40C1C4C4D9C5E2E2 *LOCAL IP ADDRESS

#7 ( 20) +0000 7A7A868686867AF1 F9F84BF5F14BF1F0 F04BF1F5 *::ffff:198.51.100.15

#8 ( 11) +0000 D9C5D4D6E3C540D7 D6D9E3 *REMOTE PORT

#9 ( 5) +0000 F6F1F8F5F2 *61852

#10 ( 17) +0000 D9C5D4D6E3C540C9 D740C1C4C4D9C5E2 E2 *REMOTE IP ADDRESS

#11 ( 20) +0000 7A7A868686867AF1 F9F84BF5F14BF1F0 F04BF1F6 *::ffff:198.51.100.16

#12 ( 16) +0000 E3D5C1C3C3C5D7E3 E3C1E2D240404040 *TNACCEPTTASK

#13 ( 22) +0000 D8C9C2D46DD8E3E5 6DE3C5D3D5C5E36D E2C5D9E5C5D9 *QIBM_QTV_TELNET_SERVER



The following information is in the trace point entry data:



Protocol Negotiated

Cipher suite Negotiated

Local port and IP address

Remote port and IP address

Job/Task/Device name

Application ID (if used)



Paul



-----Original Message-----

From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Raul Jager

Sent: Monday, March 19, 2018 10:03 AM

To: midrange-l@xxxxxxxxxxxx

Subject: Re: V7R3 DCM Certificate Authority root and intermediate updates



It is a very simple procedure to install the root cert, easier than applying a PTF. I do not think it is a good idea to install all the certs automatically, rather install only the ones I need.



It would be a good idea to delete the old one (probably VeriSign).





On 03/19/2018 10:34 AM, Steinmetz, Paul wrote:

We had a 3rd party application update their SSL wildcard cert this past Saturday.

Our application failed with below errors.



SSL_Handshake() error [IBM -23]: Certificate is not signed by a trusted certificate authority.

Error 51: SSL peer certificate or SSH remote key was not OK
Closing connection #0
SSL peer certificate or SSH remote key was not OK



Their new cert required us to have the below root and intermediate CA added to our system store.



DigiCertGlobalRootCA.crt

DigiCertSHA2SecureServerCA.crt



The folks that maintain SSL for our Windows and Linux servers stated these CA updates are automatic and included with their OS updates.



Why doesn't IBM do the same for i?

Have new and updated CAs applied to system store via PTFs.



Or are there any processes/procedures to be more proactive for future SSL updates?



Thank You

_____

Paul Steinmetz

IBM i Systems Administrator



Pencor Services, Inc.

462 Delaware Ave

Palmerton Pa 18071



610-826-9117 work

610-826-9188 fax

610-349-0913 cell

610-377-6012 home



psteinmetz@xxxxxxxxxx

http://www.pencor.com/







-- This e-mail was sent from the Mail Server of the newspaper ABC Color --

-- Checked by Symantec Corporate Anti-Virus --

--

This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related questions.

Help support midrange.com by shopping at amazon.com with our affiliate link: http://amzn.to/2dEadiD
