



On Wed, 7 Nov 2001, Sean Porterfield wrote:

> Scott,
>
> Did you test with a client cert but without the client cert required on the
> AS/400?  When I tried mine, it did nothing.  I used the "verify CA" and it
> worked fine.  Just when I added the client cert parameter did it fail.

If you use a trace file, it should be putting diagnostic info into that
file.  (If you can't figure it out, send me a copy of the trace file)

I did test with the client cert, both with it required on the AS/400 and
without it required on the AS/400.   It worked in both cases...  When the
AS/400 didn't require the client cert, tn5250 didn't send it to the
AS/400, so it didn't actually have any effect -- the session just worked.

Also, it may help to note that certificates are "signed" by certificate
authorities.  Your AS/400, or your OpenSSL, may be rejecting the client
certificate that's assigned if it doesn't recognize the certificate
authority that signed it.   In that case, you'll need to use the
ssl_ca_file= option to tn5250 to also supply the certificate authority's
certificate.   I don't know if this is what's happening, but... I thought
it'd be worth mentioning.

> On another note, I had to follow your directions for creating a client cert
> even though I had already created one previously...  I couldn't figure out
> how to get my other one off the AS/400!  (I have it installed on MSIE at
> work, but that didn't seem to be a compatible format.)  No big deal really.

I tried to make it work with MSIE, but MSIE kept giving me an error
message so I gave up :(   Probably, my copy of MSIE is screwed, I should
probably play with that some more.   Netscape seemed a better choice
anyway, since it's available for Linux.

>
> I can't turn on the "require certificate" on the AS/400 yet because I have
> too many real users who don't have client certs.  I couldn't get DCM to
> create a cert except for the user who is signed on, and I don't want all of
> my users using DCM!  (<sarcasm>Thanks IBM</sarcasm>)
>

I wrote a proxy that listens on a different port on the AS/400 that
requires a client certificate, then proxies all of the data to port 23,
so that I could allow both the "client authenticated" and "normal SSL"
clients at the same time.  :)   It's written in RPG IV, I could send
you a copy if you're interested.  (it requires V4R5 & certain PTFs)

I did my testing with the "real telnet server" with client authentication
on the weekends when nobody was using the system.
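
The proxy arrangement described in this message (a second listener that requires a client certificate and relays to port 23), sketched in Python as an added example; it is not the RPG IV proxy mentioned above or code from the tn5250 project. The file names and listening port 9992 are placeholders, and `ca_file` is the CA that signed the client certificates, the same trust question raised above for `ssl_ca_file=`.

```python
import contextlib
import socket
import ssl
import threading

def make_server_context(cert_file=None, key_file=None, ca_file=None, require_client_cert=True):
    """TLS server context; with require_client_cert the handshake fails unless
    the client presents a certificate signed by a CA found in ca_file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # CA that signed the client certs
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_NONE
    return ctx

def pump(src, dst):
    """Copy bytes src -> dst until src closes, then tear down both sides."""
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    for s in (src, dst):
        with contextlib.suppress(OSError):
            s.shutdown(socket.SHUT_RDWR)  # also wakes the opposite pump thread

def handle(conn, backend_addr, ctx):
    """Handshake (client cert checked here), then relay to the plain backend."""
    tls = backend = None
    with contextlib.suppress(OSError):  # ssl.SSLError is an OSError subclass
        tls = ctx.wrap_socket(conn, server_side=True)
        backend = socket.create_connection(backend_addr)
        back = threading.Thread(target=pump, args=(backend, tls), daemon=True)
        back.start()
        pump(tls, backend)
        back.join()
    for s in (tls or conn, backend):
        if s is not None:
            s.close()

def serve(listen_addr, backend_addr, ctx):
    """Accept forever; each connection gets its own thread for the handshake."""
    with socket.create_server(listen_addr) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn, backend_addr, ctx), daemon=True).start()

if __name__ == "__main__":
    # Placeholder file names and listening port; port 23 is the telnet server.
    ctx = make_server_context("server.pem", "server.key", "client-ca.pem")
    serve(("0.0.0.0", 9992), ("127.0.0.1", 23), ctx)
```

Clients without a certificate keep using the normal SSL telnet port, while anything arriving on the proxy port is dropped during the handshake unless its certificate chains to `client-ca.pem`.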






This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].