1) I restored the system store, DEFAULT.*DB, from backup.
2) I reimported the new wild card .pfx, selecting server certificate, this was successful.
Now I need to test the new wild card sha256 cert.
What is the easiest and fasted test for this?
Paul
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of AHoerle@xxxxxxxxxxxxx
Sent: Thursday, January 22, 2015 9:16 AM
To: Midrange Systems Technical Discussion
Subject: Re: DCM SSL sha1 / sha256 cert issues
Paul,
We just updated to SHA2 certificates last month. We didn't run into any problems, but they were standard (not wildcard) certificates.
Good luck!
Amy Hoerle
System Administrator
Think Mutual Bank
5200 Members Pkwy NW, Box 5949
Rochester, MN 55901
507-536-5815 or
800-288-3425 Ext 5815
ahoerle@xxxxxxxxxxxxx
From: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx>
To: "'Midrange Systems Technical Discussion'"
<midrange-l@xxxxxxxxxxxx>
Date: 01/21/2015 07:55 PM
Subject: DCM SSL sha1 / sha256 cert issues
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
I recently received a request from our security folks that we need to update/reissue our wildcard cert from sha1 to sha256 due to new browser requirements..
http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html
I was given the new wildcard cert, (Int CA, cert, private key), but they failed to import to DCM.
I opened a PMR with IBM, to may a long story short, because DCM did not have the DCR, the cert will not import.
Per IBM support, you need to import the new certificate into the store which generated the DCR.
Once this is completed, export the certificate from the certificate store and then I will be able to import into a different store.
Our security folks sent me this link along with a new .pfx file
http://www-01.ibm.com/support/docview.wss?uid=nas8N1019818
I was reluctant to import using this method.
I normally import either .pem or .cer individually, never from a .pfx file.
The import was successful, new intermediate CA ok, however, the new sha256 cert had no label.
Because the new imported cert has no label, it is not useable, cannot delete, no fix available from IBM.
Problem is IBM doc above, N1019818, had you import the pfx into a CA.
When you import into a CA, there is no prompt for a label.
Instead, you should import into Server/Client, which will prompt to enter a label.
Cannot re-import, duplicate.
Current workaround from IBM.
Restore the DCM system store from backup. These would be the steps:
1. WRKLNK '/qibm/UserData/ICSS/Cert/Server/DEFAULT.KDB' and take option 7 to rename. Call it DEFAULT.KDB.OLD 2. WRKLNK '/qibm/UserData/ICSS/Cert/Server/DEFAULT.RDB' and take option 7 to rename. Call it DEFAULT.RDB.OLD 3. Restore the /qibm/UserData/ICSS/Cert/Server/DEFAULT.RDB and /qibm/UserData/ICSS/Cert/Server/DEFAULT.KDB files from backup
There is a recent PTF, SI55542, which addresses the blank label issue.
I don't work with DCM and certs all that often, it is never fun.
Anyone else experiencing/dealing with the sha1 to sha256 cert, SSL, DCM issues?
Thank You
_____
Paul Steinmetz
IBM i Systems Administrator
Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071
610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home
psteinmetz@xxxxxxxxxx
http://www.pencor.com/
midrange.com
