1) I restored the system store, DEFAULT.*DB, from backup.
2) I reimported the new wild card .pfx, selecting server certificate, this was successful.

Now I need to test the new wild card sha256 cert.
What is the easiest and fastest test for this?

Paul
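An added check for the question above (not from the thread, and not IBM DCM tooling): a POSIX shell script built on openssl that reports a certificate's signature algorithm and wildcard SAN offline, and fetches the leaf certificate a live listener actually presents. It generates its own sample certificates, so the *.example.com names, the sha384-signed stand-in for the old certificate, and the host/port placeholders are constructed; it assumes OpenSSL 1.1.1 or later (for req -addext and x509 -ext).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: check that an imported
# wildcard certificate is SHA-256 signed and carries the wildcard SAN,
# offline against a PEM file, then live against a TLS port.
# Assumes OpenSSL >= 1.1.1; hosts, ports and names below are placeholders.
set -eu

WORK="${TMPDIR:-/tmp}/certcheck.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Signature algorithm of the certificate: the first "Signature Algorithm:"
# line in -text output is the one inside the signed body.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk '/Signature Algorithm:/ { print $3; exit }'
}

# Exit 0 only when the certificate is signed with SHA-256 over RSA.
cert_is_sha256() {
    [ "$(cert_sig_alg "$1")" = "sha256WithRSAEncryption" ]
}

# Exit 0 when <name> (e.g. '*.example.com') is one of the SAN entries.
# Browsers match the wildcard against the SAN, not the subject CN.
cert_has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName |
        tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# Print algorithm, subject and expiry for a PEM file; exit status is the
# SHA-256 requirement.
check_cert_file() {
    printf '%s: %s\n' "$1" "$(cert_sig_alg "$1")"
    openssl x509 -in "$1" -noout -subject -enddate
    cert_is_sha256 "$1"
}

# Live check: write the leaf certificate the server presents to stdout.
# Usage: remote_leaf_cert ibmi.example.com 443 > live.pem; check_cert_file live.pem
# SNI (-servername) matters when a wildcard cert sits on a multi-host listener.
remote_leaf_cert() {  # remote_leaf_cert <host> <port> [<sni-name>]
    openssl s_client -connect "$1:$2" -servername "${3:-$1}" </dev/null 2>/dev/null |
        openssl x509
}

# Constructed sample certs: a SHA-256 wildcard cert like the one being
# imported, and one signed with another digest standing in for the old cert.
mk_cert() {  # mk_cert <digest> <out.pem>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 "-$1" \
        -subj "/CN=*.example.com" -addext "subjectAltName=DNS:*.example.com" \
        -keyout "$WORK/key-$1.pem" -out "$2" >/dev/null 2>&1
}
NEW_CERT="$WORK/wildcard-sha256.pem"
OLD_CERT="$WORK/wildcard-other.pem"
mk_cert sha256 "$NEW_CERT"
mk_cert sha384 "$OLD_CERT"

for f in "$NEW_CERT" "$OLD_CERT"; do
    if check_cert_file "$f"; then
        echo "PASS: SHA-256 signature"
    else
        echo "FAIL: not SHA-256"
    fi
    cert_has_san "$f" '*.example.com' && echo "PASS: wildcard SAN present"
done
```

Once the DCM application definition is switched to the new certificate, the live check can be run from any workstation that reaches the listener; the same s_client output also prints a Verify return code, which reveals whether the intermediate CA is being served along with the leaf.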

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of AHoerle@xxxxxxxxxxxxx
Sent: Thursday, January 22, 2015 9:16 AM
To: Midrange Systems Technical Discussion
Subject: Re: DCM SSL sha1 / sha256 cert issues

Paul,

We just updated to SHA2 certificates last month. We didn't run into any problems, but they were standard (not wildcard) certificates.

Good luck!



Amy Hoerle
System Administrator
Think Mutual Bank
5200 Members Pkwy NW, Box 5949
Rochester, MN 55901

507-536-5815 or
800-288-3425 Ext 5815
ahoerle@xxxxxxxxxxxxx



From: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx>
To: "'Midrange Systems Technical Discussion'"
<midrange-l@xxxxxxxxxxxx>
Date: 01/21/2015 07:55 PM
Subject: DCM SSL sha1 / sha256 cert issues
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



I recently received a request from our security folks that we need to update/reissue our wildcard cert from sha1 to sha256 due to new browser requirements.

http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html


I was given the new wildcard cert, (Int CA, cert, private key), but they failed to import to DCM.
I opened a PMR with IBM; to make a long story short, because DCM did not have the DCR, the cert will not import.
Per IBM support, you need to import the new certificate into the store which generated the DCR.
Once this is completed, export the certificate from the certificate store and then I will be able to import into a different store.

Our security folks sent me this link along with a new .pfx file
http://www-01.ibm.com/support/docview.wss?uid=nas8N1019818

I was reluctant to import using this method.
I normally import either .pem or .cer individually, never from a .pfx file.

The import was successful, new intermediate CA ok, however, the new sha256 cert had no label.
Because the new imported cert has no label, it is not useable, cannot delete, no fix available from IBM.

Problem is IBM doc above, N1019818, had you import the pfx into a CA.
When you import into a CA, there is no prompt for a label.
Instead, you should import into Server/Client, which will prompt to enter a label.
Cannot re-import, duplicate.

Current workaround from IBM.

Restore the DCM system store from backup. These would be the steps:

1. WRKLNK '/qibm/UserData/ICSS/Cert/Server/DEFAULT.KDB' and take option 7 to rename. Call it DEFAULT.KDB.OLD
2. WRKLNK '/qibm/UserData/ICSS/Cert/Server/DEFAULT.RDB' and take option 7 to rename. Call it DEFAULT.RDB.OLD
3. Restore the /qibm/UserData/ICSS/Cert/Server/DEFAULT.RDB and /qibm/UserData/ICSS/Cert/Server/DEFAULT.KDB files from backup

There is a recent PTF, SI55542, which addresses the blank label issue.

I don't work with DCM and certs all that often, it is never fun.
Anyone else experiencing/dealing with the sha1 to sha256 cert, SSL, DCM issues?

Thank You
_____
Paul Steinmetz
IBM i Systems Administrator

Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071

610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home

psteinmetz@xxxxxxxxxx
http://www.pencor.com/