I run a TRCINT TRCTYPE(*SCKSSL) as needed to monitor the SSL traffic.

Command to execute is:
TRCINT SET(*ON) TRCTBL('SSL-1700x') SIZE(512 *MB) TRCFULL(*STOPTRC) TRCTYPE(*SCKSSL) SLTTRCPNT((17000 17009)).

However, the SCKSSL trace does not include the SSL certs used, only the below.

To the best of my knowledge, there is no tool/method to confirm which SSL certs or CAs are being used on the i.

A spooled file named QPCSMPRT is created for the user that ran the TRCINT SET(*OFF) command. Submit the TRCINT SET(*OFF) command to a background job when you are managing a large trace capture. The following trace point output outlines the connection properties included in the trace point.

SOCKETS IDENTIFIER : SC#17003 TIME 02/17/15 11:03:33.151908 TDE# 000000003C94
#1 ( 21) +0000 C3D6D5D5C5C3E3C9 D6D540D7D9D6D7C5 D9E3C9C5E2 *CONNECTION PROPERTIES
#2 ( 7) +0000 E3D3E2E5F14BF1 *TLSV1.1
#3 ( 28) +0000 E3D3E26DD9E2C16D E6C9E3C86DC1C5E2 6DF1F2F86DC3C2C3 6DE2C8C1 *TLS_RSA_WITH_AES_128_CBC_SHA
#4 ( 10) +0000 D3D6C3C1D340D7D6 D9E3 *LOCAL PORT
#5 ( 3) +0000 F9F9F2 *992
#6 ( 16) +0000 D3D6C3C1D340C9D7 40C1C4C4D9C5E2E2 *LOCAL IP ADDRESS
#7 ( 20) +0000 7A7A868686867AF1 F9F84BF5F14BF1F0 F04BF1F5 *::ffff:198.51.100.15
#8 ( 11) +0000 D9C5D4D6E3C540D7 D6D9E3 *REMOTE PORT
#9 ( 5) +0000 F6F1F8F5F2 *61852
#10 ( 17) +0000 D9C5D4D6E3C540C9 D740C1C4C4D9C5E2 E2 *REMOTE IP ADDRESS
#11 ( 20) +0000 7A7A868686867AF1 F9F84BF5F14BF1F0 F04BF1F6 *::ffff:198.51.100.16
#12 ( 16) +0000 E3D5C1C3C3C5D7E3 E3C1E2D240404040 *TNACCEPTTASK
#13 ( 22) +0000 D8C9C2D46DD8E3E5 6DE3C5D3D5C5E36D E2C5D9E5C5D9 *QIBM_QTV_TELNET_SERVER

The following information is in the trace point entry data:

Protocol Negotiated
Cipher suite Negotiated
Local port and IP address
Remote port and IP address
Job/Task/Device name
Application ID (if used)

Paul
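Added example, not part of Paul's post and not an IBM tool: a Python parser for the TRCINT *SCKSSL CONNECTION PROPERTIES output shown above. The spooled file prints each field twice, as EBCDIC hex and as the text after the '*'; the parser decodes the hex itself (code page 37) so the byte length in parentheses can be checked, then flags deprecated protocol versions and weak cipher suites so a large trace can be audited rather than read record by record. The sample input is constructed: the first record is the one from the post, the second is an invented TLS 1.2 / ECDHE record on the same Telnet server added to show a connection that passes. The field order (protocol, cipher suite, labelled port/address pairs, job/task name, application ID) is taken from the list in the post; the weak-cipher heuristics are my own and not from IBM.

```python
"""Parse and audit IBM i TRCINT *SCKSSL 'CONNECTION PROPERTIES' trace points."""
import re
from typing import Dict, List, Tuple

# Constructed sample: record 1 is the trace point from the post, record 2 is an
# invented TLS 1.2 / ECDHE connection to the same Telnet server.
SAMPLE_TRACE = """\
SOCKETS IDENTIFIER : SC#17003 TIME 02/17/15 11:03:33.151908 TDE# 000000003C94
#1 ( 21) +0000 C3D6D5D5C5C3E3C9 D6D540D7D9D6D7C5 D9E3C9C5E2 *CONNECTION PROPERTIES
#2 ( 7) +0000 E3D3E2E5F14BF1 *TLSV1.1
#3 ( 28) +0000 E3D3E26DD9E2C16D E6C9E3C86DC1C5E2 6DF1F2F86DC3C2C3 6DE2C8C1 *TLS_RSA_WITH_AES_128_CBC_SHA
#4 ( 10) +0000 D3D6C3C1D340D7D6 D9E3 *LOCAL PORT
#5 ( 3) +0000 F9F9F2 *992
#6 ( 16) +0000 D3D6C3C1D340C9D7 40C1C4C4D9C5E2E2 *LOCAL IP ADDRESS
#7 ( 20) +0000 7A7A868686867AF1 F9F84BF5F14BF1F0 F04BF1F5 *::ffff:198.51.100.15
#8 ( 11) +0000 D9C5D4D6E3C540D7 D6D9E3 *REMOTE PORT
#9 ( 5) +0000 F6F1F8F5F2 *61852
#10 ( 17) +0000 D9C5D4D6E3C540C9 D740C1C4C4D9C5E2 E2 *REMOTE IP ADDRESS
#11 ( 20) +0000 7A7A868686867AF1 F9F84BF5F14BF1F0 F04BF1F6 *::ffff:198.51.100.16
#12 ( 16) +0000 E3D5C1C3C3C5D7E3 E3C1E2D240404040 *TNACCEPTTASK
#13 ( 22) +0000 D8C9C2D46DD8E3E5 6DE3C5D3D5C5E36D E2C5D9E5C5D9 *QIBM_QTV_TELNET_SERVER
SOCKETS IDENTIFIER : SC#17003 TIME 02/17/15 11:03:35.004211 TDE# 000000003C95
#1 ( 21) +0000 C3D6D5D5C5C3E3C9 D6D540D7D9D6D7C5 D9E3C9C5E2 *CONNECTION PROPERTIES
#2 ( 7) +0000 E3D3E2E5F14BF2 *TLSV1.2
#3 ( 37) +0000 E3D3E26DC5C3C4C8 C56DD9E2C16DE6C9 E3C86DC1C5E26DF2 F5F66DC7C3D46DE2 C8C1F3F8F4 *TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
#4 ( 10) +0000 D3D6C3C1D340D7D6 D9E3 *LOCAL PORT
#5 ( 3) +0000 F9F9F2 *992
#6 ( 16) +0000 D3D6C3C1D340C9D7 40C1C4C4D9C5E2E2 *LOCAL IP ADDRESS
#7 ( 20) +0000 7A7A868686867AF1 F9F84BF5F14BF1F0 F04BF1F5 *::ffff:198.51.100.15
#8 ( 11) +0000 D9C5D4D6E3C540D7 D6D9E3 *REMOTE PORT
#9 ( 5) +0000 F6F1F8F5F3 *61853
#10 ( 17) +0000 D9C5D4D6E3C540C9 D740C1C4C4D9C5E2 E2 *REMOTE IP ADDRESS
#11 ( 20) +0000 7A7A868686867AF1 F9F84BF5F14BF1F0 F04BF1F7 *::ffff:198.51.100.17
#12 ( 16) +0000 E3D5C1C3C3C5D7E3 E3C1E2D240404040 *TNACCEPTTASK
#13 ( 22) +0000 D8C9C2D46DD8E3E5 6DE3C5D3D5C5E36D E2C5D9E5C5D9 *QIBM_QTV_TELNET_SERVER
"""

HEADER_RE = re.compile(
    r"^SOCKETS IDENTIFIER\s*:\s*SC#(?P<trcpnt>\d+)\s+TIME\s+(?P<time>\S+\s+\S+)"
    r"\s+TDE#\s+(?P<tde>[0-9A-F]+)"
)
# "#n ( len) +offset <hex groups> *text" -- the hex is authoritative, the text is ignored.
FIELD_RE = re.compile(
    r"^#(?P<idx>\d+)\s+\(\s*(?P<len>\d+)\)\s+\+[0-9A-F]{4}\s+"
    r"(?P<hex>[0-9A-F]{2,}(?:\s+[0-9A-F]{2,})*)\s+\*"
)
LABELS = ("LOCAL PORT", "LOCAL IP ADDRESS", "REMOTE PORT", "REMOTE IP ADDRESS")
DEPRECATED_PROTOCOLS = {"SSLV2", "SSLV3", "TLSV1", "TLSV1.0", "TLSV1.1"}


def decode_field(hexstr: str, length: int) -> str:
    """Decode one EBCDIC (CCSID 37) hex dump and check it against the declared length."""
    raw = bytes.fromhex(hexstr.replace(" ", ""))
    if len(raw) != length:
        raise ValueError(f"declared {length} bytes, dump has {len(raw)}")
    return raw.decode("cp037").rstrip()  # fixed-width fields are blank padded (0x40)


def build_record(header: Dict[str, str], fields: List[str]) -> Dict[str, str]:
    """Map decoded fields onto the layout documented for the trace point."""
    if len(fields) < 3 or fields[0] != "CONNECTION PROPERTIES":
        raise ValueError("not a CONNECTION PROPERTIES trace point")
    rec = dict(header, protocol=fields[1], cipher=fields[2])
    i = 3
    while i + 1 < len(fields) and fields[i] in LABELS:  # label / value pairs
        rec[fields[i].lower().replace(" ", "_")] = fields[i + 1]
        i += 2
    rest = fields[i:]  # unlabelled tail: job/task/device name, then optional application ID
    rec["job"] = rest[0] if rest else ""
    rec["app_id"] = rest[1] if len(rest) > 1 else ""
    return rec


def parse_trace(text: str) -> List[Dict[str, str]]:
    """Split a QPCSMPRT-style dump into one record per SOCKETS IDENTIFIER header."""
    records, header, fields = [], None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if header:
                records.append(build_record(header, fields))
            header, fields = m.groupdict(), []
            continue
        m = FIELD_RE.match(line)
        if m and header:
            fields.append(decode_field(m["hex"], int(m["len"])))
    if header:
        records.append(build_record(header, fields))
    return records


def assess(rec: Dict[str, str]) -> List[str]:
    """Heuristic findings (my own, not IBM's) for a negotiated protocol/cipher pair."""
    findings = []
    if rec["protocol"].upper() in DEPRECATED_PROTOCOLS:
        findings.append(f"deprecated protocol {rec['protocol']}")
    cs = rec["cipher"].upper()
    if cs.startswith(("TLS_RSA_", "SSL_RSA_")):
        findings.append("RSA key exchange: no forward secrecy")
    if "_CBC_" in cs:
        findings.append("CBC mode cipher")
    for weak in ("_RC4_", "_3DES_", "_DES_", "_NULL_", "_EXPORT", "_MD5"):
        if weak in cs:
            findings.append(f"weak primitive {weak.strip('_')}")
    return findings


def audit(text: str) -> List[Tuple[Dict[str, str], List[str]]]:
    return [(rec, assess(rec)) for rec in parse_trace(text)]


if __name__ == "__main__":
    for rec, findings in audit(SAMPLE_TRACE):
        peer = f"{rec['remote_ip_address']}:{rec['remote_port']}"
        print(f"{rec['time']} {peer:>28} -> {rec['local_port']} {rec['job']} "
              f"{rec['protocol']} {rec['cipher']}")
        for f in findings:
            print(f"    ! {f}")
```

Feed it the text of the QPCSMPRT spooled file (copied to a stream file) and sort or group the output by remote address to find the clients still negotiating TLS 1.0/1.1 or RSA/CBC suites before tightening the server's protocol and cipher list.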

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Raul Jager
Sent: Monday, March 19, 2018 10:03 AM
To: midrange-l@xxxxxxxxxxxx
Subject: Re: V7R3 DCM Certificate Authority root and intermediate updates

It is a very simple procedure to install the root cert, easier than applying a PTF. I do not think it is a good idea to automatically install all the certs; rather, install only the ones I need.

It would be a good idea to delete the old one (probably VeriSign).


On 03/19/2018 10:34 AM, Steinmetz, Paul wrote:
We had a 3rd party application update their SSL wildcard cert this past Saturday.
Our application failed with below errors.

SSL_Handshake() error [IBM -23]: Certificate is not signed by a trusted certificate authority.
Error 51: SSL peer certificate or SSH remote key was not OK
Closing connection #0
SSL peer certificate or SSH remote key was not OK

Their new cert required us to have the below root and intermediate CA added to our system store.

DigiCertGlobalRootCA.crt
DigiCertSHA2SecureServerCA.crt

The folks that maintain SSL for our Windows and Linux servers stated these CA updates are automatic and included with their OS updates.

Why doesn't IBM do the same for i?
Have new and updated CAs applied to system store via PTFs.

Or are there any processes/procedures to be more proactive for future SSL updates?

Thank You
_____
Paul Steinmetz
IBM i Systems Administrator

Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071

610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home

psteinmetz@xxxxxxxxxx
http://www.pencor.com/



--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list.
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options, visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at https://archive.midrange.com/midrange-l.