Jim,
Very interesting.
Using your sample below, I was able to get the root and int CAs for a 3rd party remote site.
Have you taken this to the next level and created a tool that would run this for all SSL connections, convert the output and store the results in a db file?
Paul
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of JWGrant@xxxxxxxxxxxxxxx
Sent: Monday, March 19, 2018 1:20 PM
To: Midrange Systems Technical Discussion
Subject: RE: V7R3 DCM Certificate Authority root and intermediate updates
I use openssl (on the IBMi) for this very reason.
strqsh (and at the command line issue the openssl client command)
openssl s_client -showcerts -connect www.domain.com:443
Output sample:
openssl s_client -showcerts -connect www.ibm.com:443
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/C=US/ST=New York/L=Armonk/O=IBM/CN=www.ibm.com
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=New York/L=Armonk/O=IBM/CN=www.ibm.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4085 bytes and written 432 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
B1E3D99FD3A10E41C6D3D7FBA4D9E0BC54DF136B9A146258D3FFB30E89EC9E60
Session-ID-ctx:
Master-Key:
478BE72A6CEEE7BB1A1B6F07D7C4BD6E39B5338B633A2BFED675D213A2D7E55CCBF6FCF74D83FBD39BA0B437D1062901
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 00 00 0b 3a 86 02 fc ef-a4 70 20 c8 a8 8e 0c 71 ...:.....p ....q
0010 - 20 8b 85 9b 10 01 f6 32-2a 36 9e 37 2a a4 4d b4 ......2*6.7*.M.
0020 - 63 41 07 98 e4 88 f7 84-3b 5b 33 ae 0d 08 83 02 cA......;[3.....
0030 - be 73 eb 84 9b 2d 2b 98-26 6e d4 7e 7b 09 a8 8b .s...-+.&n.~{...
0040 - 94 4e 86 38 77 71 91 fe-d4 77 5c 23 e5 e7 dc ac .N.8wq...w\#....
0050 - 65 42 77 05 0c 69 f3 9a-84 14 8c 3d 33 2a 54 41 eBw..i.....=3*TA
0060 - fa 3b 46 45 b7 b8 bc 69-73 b6 3f 23 a9 68 a3 3c .;FE...is.?#.h.<
0070 - 65 a8 ea 73 41 ab 5e b1-58 e0 0d a3 3a 88 23 51 e..sA.^.X...:.#Q
0080 - b8 96 38 12 6b 09 0b e1-aa 05 8d d0 09 7e ba 3c ..8.k........~.<
0090 - d1 0a 46 af 11 4f 69 3e-c9 9f 1f 14 e7 cd 26 cd ..F..Oi>......&.
Start Time: 1521479792
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
closed
$
Jim W Grant
Senior VP, Chief Information Officer
Web: www.pdpgroupinc.com
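The tool Paul asks about in his reply, as an added example that is not code from this thread or from anyone on it: it wraps Jim's `openssl s_client -showcerts` command, parses the "Certificate chain" section into subject/issuer/SHA-256 records, writes them to a SQLite table, and records whether the server actually sent a self-signed root. In Jim's sample it did not: the chain stops at the GeoTrust RSA CA 2018 intermediate, which is why openssl reports verify return code 20 when it has no local trust store to find the DigiCert Global Root CA in. Function names, the table layout and the sample text are this example's own assumptions; the PEM bodies in the sample are base64 of a marker string, not real certificates. Python is used because it is available in PASE next to the openssl binary.

```python
# Added example: inventory the certificate chain that remote TLS endpoints serve.
# Wraps `openssl s_client -showcerts`, parses the "Certificate chain" section into
# subject/issuer/SHA-256 records and stores them in SQLite. Function names and the
# table layout are this example's own choices, not anything from the thread.
import base64, hashlib, re, sqlite3, subprocess, time

CHAIN_LINE = re.compile(r"^(\d+)\s+s:(.*)$")   # "0 s:/C=US/..." (1.0.x) or "0 s:C = US, ..." (1.1+)
VERIFY_LINE = re.compile(r"Verify return code:\s*(\d+)")
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def sha256_hex(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def parse_showcerts(text: str) -> list:
    """s_client -showcerts output -> [{depth, subject, issuer, pem, sha256}, ...] in server order."""
    entries, cur, pem = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pem is not None:                               # inside a PEM block
            if line == END:
                if cur is not None and cur["pem"] is None:  # attach it to the chain entry above
                    cur["pem"] = f"{BEGIN}\n" + "\n".join(pem) + f"\n{END}\n"
                    cur["sha256"] = sha256_hex(base64.b64decode("".join(pem)))
                pem = None
            else:
                pem.append(line)
        elif line == BEGIN:
            pem = []
        elif (m := CHAIN_LINE.match(line)):
            cur = {"depth": int(m.group(1)), "subject": m.group(2).strip(),
                   "issuer": None, "pem": None, "sha256": None}
            entries.append(cur)
        elif line.startswith("i:") and cur is not None and cur["issuer"] is None:
            cur["issuer"] = line[2:].strip()
    return entries

def chain_is_complete(entries: list) -> bool:
    """True only if the last cert sent is self-signed, i.e. the server sent its root. Most servers
    stop at the intermediate; the root then must come from a trusted local store or the CA's own
    site, never from the peer you are trying to verify."""
    return bool(entries) and entries[-1]["subject"] == entries[-1]["issuer"]

def verify_return_code(text: str):
    m = VERIFY_LINE.search(text)
    return int(m.group(1)) if m else None

def fetch_showcerts(host: str, port: int = 443, timeout: int = 15) -> str:
    """Run openssl s_client; stdin is closed so it exits right after the handshake."""
    cmd = ["openssl", "s_client", "-showcerts", "-servername", host, "-connect", f"{host}:{port}"]
    p = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return p.stdout.decode("utf-8", "replace") + p.stderr.decode("utf-8", "replace")

def inventory_db(path: str = "tls_chains.db") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE IF NOT EXISTS chain (
        host TEXT, port INTEGER, depth INTEGER, subject TEXT, issuer TEXT,
        sha256 TEXT, pem TEXT, verify_code INTEGER, seen_at INTEGER)""")
    return conn

def store_chain(conn, host: str, port: int, entries: list, verify_code=None) -> int:
    now = int(time.time())
    conn.executemany("INSERT INTO chain VALUES (?,?,?,?,?,?,?,?,?)",
                     [(host, port, e["depth"], e["subject"], e["issuer"], e["sha256"],
                       e["pem"], verify_code, now) for e in entries])
    conn.commit()
    return len(entries)

# Constructed sample shaped like Jim's output. The PEM bodies are base64 of a marker
# string, NOT real certificates, so the digests are illustrative only.
FAKE_DER_0 = b"constructed leaf cert body, not a real certificate"
FAKE_DER_1 = b"constructed intermediate cert body, not a real certificate"
SAMPLE = f"""CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/ST=New York/L=Armonk/O=IBM/CN=www.ibm.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
{BEGIN}
{base64.b64encode(FAKE_DER_0).decode()}
{END}
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
{BEGIN}
{base64.b64encode(FAKE_DER_1).decode()}
{END}
---
    Verify return code: 20 (unable to get local issuer certificate)
"""

if __name__ == "__main__":
    import sys
    conn = inventory_db()
    for host in sys.argv[1:]:            # python3 tls_inventory.py www.ibm.com other.example ...
        out = fetch_showcerts(host)
        entries = parse_showcerts(out)
        store_chain(conn, host, 443, entries, verify_return_code(out))
        print(host, len(entries), "certs; root sent:", chain_is_complete(entries),
              "; verify:", verify_return_code(out))
```

Run it with host names on the command line to inventory live endpoints. If you want verify return code 0 instead of 20, add `-CAfile <bundle.pem>` to the command list in fetch_showcerts; the script only records what s_client reports. Whatever the server sends, the root you import into DCM should come from the CA's own download site or a vendor bundle, since trusting a root handed to you by the peer you are trying to authenticate defeats the purpose of the check.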
From: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx>
To: "'midrange-l@xxxxxxxxxxxx'" <midrange-l@xxxxxxxxxxxx>
Date: 03/19/2018 10:55 AM
Subject: RE: V7R3 DCM Certificate Authority root and intermediate updates
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
I run a TRCINT TRCTYPE > *SCKSSL as needed to monitor the SSL traffic.
Command to execute is:
TRCINT SET(*ON) TRCTBL('SSL-1700x') SIZE(512 *MB) TRCFULL(*STOPTRC) TRCTYPE(*SCKSSL) SLTTRCPNT((17000 17009))
However, the SCKSSL trace does not include the SSL certs used, only the below.
To the best of my knowledge, there is no tool/method to confirm which SSL certs or CAs are being used on the i.
A spooled file named QPCSMPRT is created for the user that ran the TRCINT SET(*OFF) command. Submit the TRCINT SET(*OFF) command to a background job when you are managing a large trace capture. The following trace point output outlines the connection properties included in the trace point.
SOCKETS IDENTIFIER : SC#17003 TIME 02/17/15 11:03:33.151908 TDE# 000000003C94
#1 ( 21) +0000 C3D6D5D5C5C3E3C9 D6D540D7D9D6D7C5 D9E3C9C5E2 *CONNECTION PROPERTIES
#2 ( 7) +0000 E3D3E2E5F14BF1 *TLSV1.1
#3 ( 28) +0000 E3D3E26DD9E2C16D E6C9E3C86DC1C5E2 6DF1F2F86DC3C2C3 6DE2C8C1 *TLS_RSA_WITH_AES_128_CBC_SHA
#4 ( 10) +0000 D3D6C3C1D340D7D6 D9E3 *LOCAL PORT
#5 ( 3) +0000 F9F9F2 *992
#6 ( 16) +0000 D3D6C3C1D340C9D7 40C1C4C4D9C5E2E2 *LOCAL IP ADDRESS
#7 ( 20) +0000 7A7A868686867AF1 F9F84BF5F14BF1F0 F04BF1F5 *::ffff:198.51.100.15
#8 ( 11) +0000 D9C5D4D6E3C540D7 D6D9E3 *REMOTE PORT
#9 ( 5) +0000 F6F1F8F5F2 *61852
#10 ( 17) +0000 D9C5D4D6E3C540C9 D740C1C4C4D9C5E2 E2 *REMOTE IP ADDRESS
#11 ( 20) +0000 7A7A868686867AF1 F9F84BF5F14BF1F0 F04BF1F6 *::ffff:198.51.100.16
#12 ( 16) +0000 E3D5C1C3C3C5D7E3 E3C1E2D240404040 *TNACCEPTTASK
#13 ( 22) +0000 D8C9C2D46DD8E3E5 6DE3C5D3D5C5E36D E2C5D9E5C5D9 *QIBM_QTV_TELNET_SERVER
The following information is in the trace point entry data:
Protocol Negotiated
Cipher suite Negotiated
Local port and IP address
Remote port and IP address
Job/Task/Device name
Application ID (if used)
Paul
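An added example, not part of Paul's message or of IBM's documentation, that reads SC#17003 connection-properties entries out of the QPCSMPRT spool output Paul describes and flags weak negotiated parameters. It decodes the hex EBCDIC columns with code page 037 rather than trusting the printed *...* text, which wraps in the spool file while the hex does not. The field order (protocol, cipher suite, four label/value pairs, task name, application ID) is taken from the entry Paul quoted and is assumed to hold for other entries; the sample string is constructed from that same entry, and all function names are this example's own. Python, since it runs in PASE.

```python
# Added example: decode and assess *SCKSSL connection-properties trace entries (SC#17003).
# Reads the hex EBCDIC columns TRCINT prints, decodes them as code page 037 and flags weak
# negotiated parameters. Field order is taken from the entry quoted in the thread and is
# assumed to hold generally; nothing here is IBM's own tooling.
import re

FIELD_HDR = re.compile(r"#(\d+)\s+\(\s*(\d+)\)\s+\+0000")   # "#3 ( 28) +0000 ..."
HEX_RUN = re.compile(r"[0-9A-Fa-f]{2,}")
TIME = re.compile(r"TIME\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d\.\d+)")
WEAK_PROTOCOLS = {"SSLV2", "SSLV3", "TLSV1", "TLSV1.0", "TLSV1.1"}

def iter_entries(spool_text: str):
    """Yield each SC#17003 entry from a QPCSMPRT-style dump; other trace points are skipped."""
    for chunk in spool_text.split("SOCKETS IDENTIFIER")[1:]:
        if "SC#17003" in chunk:
            yield "SOCKETS IDENTIFIER" + chunk

def decode_fields(entry_text: str) -> dict:
    """{field_no: text} from the hex columns. Each field is '#n ( len) +0000 <hex> *text';
    the hex may continue on following lines, so take exactly len bytes of hex before the
    first '*' instead of trusting the printed text."""
    fields = {}
    parts = FIELD_HDR.split(entry_text)            # [preamble, n, len, body, n, len, body, ...]
    for i in range(1, len(parts), 3):
        num, nbytes, body = int(parts[i]), int(parts[i + 1]), parts[i + 2]
        digits = "".join(HEX_RUN.findall(body.split("*", 1)[0]))[:2 * nbytes]
        fields[num] = bytes.fromhex(digits).decode("cp037").rstrip()   # 0x40 pads -> spaces
    return fields

def parse_trace_entry(entry_text: str) -> dict:
    f = decode_fields(entry_text)
    if f.get(1) != "CONNECTION PROPERTIES":
        raise ValueError("not a connection-properties entry")
    m = TIME.search(entry_text)
    rec = {"time": m.group(1) if m else None, "protocol": f[2], "cipher": f[3]}
    for n in (4, 6, 8, 10):       # LOCAL PORT, LOCAL IP ADDRESS, REMOTE PORT, REMOTE IP ADDRESS
        rec[f[n].lower().replace(" ", "_")] = f[n + 1]
    rec["task"] = f.get(12)
    rec["application_id"] = f.get(13)              # present only when the app registered one
    return rec

def assess(rec: dict) -> list:
    """Findings a reviewer would raise about what was negotiated."""
    findings = []
    if rec["protocol"].upper() in WEAK_PROTOCOLS:
        findings.append(f"protocol {rec['protocol']} is below TLS 1.2")
    c = rec["cipher"].upper()
    if c.startswith(("TLS_RSA_", "SSL_RSA_")):
        findings.append("static RSA key exchange: no forward secrecy (prefer ECDHE suites)")
    if "_CBC_" in c:
        findings.append("CBC-mode cipher suite (prefer AES-GCM)")
    if any(w in c for w in ("_RC4_", "_3DES_", "_DES_", "_NULL_", "_EXPORT")):
        findings.append("obsolete bulk cipher")
    return findings

# Constructed sample: the entry quoted in the thread, re-typed with its hex columns intact.
SAMPLE_ENTRY = """\
SOCKETS IDENTIFIER : SC#17003 TIME 02/17/15 11:03:33.151908 TDE# 000000003C94
#1 ( 21) +0000 C3D6D5D5C5C3E3C9 D6D540D7D9D6D7C5 D9E3C9C5E2 *CONNECTION PROPERTIES
#2 ( 7) +0000 E3D3E2E5F14BF1 *TLSV1.1
#3 ( 28) +0000 E3D3E26DD9E2C16D E6C9E3C86DC1C5E2
6DF1F2F86DC3C2C3 6DE2C8C1 *TLS_RSA_WITH_AES_128_CBC_SHA
#4 ( 10) +0000 D3D6C3C1D340D7D6 D9E3 *LOCAL PORT
#5 ( 3) +0000 F9F9F2 *992
#6 ( 16) +0000 D3D6C3C1D340C9D7 40C1C4C4D9C5E2E2 *LOCAL IP ADDRESS
#7 ( 20) +0000 7A7A868686867AF1 F9F84BF5F14BF1F0 F04BF1F5 *::ffff:198.51.100.15
#8 ( 11) +0000 D9C5D4D6E3C540D7 D6D9E3 *REMOTE PORT
#9 ( 5) +0000 F6F1F8F5F2 *61852
#10 ( 17) +0000 D9C5D4D6E3C540C9 D740C1C4C4D9C5E2 E2 *REMOTE IP ADDRESS
#11 ( 20) +0000 7A7A868686867AF1 F9F84BF5F14BF1F0 F04BF1F6 *::ffff:198.51.100.16
#12 ( 16) +0000 E3D5C1C3C3C5D7E3 E3C1E2D240404040 *TNACCEPTTASK
#13 ( 22) +0000 D8C9C2D46DD8E3E5 6DE3C5D3D5C5E36D E2C5D9E5C5D9 *QIBM_QTV_TELNET_SERVER
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ENTRY
    for entry in iter_entries(text):
        rec = parse_trace_entry(entry)
        print(rec["time"], rec["protocol"], rec["cipher"], rec["local_ip_address"], rec["local_port"],
              "<-", rec["remote_ip_address"], rec["remote_port"], rec["application_id"])
        for finding in assess(rec):
            print("   !", finding)
```

Point it at a QPCSMPRT spool file copied to the IFS (CPYSPLF to a stream file) and it walks every SC#17003 entry. On the quoted entry it reports three findings: TLS 1.1, static RSA key exchange, and a CBC suite, all on port 992 (TLS telnet). As Paul notes, the trace carries no certificate data, so this tells you how a session was negotiated but not which CA signed the peer.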
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Raul Jager
Sent: Monday, March 19, 2018 10:03 AM
To: midrange-l@xxxxxxxxxxxx
Subject: Re: V7R3 DCM Certificate Authority root and intermediate updates
It is a very simple procedure to install the root cert, easier than applying a PTF. I do not think it is a good idea to install all the certs automatically; rather, install only the ones I need.
It would be a good idea to delete the old one (probably VeriSign).
On 03/19/2018 10:34 AM, Steinmetz, Paul wrote:
We had a 3rd party application update their SSL wildcard cert this past Saturday.
Our application failed with the below errors.
SSL_Handshake() error [IBM -23]: Certificate is not signed by a trusted certificate authority.
Error 51: SSL peer certificate or SSH remote key was not OK
Closing connection #0
SSL peer certificate or SSH remote key was not OK
Their new cert required us to have the below root and intermediate CA added to our system store.
DigiCertGlobalRootCA.crt
DigiCertSHA2SecureServerCA.crt
The folks that maintain SSL for our Windows and Linux servers stated these CA updates are automatic and included with their OS updates.
Why doesn't IBM do the same for i?
Have new and updated CAs applied to the system store via PTFs.
Or are there any processes/procedures to be more proactive for future SSL updates?
Thank You
_____
Paul Steinmetz
IBM i Systems Administrator
Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071
610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home
psteinmetz@xxxxxxxxxx
http://www.pencor.com/
-- This e-mail was sent from the mail server of the newspaper ABC Color --
-- Checked by Symantec corporate anti-virus --
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options, visit:
https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related questions.
Help support midrange.com by shopping at amazon.com with our affiliate link: http://amzn.to/2dEadiD