With all of your kind assistance on and off list, I think I finally
cracked the nut. Note: I use the FTP server below, but it all also applies
to the TN3270 server.

The root problem was my scenario of using my own self-signed CA to sign
user certs. This worked, but only within one 'plex. That is, I can FTP
from one host in a 'plex to another. For quite a while, that was my only
way to test and learn. Silly me, I thought those test results would
apply to other situations.    

I found that self-signed CA's are treated as 'invalid' when FTP'ing from
*any* other host even when the CA was imported as trusted.

When I regenned the personal certs as self-signed, the intra 'plex FTP
stopped working, but FTP from other hosts started working because they
have options to accept such or to prompt for permission.

Complicating matters is that some RACF panels don't work (the cert delete
function, for example) and the FTP server sometimes won't pick up cert
changes even when the server is stopped/started. 

Another complication was RACDCERT was a little inconsistent. The
scenario:
1. Add four certs via batch job. One for each server on each LPAR.   
2. Delete these four certs. 
3. Add same four certs. 

The second add worked for one server/LPAR, but failed for the second
pair because of duplication. The content of each cert was identical
except for owner, CN (host name), and label. Why this worked the first
time and failed the second probably can be explained by a missed REFRESH
step. But still a bit frustrating. 

I figured out how to make both servers use a common cert.   

I suppose I ought to open some PMR's with IBM, but I simply don't have
time: I have two processor upgrades and 12 LPAR's to upgrade from 1.4 to
1.7 before Thanksgiving. 

The PMR's I should open:
1. RACF panels don't work.
2. Bouncing servers to pick up trivial changes is stupid. OK for PC's
but not for the MF. Simple refresh functions are the way to go.     
3. Trace instructions that actually work.
4. Inconsistent RACDCERT behavior.  

Again, thanks to all.        