I am working with our security folks also; they are requiring TLS 1.2
only connections. There's a local override file you can add to force all
connections to TLS 1.2, but be careful: if you use the JES2EDS (email
delivery system) you also need to force TLS 1.2 via an SSH daemon or by
adding the TLS 1.2 parm in CEEPRMxx.
for z/OS 2.3 and beyond
/global/zosmf/configuration - add
local_override.cfg
IZU_SSL_PROTOCOL=TLS1.2
if you need to force TLS 1.2 via LE
add
ENVAR=("GSK_PROTOCOL_TLSV1_2=ON")
I've tested with only the z/OSMF local override file, and this caused
JES2EDS connections to fail.
There may be some other options; this is the only one that seemed to
satisfy my security folks and still allow everything to work / connect.
Carmen
On 8/13/2021 7:59 AM, Shaffer, Terri wrote:
So I am no expert when it comes to certificates, so maybe someone can shed
some light for me.
By default z/OSMF is configured with a CA or ZOSMFCA label. That doesn't
work, or maybe doesn't seem to work, for me. I can generate a client
certificate from it and download it to my PC, but it will never establish
an SSL/TLS 1.2 connection. I also don't have admin rights, so even if I
could, it would only be for me, at least I think.
So my corporate network team gave me a root and intermediate CA and then
generated a client certificate for me.
I imported them to RACF as trusted and built my z/OSMF key ring off those,
which seemed to work...
However now I am getting
[ERROR ] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN
CN=xxx.xxx.xxx.xxx my IP
The signer might need to be added to local trust store
safkeyringhybrid://IZUSVR/IZUKeyring.IZUDFLT, located in SSL configuration
alias izuSSLConfig.
The extended error message from the SSL handshake exception is: PKIX path
building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to
find valid certification path to requested target.
Which I guess makes sense because my network team gave me all the certs. But
is there a way to resolve this so all users get a TLS 1.2 https connection?
Ms Terri E Shaffer
Senior Systems Engineer,
z/OS Support:
ACIWorldwide - Telecommuter
H(412-766-2697) C(412-519-2592)
[email protected]
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
--
/I am not bound to win, but I am bound to be true. I am not bound to
succeed, but I am bound to live by the light that I have. I must stand
with anybody that stands right, and stand with him while he is right,
and part with him when he goes wrong. *Abraham Lincoln*/
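The "PKIX path building failed ... unable to find valid certification path" error quoted above is the verifier saying it cannot connect the certificate the peer presented to a trusted anchor in the keyring; the usual cause is that only the root was connected and the intermediate that actually signed the peer's certificate is missing. The script below is an added example, not code from the thread or from IBM: it builds a throwaway root -> intermediate -> leaf PKI with the openssl command line (1.1.1 or later is assumed), reproduces the failure by verifying the leaf against the root alone, and then shows the same leaf passing once the intermediate is supplied. All names in it (Example Root CA, zosmf.example.test, the file names) are invented.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "unable to find valid
# certification path" condition with a throwaway root -> intermediate -> leaf
# PKI built by openssl, then show the same leaf verifying once the
# intermediate is supplied. Every name below is invented.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so behaviour does not depend on the system openssl.cnf.
printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
  '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
  'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' \
  > "$WORK/req.cnf"
# Extensions for the intermediate (a CA that may only sign end-entity certs).
printf '%s\n' 'basicConstraints = critical,CA:TRUE,pathlen:0' \
  'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' \
  > "$WORK/inter_ext.cnf"
# Extensions for the leaf (a TLS server certificate).
printf '%s\n' 'basicConstraints = CA:FALSE' \
  'keyUsage = digitalSignature,keyEncipherment' \
  'extendedKeyUsage = serverAuth' \
  'subjectAltName = DNS:zosmf.example.test' \
  > "$WORK/leaf_ext.cnf"

build_pki() {
  # Self-signed root: the trust anchor.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/req.cnf" -extensions v3_ca -subj '/CN=Example Root CA' \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj '/CN=Example Intermediate CA' \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 365 -sha256 \
    -extfile "$WORK/inter_ext.cnf" -out "$WORK/inter.pem" 2>/dev/null
  # Leaf (server) certificate, signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj '/CN=zosmf.example.test' \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" \
    -CAkey "$WORK/inter.key" -CAcreateserial -days 365 -sha256 \
    -extfile "$WORK/leaf_ext.cnf" -out "$WORK/leaf.pem" 2>/dev/null
}

# Trust store holds only the root, as when only the root CA is connected
# to the keyring: path building cannot reach the root from the leaf, so the
# verify fails (openssl reports "unable to get local issuer certificate").
verify_root_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Same root as anchor, but the intermediate is offered as an untrusted chain
# member, the equivalent of having it on the keyring: the verify succeeds.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

build_pki
if verify_root_only; then
  echo 'unexpected: leaf verified without the intermediate'
else
  echo 'root only: verify fails (no path from leaf to trusted root)'
fi
if verify_with_intermediate; then
  echo 'root + intermediate: verify OK'
  openssl verify -show_chain -CAfile "$WORK/root.pem" \
    -untrusted "$WORK/inter.pem" "$WORK/leaf.pem"
fi
```

The same check applies to a real keyring: export the CA certificates that are connected to it, put the root in the -CAfile and any intermediates in -untrusted, and run openssl verify against the certificate the peer actually presents. If that verify fails, the keyring is missing a link in the chain, which is the condition Liberty reports as the PKIX path building error.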