Peter Sylvester wrote:
> it would be helpful, if you describe your scenario in more details:

I'll short-circuit this: the STC is a client but is not using a client cert. It's just doing a GET via HTTPS. My confusion was that:

a. The doc doesn't really make it clear that a label is only meaningful for a client cert. So in our reading, it was a way to force a specific cert in the database to be selected, either for control (admittedly odd) or perhaps for performance, as a quick way to get right to the right one. In my case, I was using it as a debugging aid, to know which cert was the good one for the connection. This is one reason I like gskkyman in general: it's easy to create a database containing exactly one cert, and if that works, you know it's the right cert. We have many customers who can't spell 'certificate' and so spend way too much time trying to answer that precise question. In this case, they were updating the server cert, needed a new root, and weren't sure they'd done it right. They are also using gskkyman in production, which is rare in my experience but certainly not "bad" per se. And since I started this effort, I've figured out that their biggest problem was not understanding that a gskkyman database can contain multiple certs! They were playing shell games, swapping databases between "new" and "old" and appropriately afraid that they'd get it wrong. Since they run for months without a restart, they had in fact gotten it wrong on one system, and had a nasty surprise when they did re-IPL and things didn't come up. So, again, my goal was to make it easy to say "OK, if you explicitly tell it to use NEWCERT and it works, then you know that's the root in use, and you can remove the label and it will continue to work whether that system is hitting a server with the new cert or the old one."

b. If you do specify a label for a root (non-client) certificate, it checks that the label exists but then ignores it. So if you specify an invalid label, it fails; but specifying ANY valid label will work as if you had not specified a label.

I submit that this is a bug in theory, but it's also not clear how it should deal with that: if you specify a label, and then there's no client certificate involved, should it complain? That would be logical but a lot of work to implement. Hence my conclusion that some clarification of label use in the doc would suffice for this.

I know most folks here don't care about this, and certainly not to this level of detail; my goal is twofold: to get this recorded to perhaps save someone else in the future; and to maybe get Wai or someone else at IBM to weigh in. I expect they're all enjoying NoLa, though!

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
