X-Posted IBM-MAIN and RACF-L. It’s not really a RACF issue, but the right folks
may be hanging out there.
I am trying to educate myself on OCSP.
In the AT-TLS config I code
TTLSEnvironmentAction CAM_FTP_Env
{
  ...
  TTLSGskAdvancedParmsRef CAM_FTP_GSK_Adv_Parms
}
...
TTLSGskAdvancedParms CAM_FTP_GSK_Adv_Parms
{
  TTLSGskOcspParmsRef CAM_FTP_OCSP_Test
}
TTLSGskOcspParms CAM_FTP_OCSP_Test
{
  OcspAiaEnable On
}
I then run an FTP to public.dhe.ibm.com port 21
It fails with
EZD2052I TTLS Certificate Diagnostics GRPID: 00000004 ENVID: 0000004A
CONNID: 00002FD2 SSLRetCode= 8 CMSRetCode= 0x03353026 Description=
Using AIA OCSP, certificate's revocation status could not be
determined. See CMS return code SubjectDN= <CN=public.dhe.ibm.com,O=International Business Machines Corporation,L=Armonk,ST=New York,C=US>
IssuerDN= <CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US>
SerialNumber= 04f4061646aa7287a997de4e74d1fd9d CertificateSource=
CMS RC 0x3353026 says
Explanation
The key usage certificate extension does not permit the requested key operation.
User response
Obtain a certificate, which allows the requested key operation.
However, both the DigiCert root and intermediate have keyUsage of both Digital
Signature and CRL Signature, which I believe should be sufficient authority to
sign an OCSP response.
If I am right, it seems like there is an error in System SSL (z/OS V2R5).
The alternative -- that I am wrong -- says that DigiCert does not know what
they are doing, which seems implausible to me.
Any wisdom from these groups?
https://www.ibm.com/support/pages/apar/OA55141 looks close but it is old (2018)
and I am on a reasonably up-to-date V2R5.
Charles
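Added example, not code from the post or from System SSL: a small Python model of the two checks a client applies to the certificate that signed an AIA OCSP response, the signer-authorization rules of RFC 6960 section 4.2.2.2 and the RFC 5280 keyUsage check that a key-usage return code like the one above reflects. The certificates are constructed placeholders and the DN-string comparison stands in for real name matching; the keyUsage that matters is that of the certificate that actually signed the response, which under AIA OCSP may be a delegated responder certificate rather than the root or intermediate.

```python
# Added example, not from the original post: a constructed model of the two
# checks a client applies to the certificate that signed an OCSP response.
from dataclasses import dataclass
from typing import Optional

ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning EKU OID (RFC 6960)

@dataclass(frozen=True)
class Cert:
    """Simplified certificate: DN strings stand in for real name matching."""
    subject: str
    issuer: str
    key_usage: Optional[frozenset] = None   # RFC 5280 bit names; None = extension absent
    ext_key_usage: frozenset = frozenset()  # EKU OIDs

def key_usage_permits_ocsp(cert):
    """RFC 5280 4.2.1.3: digitalSignature covers signatures on anything other
    than certificates and CRLs, so it is the bit an OCSP signer needs;
    keyCertSign and cRLSign do not. A missing extension imposes no limit."""
    return cert.key_usage is None or "digitalSignature" in cert.key_usage

def responder_role(signer, issuing_ca, trusted_responders=frozenset()):
    """RFC 6960 4.2.2.2: the issuing CA itself, a locally trusted responder,
    or a delegate certified directly by that CA with id-kp-OCSPSigning."""
    if signer.subject == issuing_ca.subject:
        return "issuing CA"
    if signer.subject in trusted_responders:
        return "trusted responder"
    if signer.issuer == issuing_ca.subject and ID_KP_OCSP_SIGNING in signer.ext_key_usage:
        return "CA-designated responder"
    return None

def check_ocsp_signer(signer, issuing_ca, trusted_responders=frozenset()):
    """Return (accepted, reason); a rejection leaves revocation status undetermined."""
    role = responder_role(signer, issuing_ca, trusted_responders)
    if role is None:
        return False, "signer not authorized for this issuer"
    if not key_usage_permits_ocsp(signer):
        return False, "keyUsage does not permit digital signature"
    return True, role

# Constructed sample certificates; the names are placeholders, not a real CA.
CA = Cert("CN=Example CA", "CN=Example Root", frozenset({"digitalSignature", "keyCertSign", "cRLSign"}))
DELEGATE = Cert("CN=Example OCSP Signer", "CN=Example CA", frozenset({"digitalSignature"}), frozenset({ID_KP_OCSP_SIGNING}))
CRL_ONLY = Cert("CN=Example OCSP Signer", "CN=Example CA", frozenset({"cRLSign"}), frozenset({ID_KP_OCSP_SIGNING}))
NO_EKU = Cert("CN=Other Signer", "CN=Example CA", frozenset({"digitalSignature"}))

if __name__ == "__main__":
    for signer in (CA, DELEGATE, CRL_ONLY, NO_EKU):
        print(f"{signer.subject}: {check_ocsp_signer(signer, CA)}")
```

Running it shows the delegate with only cRLSign rejected on keyUsage even though its EKU authorizes it, which is the combination to look for in the responder certificate returned with the OCSP response.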
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN