Hi folks,

First time poster; thanks for your forbearance, and for your input if possible.

We are on z/OS 2.5 and I am trying to add PAGENT/TTLS configurations to support outbound/client TLS (https) calls requiring client authentication (mutual TLS/mTLS/two-way SSL). We successfully support similar calls in PAGENT with things like a PKI database holding trusted CA certs, SNI-required configs for sites using Cloudflare, etc., but have not had this requirement for client authentication before.

The error we are stuck on is:

    EZD1284I TTLS Flow  GRPID: 00000027 ENVID: 000041B0 CONNID: 0301E51B RC:    7 Call GSK_SECURE_SOCKET_INIT - 0000005030853750
    EZD1283I TTLS Event GRPID: 00000027 ENVID: 000041B0 CONNID: 0301E51B RC:    7 Initial Handshake 0000000000000000 00000050308B6800 0000000000000000
    EZD1286I TTLS Error GRPID: 00000027 ENVID: 000041B0 CONNID: 0301E51B LOCAL: 128.83.216.11..46868 REMOTE: 146.143.6.65..443 JOBNAME: ABUTBTJ USERID: DPBTJ RULE: ConnRuleJPMorganUAT RC:    7 Initial Handshake 0000000000000000 00000050308B6800 0000000000000000

RC: 7 = "No certificates available."
https://www.ibm.com/docs/en/zos/2.5.0?topic=sfrc-1#idg27338

I'll add more details below, but we have configured the keys and CA-signed certificates both in RACF and in an OMVS key database. Both methods currently yield the same RC: 7 result. We can successfully connect using `openssl` pointing to the relevant key and cert, but not from the client/PAGENT application.

Any insight or pointers will be greatly appreciated. Adding some additional details below.

Thanks,
Brick Jones
The University of Texas at Austin

The output of "pasearch -t" suggests the rules for ConnRuleJPMorganUAT should lead to selection of the expected certificate, for which we provided the "Certificate Label" value:

    Keyring:          /var/pkiserv/jpmorgan/JPMkeys.kdb
    KeyringStashFile: /var/pkiserv/jpmorgan/JPMkeys.sth
    CertificateLabel: FinAppUAT

When using RACF:

    CertificateLabel  FinAppCertUAT
    Keyring           DPDBA/AUTRNG

The gskkyman tool shows:

    Key and Certificate List
    Database: /SYSTEM/var/pkiserv/jpmorgan/JPMkeys.kdb
    1 - FinAppUAT

and

    Certificate Information
    Label: FinAppUAT
    Record ID: 14
    Issuer Record ID: 13
    Trusted: Yes

The key database also has the CA and intermediate certs both for the remote partner and for the client certificate. Per JPMorgan requirements, it is not a self-signed certificate.

    Certificate List
    Database: /SYSTEM/var/pkiserv/jpmorgan/JPMkeys.kdb
    1 - DigiCertGlobalRootG2
    2 - AAA Certificate Services
    3 - USERTrust RSA CA
    4 - InCommon RSA Server CA 2
    5 - DigiCert EV RSA CA G2
    6 - JPM Transport UAT

RACF: >AUTRNG<

    Certificate Label Name            Cert Owner    USAGE     DEFAULT
    --------------------------------  ------------  --------  -------
    AAA Certificate Services Root     CERTAUTH      CERTAUTH  NO
    LABEL00000002                     CERTAUTH      CERTAUTH  NO
    LABEL00000001                     CERTAUTH      CERTAUTH  NO
    FinAppCertUAT                     ID(DPDBA)     PERSONAL  YES
    DigiCert Global Root G2           CERTAUTH      CERTAUTH  NO
    DigiCert Intermediate Root G2     CERTAUTH      CERTAUTH  NO
    JPMorganCertUAT                   ID(DPDBA)     PERSONAL  NO

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
