Hello list I have a small problem that I was hoping I could get some help with.
System is z/OS V1.13 running on a Z13s W01 soon to be V2.2, but not yet and not
soon enough.
We are using system SSL/TLS not AT/TLS for FTP and TN3270. We have Crypto
express 5 cards
with a CEX5C coprocessor.
I wanted to take advantage of the crypto cards so I imported the
RSA cerftificate we were using using the PCICC(*) option. This is supposed to
take the private key and place it in the PKDS which is supposed to perform
better
than using software ssl encryption.
To my dismay TN3270 will no longer support a SSL\TLS connection, however
Secure FTP has no problem. I ensured that nothing was changed in the keyring and
that the correct SITE certificate shows up there. I also made sure that TN3270
and FTP are pointing to the same keyring.
The RACF display of the keyring shows this:
Digital ring information for user TCPIP:
Ring:
>SharedRing<
Certificate Label Name Cert Owner USAGE DEFAULT
-------------------------------- ------------ -------- -------
XXXXX Cert 2048 Authority CERTAUTH CERTAUTH NO
TCPIPSharedSite SITE PERSONAL YES
The above is correct.
The access from FTP is shown below: IP addresses and userid's changed to
protect the innocent.
Oct 26 14:21:30 JESH01 ftpd[33555196]: EZYFS50I ID=FTPD100119 CONN starts
Client IPaddr=999.99.1.27 hostname=UNKNOWN
Oct 26 14:21:30 JESH01 ftps[33555196]: EZYFS54I ID=FTPD100119 SECURE OK
Mechanism=TLS-P
Oct 26 14:21:30 JESH01 ftps[33555196]: EZYFS56I ID=FTPD100119 ACCESS OK
USERID=XXXXXX
Oct 26 14:21:31 JESH01 ftps[33555195]: EZYFS67I ID=FTPD100119 ALLOC OK Use
HFS filename=/u/log/2016/10/24/ftp.log
We ran an SSL trace and this is what we get:
Job,TN3270 Process 00000016 Thread 0000001C crypto_rsa_private_decrypt
Stored,private key support is not available
,
SSF1, MESSAGE 00000004 14:43:03.790222 SSL_ERROR
,
Job,TN3270 Process 00000016 Thread 0000001C read_v3_client_key_exchang
Unable,to decrypt pre-master secret: Error 0x0335301a
The trace looks good until we get the Error 0x0335301a.
0335301A No private key.
Explanation: A private key request cannot be
processed because the database entry does not contain
a private key. This error can occur if the private key is
stored in the Integrated Cryptographic Service Facility
(ICSF) but the CSF started task is not running.
User response: Verify that the CSF started task is
running if the private key is stored in ICSF. Otherwise,
repeat the failing request using a database entry
containing a private key.
I'm at a loss ICSF is up and running, and the crypto cards are supposed to have
the PCICC coprocessors.
Secure Tn3270 does not work, but secure FTP does.
I'm at a loss any idea's welcome.
Thanks
==========================
This email, and any files transmitted with it, is confidential and intended
solely for the use of the individual or entity to which it is addressed. If you
have received this email in error, please notify the system manager. This
message contains confidential information and is intended only for the
individual named. If you are not the named addressee, you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this message by mistake and delete
this e-mail from your system. If you are not the intended recipient, you are
notified that disclosing, copying, distributing or taking any action in
reliance on the contents of this information is strictly prohibited.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
