Hello list, I have a small problem that I was hoping I could get some help with.

System is z/OS V1.13 running on a Z13s W01 soon to be V2.2, but not yet and not 
soon enough.

We are using system SSL/TLS, not AT/TLS, for FTP and TN3270. We have Crypto
Express 5 cards with a CEX5C coprocessor.

I wanted to take advantage of the crypto cards, so I imported the RSA
certificate we were using, using the PCICC(*) option. This is supposed to
take the private key and place it in the PKDS, which is supposed to perform
better than using software SSL encryption.

To my dismay, TN3270 will no longer support an SSL/TLS connection; however,
Secure FTP has no problem. I ensured that nothing was changed in the keyring and
that the correct SITE certificate shows up there. I also made sure that TN3270
and FTP are pointing to the same keyring.

The RACF display of the keyring shows this:

Digital ring information for user TCPIP:

  Ring:
       >SharedRing<
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
  XXXXX Cert 2048 Authority          CERTAUTH       CERTAUTH     NO

  TCPIPSharedSite                    SITE           PERSONAL     YES


The above is correct.

The access from FTP is shown below (IP addresses and userids changed to
protect the innocent):

Oct 26 14:21:30 JESH01 ftpd[33555196]: EZYFS50I ID=FTPD100119 CONN   starts Client IPaddr=999.99.1.27 hostname=UNKNOWN
Oct 26 14:21:30 JESH01 ftps[33555196]: EZYFS54I ID=FTPD100119 SECURE OK     Mechanism=TLS-P
Oct 26 14:21:30 JESH01 ftps[33555196]: EZYFS56I ID=FTPD100119 ACCESS OK     USERID=XXXXXX
Oct 26 14:21:31 JESH01 ftps[33555195]: EZYFS67I ID=FTPD100119 ALLOC  OK     Use HFS filename=/u/log/2016/10/24/ftp.log

We ran an SSL trace and this is what we get:

   Job,TN3270    Process 00000016  Thread 0000001C  crypto_rsa_private_decrypt
   Stored,private key support is not available
     ,
SSF1,     MESSAGE   00000004  14:43:03.790222  SSL_ERROR
     ,
   Job,TN3270    Process 00000016  Thread 0000001C  read_v3_client_key_exchang
   Unable,to decrypt pre-master secret: Error 0x0335301a


The trace looks good until we get the Error 0x0335301a.

0335301A No private key.
Explanation: A private key request cannot be
processed because the database entry does not contain
a private key. This error can occur if the private key is
stored in the Integrated Cryptographic Service Facility
(ICSF) but the CSF started task is not running.
User response: Verify that the CSF started task is
running if the private key is stored in ICSF. Otherwise,
repeat the failing request using a database entry
containing a private key.

I'm at a loss. ICSF is up and running, and the crypto cards are supposed to have
the PCICC coprocessors.

Secure TN3270 does not work, but secure FTP does.

I'm at a loss; any ideas welcome.

Thanks

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
