It has been a while since I tried this, but as I recall, there are a
couple of tasks that need to be done in the gskkyman utility:
1) Set your self-signed certificate to TRUST status
2) Make your self-signed certificate the default cert for the key
database
3) Create a database password file (i.e. keytdatabase.sth)
Hth
Tony
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf
Of saurabh khandelwal
Sent: Tuesday, April 04, 2017 12:06 AM
To: [email protected]
Subject: Re: SSL on tso
Hello group,
Till now we have completed the steps below to enable SSL for TSO.
1) Opened port 992 on the firewall.
2) Using the gskkyman utility, created a key database and a self-signed certificate for the
user under which the tn3270 address space is running.
3) Made an additional entry for SSL port 992 in the tn3270 profile, with the key database
entry.
4) Obeyed the new configuration.
5) Downloaded the certificate from the mainframe to the desktop in ASCII and renamed the
file with the extension .cer.
6) From the PCOMM certificate management utility, created a database and uploaded the
same certificate which we just downloaded into the correct path mentioned in the
certificate management utility.
7) Tried enabling port 992 on PCOMM, enabled the security and TLS options, and used the
connect option.
But after doing all this I was getting error "420", which says remote client
rejection.
Can anybody help me by suggesting if I am missing anything here to make this
connectivity work?
Thanks for help
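The steps in Tony's reply and in the question above come down to one trust decision: the client rejects the session unless the host's self-signed certificate is in the client's own trust store. The script below is an added example, not code from the thread; it reproduces that decision on a workstation with the openssl CLI (assumed installed), using a constructed host name (mainframe.example) and a temporary work directory in place of the gskkyman key database and the PCOMM certificate store.

```shell
#!/bin/sh
# Added example, not part of the original thread. Stands in for the
# gskkyman / PCOMM steps with the openssl CLI. Assumes openssl is
# installed; the host name and file names are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Stand-in for the gskkyman step: a self-signed host certificate and key.
# The copy to host.cer mirrors "downloaded in ASCII and renamed .cer":
# PEM (base64 text) is the ASCII form the PCOMM utility expects.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=mainframe.example" \
        -keyout "$WORK/host.key" -out "$WORK/host.pem" >/dev/null 2>&1
    cp "$WORK/host.pem" "$WORK/host.cer"
}

# Sanity check on the downloaded file: is it a parseable certificate, and
# is it self-signed (issuer equals subject)? Prints "yes" or "no".
is_self_signed() {
    issuer=$(openssl x509 -in "$1" -noout -issuer)
    subject=$(openssl x509 -in "$1" -noout -subject)
    issuer=${issuer#issuer=}
    subject=${subject#subject=}
    if [ "$issuer" = "$subject" ]; then echo yes; else echo no; fi
}

# The client-side decision: verify the host certificate against a given
# trust store file. With the self-signed cert itself in the store the
# chain validates; with an empty store it is rejected, which is the
# situation behind a "remote client rejection". Prints "accept"/"reject".
client_trust_decision() {
    cert="$1"
    trust_store="$2"
    if openssl verify -CAfile "$trust_store" "$cert" >/dev/null 2>&1; then
        echo accept
    else
        echo reject
    fi
}

# Usage: build the cert, then compare the two trust stores.
make_self_signed
echo "self-signed: $(is_self_signed "$WORK/host.cer")"
echo "cert in client store:  $(client_trust_decision "$WORK/host.cer" "$WORK/host.cer")"
echo "empty client store:    $(client_trust_decision "$WORK/host.cer" /dev/null)"
```

The empty-store case is the one to reproduce first when a client refuses to connect: if `openssl verify` rejects the .cer against the store the client actually uses, no amount of profile changes on the host side will help, and the fix is on the import/trust side, as Tony's list says.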
On 31-Mar-2017 1:33 AM, "Andrew Rowley" <[email protected]>
wrote:
On 31/03/2017 6:48 AM, Mark Pace wrote:
> Also note that one of the hard parts of SSL with PCOMM is self-signed
> certs. You need to send a copy of the public key to each user of
> PCOMM and import the certificate. If you're using a better TN3270
> client, like Vista TN3270, you won't have this problem. At least that's
> what I remember when I wandered down that rabbit hole about 5 years ago.
>
The better way to do this is with a properly signed certificate. You can even
get certificates free through Let's Encrypt (although that has its own
controversies). The main problem is a severe lack of documentation on how to
install a real certificate vs. creating your own CA and signing your own.
I'm not sure that I would describe a client that doesn't have the problem as
"better" since it means that the client is not defending itself against
man-in-the-middle attacks (though I do use and like Vista myself).
--
Andrew Rowley
Black Hill Software
+61 413 302 386
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN