Hello,

Thanks for the suggestion. To avoid all mistakes, I freshly created a key database on the mainframe, generated a self-signed certificate, then made it trusted and set it as the default key.
Then I downloaded it using ASCII, renamed it with .Cert, and tried putting it into the PCOMM database, and I am getting the error below.

The validity period doesn't include today or does not fall within its issuer's validity period.

But I also cross-checked my certificate information on the mainframe, and it shows:

Effective date : 2017/04/05
Expiration date : 2018/04/05

I am not sure why I am getting this issue. Please suggest.

On 04-Apr-2017 11:53 PM, "Cieri, Anthony" <[email protected]> wrote:

> It has been awhile since I tried this, but as I recall, there are
> a couple of tasks that needed to be done in the gskkyman utility
>
> 1) Set your self signed certificate to TRUST status
> 2) Make your self signed certificate the Default cert for the
>    key database
> 3) Create a database password file (i.e. keytdatabase.sth)
>
> Hth
> Tony
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]] On
> Behalf Of saurabh khandelwal
> Sent: Tuesday, April 04, 2017 12:06 AM
> To: [email protected]
> Subject: Re: SSL on tso
>
> Hello group,
>
> Till now we completed below steps to enable SSL for tso.
> 1) open port 992 firewall
> 2) using gskkyman utility, created database and self signed certificate
>    for the user under which tn3270 address space running.
> 3) made additional entry of SSL port 992 in tn3270 profile with key
>    database entry.
> 4) obey the new configuration.
> 5) downloaded certificate from mainframe to desktop in ASCII and renamed
>    the file with extension of .cer
> 6) from pcom certificate management utility, I created database and
>    uploaded the same certificate which we just downloaded into correct path
>    mentioned in the certificate management utility.
> 7) tried enabling port 992 on pcom and enabled security and TLS option and
>    use option to connect.
>
> But after doing all this I was getting error of "420". Which says remote
> client rejection..
>
> Can anybody help me to suggest if I am missing anything here to make this
> connectivity work.
>
> Thanks for help
>
> On 31-Mar-2017 1:33 AM, "Andrew Rowley" <[email protected]>
> wrote:
>
> On 31/03/2017 6:48 AM, Mark Pace wrote:
>
> > Also note that one of the hard parts of SSL with PCOMM is self-signed
> > certs. You need to send a copy of the public key to each user of
> > PCOMM and import the certificate. If you're using a better TN3270
> > client, like Vista TN3270, you won't have this problem. At least that's
> > what I remember when I wandered down that rabbit hole about 5 years ago.
> >
> The better way to do this is with a properly signed certificate. You can
> even get certificates free through Let's Encrypt (although that has its own
> controversies). The main problem is a severe lack of documentation on how
> to install a real certificate vs. creating your own CA and signing your own.
>
> I'm not sure that I would describe a client that doesn't have the problem
> as "better" since it means that the client is not defending itself against
> man-in-the-middle attacks (though I do use and like Vista myself).
>
> --
> Andrew Rowley
> Black Hill Software
> +61 413 302 386
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
