On Thursday, 09/13/2007 at 03:58 EDT, Alan Ackerman <[EMAIL PROTECTED]> wrote:

> Is there any way to share server certificates between SSLSERV and other
> applications on the same VM system? (In my case the other application is
> Illustro z/Web Server for VM.) Do I have to order a separate certificate
> for each? (Costs $$$.)

If you define port 443 (https) as SECURE in PROFILE TCPIP, then you can use the SSL server certificates. The trick is to get z/Web to listen on 80 and 443 at the same time, treating 443 exactly as it does 80. All encryption would be handled by the SSL server. But, no, there's no way to share the SSL server's certificate database with other guests.

> Essentially, a certificate just certifies a particular domain, so why
> should I need two of them?

Ummm, you don't.

> I could use the SSLSERV to provide SSL services to the z/Web server, but
> since the SSLSERV encryption is transparent to the application, there does
> not appear to be any way for an application (CGI) running on the web
> server to obtain information on the client certificate, or even to know
> whether the interaction is encrypted (HTTPS) instead of not (HTTP). Does
> SSLSERV even support client certificates? Does it support HTTPS instead of
> HTTP?

The SSL server does not request a client certificate. You're correct that the CGI cannot directly observe that (a) the connection is encrypted [hey, it's "transparent TLS"], or (b) the client certificate (if we requested it). Indirectly, the CGI could get creative with NETSTAT CONN to discover whether its connection is encrypted. See the Usage Note for NETSTAT CONN re: two connections per secure session.

> If I understand this correctly, to get certificate(s) for SSLSERV, I have
> to do this:

The exact steps are listed in the TCP/IP manual. Don't skip any. :-)

> I believe the 'request' command stores a 'request' item in the database,
> and then the 'store fn server' command associates the server certificate
> item with the request item.

The "request" generates a certificate based on the X509INFO file AND it creates a public/private keypair. The REQUEST file contains the certificate, signed with your private key. The CA signs it (the certificate with your signature) with their private key and sends it back to you.

The store command verifies that the provided cert is valid and associates the now-CA-signed cert with the certificate label.

> It's this 'association' that is the problem. Is there any way to install
> a 'request' item from somewhere else into the SSLSERV database?

No. We are aware of the requirement to be able to import certificates & keys into the database without having to first do a Request. If you want to copy the files to another Linux guest, that's ok, too, but I don't know if the SSL server can handle generic (e.g. *.endicott.ibm.com) certificates.

> z/Web server has an identical process, except that it uses a web page
> instead of commands. (The underlying commands do exist, though.)

Aren't web servers great? :-)

Alan Altmark
z/VM Development
IBM Endicott
