The most difficult problems to diagnose are often those that just look
*SO* correct, but contain a wee typo.
I don't run the SSL server (yet), so I can't say for sure if this is the
cause or not, but *could* it be:
:Mixedcasparms.YES
should be
:Mixedcaseparms.YES
Potentially, that could prevent the next mixed statements from being
processed properly:
:mount. /../VMBFS:VMSYS:ROOT/ / ,
/../VMBFS:VMSYS:SSLSERV/ /tmp ,
/../VMBFS:VMSYS:GSKSSLDB/ /etc/gskadm
:parms.KEYfile /etc/gskadm/Database.kdb
At least it's worth a quick test.
Mike Walter
Aon Corporation
The opinions expressed herein are mine alone, not my employer's.
"Dave Keeton" <[email protected]>
Sent by: "The IBM z/VM Operating System" <[email protected]>
11/24/2010 10:49 AM
Subject: Re: Question about SSL Service
Well, I've been through the instructions in the link that Jim provided,
but I still haven't been able to get SSL to start up. I'm trying to set
things up with a single-server, as opposed to the new SSL Pool option. I'm
going to provide my configuration in the hope that a mistake might stand out
to the list.
SYSTEM DTCPARMS:
:nick.TCPIP :type.server
:class.stack
:attach.2D18-2D1A
:nick.TCPIP :type.server
:class.stack
:attach.06EC-06EE
:nick.FTP :type.class
:name.FTP daemon
:command.SRVRFTP
:runtime.PASCAL
:diskwarn.YES
:anonymous.YES
:nick.SSLSERV :type.server
:class.ssl
:stack.TCPIP
:name.SSL daemon
:command.VMSSL
:runtime.C
:diskwarn.YES
:Admin_ID_list.TCPMAINT GSKADMIN
:memory.256M
:Mixedcasparms.YES
:vmlink. .DIR VMSYS:TCPMAINT.SSLPOOL_SSL <. A FORCERW>
:mount. /../VMBFS:VMSYS:ROOT/ / ,
/../VMBFS:VMSYS:SSLSERV/ /tmp ,
/../VMBFS:VMSYS:GSKSSLDB/ /etc/gskadm
:parms.KEYfile /etc/gskadm/Database.kdb
:nick.SSLDCSSM :type.server
:class.ssl_dcss_agent
:stack.TCPIP
:for.SSLSERV
:nick.TCPIP :type.server
:class.stack
:DCSS_Parms.<DEFAULT>
PROFILE TCPIP:
SMALLDATABUFFERPOOLSIZE 2048
ASSORTEDPARMS
PROXYARP
ENDASSORTEDPARMS
OBEY
OPERATOR TCPMAINT MAINT MPROUTE DHCPD REXECD SNMPD SNMPQE LDAPSRV
ENDOBEY
AUTOLOG
FTPSERVE 0 ; FTP Server
SSLSERV 0 ; SSL Server
ENDAUTOLOG
INFORM
OPERATOR TCPMAINT
ENDINFORM
SSLSERVERID SSLSERV TIMEOUT 30
SSLLIMITS MAXSESSIONS 3000 MAXPERSSLSERVER 600
INTERNALCLIENTPARMS
TLSLABEL ENTSYSVM
PORT 23 PORT 992
SECURECONNECTION PREFERRED
ENDINTERNALCLIENTPARMS
USER DIRECT entries:
USER SSLSERV SSLSERV 256M 2G G
INCLUDE TCPCMSU
POSIXINFO UID 7 GNAME security
IUCV ALLOW
OPTION ACCT MAXCONN 1024 QUICKDSP SVMSTAT APPLMON
NAMESAVE TCPIP
SHARE RELATIVE 3000
LINK 5VMTCP40 491 491 RR
LINK 5VMTCP40 492 492 RR
LINK TCPMAINT 591 591 RR
LINK TCPMAINT 592 592 RR
LINK TCPMAINT 198 198 RR
MDISK 191 3390 9021 001 540RES MR RSSLSERV WSSLSERV MSSLSERV
USER SSLDCSSM LBYONLY 32M 64M GE
INCLUDE TCPCMSU
OPTION QUICKDSP SVMSTAT
LOGONBY TCPMAINT GSKADMIN
NAMESAVE TCPIP
LINK 5VMTCP40 0491 0491 RR
LINK 5VMTCP40 0492 0492 RR
LINK TCPMAINT 0591 0591 RR
LINK TCPMAINT 0592 0592 RR
LINK TCPMAINT 0198 0198 RR
MDISK 0191 3390 09086 00010 540RES MR READ WRITE MULTI
The issue continues to be the following error when TCPIP starts:
DMSACR1184E Directory VMSYS:TCPMAINT.SSLPOOL_SSL not found or you are not
authorized for it
DTCRUN1001E "VMLINK .DIR VMSYS:TCPMAINT.SSLPOOL_SSL <. A FORCERW>" failed
with return code 2100
Thanks,
Dave
On Tue, 2010-11-23 at 10:57 -0500, James Poirier wrote:
Dave,
The following link describes the steps you need to do in addition to
what the SSLPOOL PLAN option describes.
http://www.vm.ibm.com/related/tcpip/tcspeins.html
Jim P.
On 11/23/10 10:46 AM, "Dave Keeton" <[email protected]> wrote:
Thanks, Mike. I tried to restart using that option, but it complained that
a $RESTART file was not found.
I was able to run service again like last time, just using SERVICE ALL and
it appeared to complete successfully.
My problem now is deciphering exactly WHAT needs to be changed in SSL to
get it working again. I ran SSLPOOL with the PLAN option and got a list of
changes that needed to be made - made them, but I still get errors when
TCPIP starts:
DTCRUN1022I Console log will be sent to default owner ID: TCPMAINT
DMSACR1184E Directory VMSYS:TCPMAINT.SSLPOOL_SSL not found or you are not
authorized for it
DTCRUN1001E "VMLINK .DIR VMSYS:TCPMAINT.SSLPOOL_SSL <. A FORCERW>" failed
with return code 2100
DTCRUN1099E Server not started - correct problem and retry
I even went so far as to roll through a refresh of the BFS filespaces
found here: http://www.vm.ibm.com/related/tcpip/tcsslini.html
Dave
On Mon, 2010-11-22 at 16:57 -0600, Mike Walter wrote:
Dave,
Issue: HELP VMSES SERVICE
then look for the "RESTART" doc and give it a try.
Trying=Learning. :-)
(Sometimes the Trying="Learning hard way", but this should not be one of
those cases)
Mike Walter
Aon Corporation
The opinions expressed herein are mine alone, not my employer's.
"Dave Keeton" <[email protected]>
Sent by: "The IBM z/VM Operating System" <[email protected]>
11/22/2010 04:47 PM
Subject: Question about SSL Service
I applied the PTFs UK59535 & UM33112 (as designated in PK97437) for z/VM
5.4 SSL today, but ran PUT2PROD before reading all the instructions as I
should have. The USER DIRECT entries were not present when I ran it (I
know, boneheaded maneuver). As a result, I believe the step for creating
the SFS entries didn't get completed.
Can I run SERVICE again and will it create the VMSYS:TCPMAINT.SSLPOOL_SSL
filepool and subsequent enrollment, or do I need to do more research on
creating this manually?
Thanks,
Dave Keeton
The information contained in this e-mail and any accompanying documents
may contain information that is confidential or otherwise protected from
disclosure. If you are not the intended recipient of this message, or if
this message has been addressed to you in error, please immediately alert
the sender by reply e-mail and then delete this message, including any
attachments. Any dissemination, distribution or other use of the contents
of this message by anyone other than the intended recipient is strictly
prohibited. All messages sent to and from this e-mail address may be
monitored as permitted by applicable law and regulations to ensure
compliance with our internal policies and to protect our business. E-mails
are not secure and cannot be guaranteed to be error free as they can be
intercepted, amended, lost or destroyed, or contain viruses. You are
deemed to have accepted these risks if you communicate with us by e-mail.
--
Dave Keeton
Systems Programmer
Mainframe Computing Svcs
Oregon State Data Center
Office: (503) 373-0832