Re: How do I see the end date for a certificate or key on z/OS 1.13 Tectia 6.4?

2016-09-21 Thread Charles Mills
I just looked at my code. There is no basic difference between the logic for a 
gskkyman key database name or RACF keyring name. If a product will accept one 
it should accept the other. You just need to be able to tell it "no stash file" 
-- and hopefully it is not doing something stupid like making sure the first 
character of the name is a slash.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Charles Mills
Sent: Tuesday, September 20, 2016 1:12 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: How do I see the end date for a certificate or key on z/OS 1.13 
Tectia 6.4?



I apologize - I have not been following this thread. From a programming point 
of view, USS and RACF managed certificates are pretty compatible. I am 
travelling but can get you more info if you need when I land.


Charles
Sent from a mobile; please excuse the brevity

-------- Original message --------
From: "Roach, Dennis" 
Date: 9/20/16  9:13 AM  (GMT-08:00)
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: How do I see the end date for a certificate or key on z/OS 1.13 
Tectia 6.4? 

Thanks for the replies. 
Unfortunately, the product was installed to use USS hostkeys files, with the 
user keys under the user's home directory, not RACF.
Since the product was ported from the UNIX/Linux/Windows environment, I have 
seen no documentation of it being able to use RACF.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: How do I see the end date for a certificate or key on z/OS 1.13 Tectia 6.4?

2016-09-20 Thread Charles Mills


I apologize - I have not been following this thread. From a programming point 
of view, USS and RACF managed certificates are pretty compatible. I am 
travelling but can get you more info if you need when I land.


Charles
Sent from a mobile; please excuse the brevity

-------- Original message --------
From: "Roach, Dennis"  
Date: 9/20/16  9:13 AM  (GMT-08:00) 
To: IBM-MAIN@LISTSERV.UA.EDU 
Subject: Re: How do I see the end date for a certificate or key on z/OS 1.13 
Tectia 6.4? 

Thanks for the replies. 
Unfortunately, the product was installed to use USS hostkeys files, with the 
user keys under the user's home directory, not RACF.
Since the product was ported from the UNIX/Linux/Windows environment, I have 
seen no documentation of it being able to use RACF.

For my certificates under RACF, I already have a report.

Dennis Roach, CISSP, PMP
AIG
IAM Access Administration – Consumer | Identity & Access Management

2929 Allen Parkway, America Building, 3rd Floor | Houston, TX 77019
Phone:  713-831-8799

dennis.ro...@aig.com | www.aig.com 

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Elardus Engelbrecht
Sent: Tuesday, September 20, 2016 2:06 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: How do I see the end date for a certificate or key on z/OS 1.13 
Tectia 6.4?

Reposting after some RTFM about Tectia and ssh-certview ;-)

That is an interesting product, not too bad. (www.ssh.com)

Roach, Dennis wrote:

>>We need to verify that our certificates are not about to expire. I tried 
>>ssh-certview and get the following messages:
>>1.   ssh2/id_rsa_2048_a.pub: Failed to open `.ssh2/id_rsa_2048_a.pub': 
>>Character set conversions not initialized: cannot convert from 'IBM-1047' to 
>>'ISO8859-1'.
>>2.   ssh-certview: Failed to autodetect the object type.
>>3.   Trying to decode the public key file - failed.
>>Anyone have an idea?

Can you perhaps post just the first two or three lines of that file? Perhaps 
the encoding scheme is not correct or you need some parameter to correctly read 
that file.

You can place that file in a dataset and then try out RACF to check that file's 
content.

RACDCERT CHECKCERT()

Alternatively, can you contact the vendor about this?

Groete / Greetings
Elardus Engelbrecht



Re: How do I see the end date for a certificate or key on z/OS 1.13 Tectia 6.4?

2016-09-20 Thread Charles Mills


Gskkyman will export it as a file.


Charles
Sent from a mobile; please excuse the brevity

-------- Original message --------
From: Phil Smith  
Date: 9/20/16  10:31 AM  (GMT-08:00) 
To: IBM-MAIN@LISTSERV.UA.EDU 
Subject: Re: How do I see the end date for a certificate or key on z/OS 1.13 
Tectia 6.4? 

>Unfortunately, the product was installed to use USS hostkeys files, with the 
>user keys under the user's home directory, not RACF.
>Since the product was ported from the UNIX/Linux/Windows environment, I have 
>seen no documentation of it being able to use RACF.

If you mean it's in a gskkyman database, go into the database, enter option 2 
("Manage Certificates"), select the certificate, then enter 1 ("Show 
certificate information") and it will show the dates, among other things.

If you still have the cert as a file, copy it down to a workstation and feed it 
to https://www.sslshopper.com/certificate-decoder.html or any of a myriad of 
other certificate examiners (google "examine certificate" to find more).
--
...phsiii

Phil Smith III
Senior Architect & Product Manager, Mainframe & Enterprise
Master Technologist
HPE Data Security

phs...@hpe.com
T 703-476-4511
M 703-568-6662
Hewlett Packard Enterprise
Herndon, VA



Re: How do I see the end date for a certificate or key on z/OS 1.13 Tectia 6.4?

2016-09-20 Thread Cieri, Anthony
If you have the certificate file, you can simply copy it to a temporary 
directory on any Windows-based PC.  Rename the file to have a .crt extension 
(you will have to click OK to the warning message). Then double-click on the 
file. Windows will display the certificate attributes, including the start and 
end dates!!! Discard when finished!!

HTH
Tony


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Phil Smith
Sent: Tuesday, September 20, 2016 1:31 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: How do I see the end date for a certificate or key on z/OS 1.13 
Tectia 6.4?

>Unfortunately, the product was installed to use USS hostkeys files, with the 
>user keys under the user's home directory, not RACF.
>Since the product was ported from the UNIX/Linux/Windows environment, I have 
>seen no documentation of it being able to use RACF.

If you mean it's in a gskkyman database, go into the database, enter option 2 
("Manage Certificates"), select the certificate, then enter 1 ("Show 
certificate information") and it will show the dates, among other things.

If you still have the cert as a file, copy it down to a workstation and feed it 
to https://www.sslshopper.com/certificate-decoder.html or any of a myriad of 
other certificate examiners (google "examine certificate" to find more).
--
...phsiii

Phil Smith III
Senior Architect & Product Manager, Mainframe & Enterprise Master Technologist 
HPE Data Security

phs...@hpe.com
T 703-476-4511
M 703-568-6662
Hewlett Packard Enterprise
Herndon, VA



Re: How do I see the end date for a certificate or key on z/OS 1.13 Tectia 6.4?

2016-09-20 Thread Phil Smith
>Unfortunately, the product was installed to use USS hostkeys files, with the 
>user keys under the user's home directory, not RACF.
>Since the product was ported from the UNIX/Linux/Windows environment, I have 
>seen no documentation of it being able to use RACF.

If you mean it's in a gskkyman database, go into the database, enter option 2 
("Manage Certificates"), select the certificate, then enter 1 ("Show 
certificate information") and it will show the dates, among other things.

If you still have the cert as a file, copy it down to a workstation and feed it 
to https://www.sslshopper.com/certificate-decoder.html or any of a myriad of 
other certificate examiners (google "examine certificate" to find more).
--
...phsiii

Phil Smith III
Senior Architect & Product Manager, Mainframe & Enterprise
Master Technologist
HPE Data Security

phs...@hpe.com
T 703-476-4511
M 703-568-6662
Hewlett Packard Enterprise
Herndon, VA
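
An offline way to read the end date from a certificate file copied off z/OS, added here as an example and not part of the thread. The function names and both samples are constructed for illustration, and Python's `cp037` codec is assumed as a stand-in for IBM-1047 (the PEM alphabet has the same code points in both). It also shows that a bare SSH public key file has no end date to report.

```python
import base64
from datetime import datetime, timezone

def to_text(raw):
    # ASCII PEM never uses bytes >= 0x80; EBCDIC letters and digits always do.
    # Assumption: cp037 stands in for IBM-1047 (same code points for PEM characters).
    return raw.decode("cp037" if any(b >= 0x80 for b in raw) else "ascii")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter (UTC)."""
    tbs = read_tlv(read_tlv(der, 0)[1], 0)[1]
    pos, seen = 0, 0
    while seen < 4:  # serial, signature algorithm, issuer, validity
        tag, validity, pos = read_tlv(tbs, pos)
        seen += tag != 0xA0  # the optional [0] version element is not counted
    tag, val, _ = read_tlv(validity, read_tlv(validity, 0)[2])
    utc = tag == 0x17  # UTCTime has a 2-digit year, GeneralizedTime has 4
    dt = datetime.strptime(val.decode("ascii"), "%y%m%d%H%M%SZ" if utc else "%Y%m%d%H%M%SZ")
    if utc and dt.year >= 2050:  # RFC 5280: YY >= 50 means 19YY
        dt = dt.replace(year=dt.year - 100)
    return dt.replace(tzinfo=timezone.utc)

def classify(raw):
    """Return (kind, expiry); expiry is None when the object has no end date."""
    lines = [l.strip() for l in to_text(raw).splitlines() if l.strip()]
    head = lines[0] if lines else ""
    if head == "-----BEGIN CERTIFICATE-----":
        body = "".join(l for l in lines if not l.startswith("-----"))
        return "x509-certificate", not_after(base64.b64decode(body))
    if head.startswith(("---- BEGIN SSH2 PUBLIC KEY", "ssh-")):
        return "ssh-public-key", None  # a bare public key carries no validity dates
    return "unknown", None

# Constructed samples: a DER skeleton (not a signed certificate) and an SSH2 key stub.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body
_validity = _tlv(0x30, _tlv(0x17, b"160101000000Z") + _tlv(0x17, b"170101000000Z"))
_tbs = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x30, b"") + _tlv(0x30, b"") + _validity)
SAMPLE_CERT = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(_tlv(0x30, _tbs)).decode()
               + "-----END CERTIFICATE-----\n").encode("cp037")
SAMPLE_KEY = "---- BEGIN SSH2 PUBLIC KEY ----\nAAAAB3NzaC1yc2E=\n---- END SSH2 PUBLIC KEY ----\n".encode("cp037")
```

Calling `classify(open(path, "rb").read())` on a file transferred in binary mode gives the object type and, for a certificate, its `notAfter` time.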



Re: How do I see the end date for a certificate or key on z/OS 1.13 Tectia 6.4?

2016-09-20 Thread Roach, Dennis
Thanks for the replies. 
Unfortunately, the product was installed to use USS hostkeys files, with the 
user keys under the user's home directory, not RACF.
Since the product was ported from the UNIX/Linux/Windows environment, I have 
seen no documentation of it being able to use RACF.

For my certificates under RACF, I already have a report.

Dennis Roach, CISSP, PMP
AIG
IAM Access Administration – Consumer | Identity & Access Management

2929 Allen Parkway, America Building, 3rd Floor | Houston, TX 77019
Phone:  713-831-8799

dennis.ro...@aig.com | www.aig.com 

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Elardus Engelbrecht
Sent: Tuesday, September 20, 2016 2:06 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: How do I see the end date for a certificate or key on z/OS 1.13 
Tectia 6.4?

Reposting after some RTFM about Tectia and ssh-certview ;-)

That is an interesting product, not too bad. (www.ssh.com)

Roach, Dennis wrote:

>>We need to verify that our certificates are not about to expire. I tried 
>>ssh-certview and get the following messages:
>>1.   ssh2/id_rsa_2048_a.pub: Failed to open `.ssh2/id_rsa_2048_a.pub': 
>>Character set conversions not initialized: cannot convert from 'IBM-1047' to 
>>'ISO8859-1'.
>>2.   ssh-certview: Failed to autodetect the object type.
>>3.   Trying to decode the public key file - failed.
>>Anyone have an idea?

Can you perhaps post just the first two or three lines of that file? Perhaps 
the encoding scheme is not correct or you need some parameter to correctly read 
that file.

You can place that file in a dataset and then try out RACF to check that file's 
content.

RACDCERT CHECKCERT()

Alternatively, can you contact the vendor about this?

Groete / Greetings
Elardus Engelbrecht



Re: How do I see the end date for a certificate or key on z/OS 1.13 Tectia 6.4?

2016-09-20 Thread Elardus Engelbrecht
Reposting after some RTFM about Tectia and ssh-certview ;-)

That is an interesting product, not too bad. (www.ssh.com)

Roach, Dennis wrote:

>>We need to verify that our certificates are not about to expire. I tried 
>>ssh-certview and get the following messages:
>>1.   ssh2/id_rsa_2048_a.pub: Failed to open `.ssh2/id_rsa_2048_a.pub': 
>>Character set conversions not initialized: cannot convert from 'IBM-1047' to 
>>'ISO8859-1'.
>>2.   ssh-certview: Failed to autodetect the object type.
>>3.   Trying to decode the public key file - failed.
>>Anyone have an idea?

Can you perhaps post just the first two or three lines of that file? Perhaps 
the encoding scheme is not correct or you need some parameter to correctly read 
that file.

You can place that file in a dataset and then try out RACF to check that file's 
content.

RACDCERT CHECKCERT()

Alternatively, can you contact the vendor about this?

Groete / Greetings
Elardus Engelbrecht



Re: How do I see the end date for a certificate or key on z/OS 1.13 Tectia 6.4?

2016-09-19 Thread Elardus Engelbrecht
Roach, Dennis wrote:

>We need to verify that our certificates are not about to expire. I tried 
>ssh-certview and get the following messages:
>1.   ssh2/id_rsa_2048_a.pub: Failed to open `.ssh2/id_rsa_2048_a.pub': 
>Character set conversions not initialized: cannot convert from 'IBM-1047' to 
>'ISO8859-1'.
>2.   ssh-certview: Failed to autodetect the object type.
>3.   Trying to decode the public key file - failed.
>Anyone have an idea?

A$$uming your certs are in RACF, you could try out J.O. Skip Robinson's 
excellent suggestion. (RACDCERT CERTAUTH or
RACDCERT SITE or RACDCERT ID(user-id) )

From z/OS v2.1, there is a Health Check where you can see all Certificates soon 
to expire in 60 days. 

If there are any such certs, you will see IRRH276E.

Sorry, but I am for now not familiar with ssh-certview. Something for me to 
RTFM about... ;-)

PS: What is 'Tectia 6.4'?

Groete / Greetings
Elardus Engelbrecht



Re: How do I see the end date for a certificate or key on z/OS 1.13 Tectia 6.4?

2016-09-19 Thread Jesse 1 Robinson
Try this TSO command. You'll get more data than you want, but somewhere in 
there should be the info you're after. 

RACDCERT list certauth

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Roach, Dennis
Sent: Monday, September 19, 2016 7:06 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):How do I see the end date for a certificate or key on z/OS 
1.13 Tectia 6.4?

We need to verify that our certificates are not about to expire. I tried 
ssh-certview and get the following messages:
1.   ssh2/id_rsa_2048_a.pub: Failed to open `.ssh2/id_rsa_2048_a.pub': 
Character set conversions not initialized: cannot convert from 'IBM-1047' to 
'ISO8859-1'.
2.   ssh-certview: Failed to autodetect the object type.
3.   Trying to decode the public key file - failed.
Anyone have an idea?


Dennis Roach, CISSP, PMP
AIG
IAM Access Administration - Consumer | Identity & Access Management

2929 Allen Parkway, America Building, 3rd Floor | Houston, TX 77019
Phone:  713-831-8799

dennis.ro...@aig.com | www.aig.com



How do I see the end date for a certificate or key on z/OS 1.13 Tectia 6.4?

2016-09-19 Thread Roach, Dennis
We need to verify that our certificates are not about to expire. I tried 
ssh-certview and get the following messages:
1.   ssh2/id_rsa_2048_a.pub: Failed to open `.ssh2/id_rsa_2048_a.pub': 
Character set conversions not initialized: cannot convert from 'IBM-1047' to 
'ISO8859-1'.
2.   ssh-certview: Failed to autodetect the object type.
3.   Trying to decode the public key file - failed.
Anyone have an idea?


Dennis Roach, CISSP, PMP
AIG
IAM Access Administration - Consumer | Identity & Access Management

2929 Allen Parkway, America Building, 3rd Floor | Houston, TX 77019
Phone:  713-831-8799

dennis.ro...@aig.com | 
www.aig.com

