Re: Firefox and HMC self-signed cert

2023-09-02 Thread Grant Taylor

On 9/2/23 11:41 AM, Peter Sylvester wrote:

> Hi,


Hi,


> I do not really know what I am trying to explain, but anyway.


I've found that sharing what I understand something to be is beneficial for 
multiple reasons:


1)  articulating it often helps clarify what I'm trying to articulate
2)  it gives others more in the know an opportunity to see what I'm 
thinking and hopefully correct me if I'm wrong


> IBM has made a kind of minimal security approach to access an HMC using 
> https, i.e. a self-signed cert.


It's not just IBM.

Using self-signed certificates is sort of the minimum bar for entering 
the TLS / encrypted HTTPS ecosystem.  A minimum if you will.


Hopefully there are supported and easily accessible ways to change and 
use the TLS certificate provided by the end user and / or (re)generate a 
new self-signed certificate.


I'm simplifying by eliding the associated key which should also be 
changed from factory default.


If TLS / encrypted HTTPS is enabled by default -- something that I would 
hope is the case in 2023 -- I hope that it is generated upon first power 
up.  As in if it doesn't exist (in the distribution image) one is 
automatically generated on IPL.


> IBM also documents how one can change this, i.e. generate a key pair, a 
> CSR, get certified by "some" CA, then upload the key and cert. Example 
> uses openssl on Windows :-)


:-)


> Who cares


More people than you might realize.  Probably for different reasons.

> You need to have the cert chain as trusted in your browser; so far, 
> purely technical.


> Which "PKI" to select?  The global web PKI, probably not, at least not 
> necessary; the HMC is in some intranet, or so.


There is a decent chance that you can't use a public CA / public PKI 
because of restrictions on externally unique names.  This extends into 
problems with private IP addresses.


> A company PKI (intranet). Yes, if it exists. The first thing IMO is to 
> find out if there is a company PKI or at least a policy, etc.


Agreed.


> Tom went for the "minimal" solution, create a minimal dedicated "PKI":


:-)

> Technically, take whatever vanilla PC, create a root, create a cert, 
> take the server key and cert and the CA cert to a USB and then delete the 
> content of the PC. Lifetime long enough so either the HMC or you can 
> retire :-) Well, I'm provoking.


Agreed, some technical minutiae notwithstanding.  The CA doesn't need 
and shouldn't have access to the HMC's key.



> On Linux you could use "script" to have a log.

> Upload the server cert/key to the HMC, and delete them.


Ideally, the HMC will (re)generate its own key and CSR.  Take /just/ 
the CSR and have it signed by the CA.



> Install the CA cert on any PC that needs access to the HMC.


Yep.


> This is what Tom has done, at least some parts.

> Thus, there is only one certificate created by the CA.


Technically, there are two, the CA's (self-signed) certificate used to 
sign CSRs and the HMC's cert.


> All this is documented, but maybe not necessarily using the IETF text as 
> a template; it is very detailed, and if you understand it at once, I'll 
> kill myself :-) or not.


Ya.  I've been less than thrilled with IETF working groups more times 
than I can remember.  The process leaves me wanting.



> Anyway, validate the procedure with the company CISO.


Ya.  That could be an interesting conversation.  Probably educational.

What's the better overall security posture?

 - Using self-signed certificates and teaching employees to ignore 
certificate warnings?
 - Installing a bunch of certificates in the client systems?
 - Installing one certificate from the Enterprise CA in the client systems?
 - Exposing internal system names via Certificate Transparency when 
using a public CA / public PKI?


> If the company has a "company" PKI, and is able to make server certs, 
> well, do this.


I largely agree.  But depending on how old said PKI is, it might not 
generate certificates up to contemporary standards.


> One usual question: who is generating the server private key? IBM could 
> have made an HMC function to generate it and create a CSR to download, btw.


That's a very good question.


> Have fun


:-)

You too.



--
Grant. . . .
unix || die

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Firefox and HMC self-signed cert

2023-09-02 Thread Radoslaw Skorupka

On 02.09.2023 at 18:41, Peter Sylvester wrote:

> Hi,
>
> I do not really know what I am trying to explain, but anyway.
>
> IBM has made a kind of minimal security approach to access an HMC using 
> https, i.e. a self-signed cert.
>
> IBM also documents how one can change this, i.e. generate a key pair, 
> a CSR, get certified by "some" CA, then upload the key and cert. 
> Example uses openssl on Windows :-)  Who cares
>
> You need to have the cert chain as trusted in your browser; so far, 
> purely technical.
>
> Which "PKI" to select?  The global web PKI, probably not, at least not 
> necessary; the HMC is in some intranet, or so.
>
> A company PKI (intranet). Yes, if it exists. The first thing IMO is 
> to find out if there is a company PKI or at least a policy, etc.
>
> Tom went for the "minimal" solution, create a minimal dedicated "PKI":
>
> Technically, take whatever vanilla PC, create a root, create a cert, 
> take the server key and cert and the CA cert to a USB and then delete the 
> content of the PC. Lifetime long enough so either the HMC or you can 
> retire :-) Well, I'm provoking.
>
> On Linux you could use "script" to have a log.
>
> Upload the server cert/key to the HMC, and delete them.
>
> Install the CA cert on any PC that needs access to the HMC.
>
> This is what Tom has done, at least some parts.
>
> Thus, there is only one certificate created by the CA.
>
> All this is documented, but maybe not necessarily using the IETF text as 
> a template; it is very detailed, and if you understand it at once, I'll 
> kill myself :-) or not.
>
> Anyway, validate the procedure with the company CISO.
>
> If the company has a "company" PKI, and is able to make server certs, 
> well, do this.
>
> One usual question: who is generating the server private key? IBM 
> could have made an HMC function to generate it and create a CSR to 
> download, btw.




Actually I'm aware of this technical possibility. However, using my own 
CA is not allowed.
In the past (and in another shop) I did create a CA in a z/OS sandbox and used 
it for any need. However, it was a long time before security folks 
"invented" and took over the management of the internal company CA.


In parallel I'm trying to convince some folks to request a 
certificate signed by the company CA.



Regards
--
Radoslaw Skorupka
Lodz, Poland



Re: Firefox and HMC self-signed cert

2023-09-02 Thread Peter Sylvester

Hi,

I do not really know what I am trying to explain, but anyway.

IBM has made a kind of minimal security approach to access an HMC using https, 
i.e. a self-signed cert.

IBM also documents how one can change this, i.e. generate a key pair, a CSR, get certified by "some" 
CA, then upload the key and cert. Example uses openssl on Windows :-)  Who cares


You need to have the cert chain as trusted in your browser; so far, purely 
technical.

Which "PKI" to select?  The global web PKI, probably not, at least not necessary; the HMC is in some 
intranet, or so.


A company PKI (intranet). Yes, if it exists. The first thing IMO is to find out if there is a 
company PKI or at least a policy, etc.


Tom went for the "minimal" solution, create a minimal dedicated "PKI":

Technically, take whatever vanilla PC, create a root, create a cert, take the server key and cert 
and the CA cert to a USB and then delete the content of the PC. Lifetime long enough so either the HMC or 
you can retire :-) Well, I'm provoking.


On Linux you could use "script" to have a log.

Upload the server cert/key to the HMC, and delete them.

Install the CA cert on any PC that needs access to the HMC.

This is what Tom has done, at least some parts.

Thus, there is only one certificate created by the CA.

All this is documented, but maybe not necessarily using the IETF text as a template; it is very detailed, 
and if you understand it at once, I'll kill myself :-) or not.


Anyway, validate the procedure with the company CISO.

If the company has a "company" PKI, and is able to make server certs, well, do 
this.

One usual question: who is generating the server private key? IBM could have made an HMC function to 
generate it and create a CSR to download, btw.



Have fun

Peter
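As an added example (not code from IBM, the HMC, or any participant in this thread), the Go program below walks through the minimal dedicated PKI Peter describes above, with the split Grant asks for in his reply: the HMC side generates its own key and CSR, the CA signs only the CSR, and a client that has nothing but the CA certificate installed verifies the result for the host it connected to. The host name hmc1.example.internal and the CA name are constructed, 10.10.10.10 is the address from Radoslaw's messages, and only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// newRootCA is the "create a root" step on the vanilla PC: a self-signed CA certificate.
func newRootCA(lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example HMC Root CA"}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(lifetime),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// hmcCSR stands in for the HMC generating its own key pair and CSR; only the CSR leaves.
func hmcCSR(host string, ip net.IP) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stays on the HMC
	if err != nil {
		return nil, err
	}
	req := &x509.CertificateRequest{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host},
		IPAddresses: []net.IP{ip},
	}
	return x509.CreateCertificateRequest(rand.Reader, req, key)
}

// signCSR is the CA's only job: names come from the CSR, usages are dictated by the CA.
func signCSR(csrDER []byte, ca *x509.Certificate, caKey *ecdsa.PrivateKey, lifetime time.Duration) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof the requester holds the key
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		IPAddresses:  csr.IPAddresses,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(lifetime),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildMiniPKI runs the procedure end to end and returns what survives it: the CA cert
// (for client PCs) and the HMC cert. The CA key is a local dropped on return, the code
// equivalent of wiping the vanilla PC.
func buildMiniPKI() (caCert, hmcCert *x509.Certificate, err error) {
	caCert, caKey, err := newRootCA(10 * 365 * 24 * time.Hour)
	if err != nil {
		return nil, nil, err
	}
	csrDER, err := hmcCSR("hmc1.example.internal", net.ParseIP("10.10.10.10")) // constructed host
	if err == nil {
		hmcCert, err = signCSR(csrDER, caCert, caKey, 365*24*time.Hour)
	}
	return caCert, hmcCert, err
}

// clientTrusts mimics a browser connecting to connectedHost with installedCA in its
// trust store (nil: CA cert never installed). Only the CA's public key is needed, and
// X.509 knows nothing of TCP ports, so 443 and 99xx verify alike.
func clientTrusts(hmcCert, installedCA *x509.Certificate, connectedHost string) error {
	roots := x509.NewCertPool()
	if installedCA != nil {
		roots.AddCert(installedCA)
	}
	_, err := hmcCert.Verify(x509.VerifyOptions{Roots: roots, DNSName: connectedHost})
	return err
}
```

Because verification only ever uses the CA's public key, the CA private key can be destroyed once the HMC certificate is issued (Charles's point later in the thread), at the cost of never being able to issue a renewal without starting over.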







Re: Firefox and HMC self-signed cert

2023-08-31 Thread Radoslaw Skorupka
Unfortunately SE "single object operations" is not the only case when 
port 99xx is being used.
I can't check it now, but I'm pretty sure there are more features using 
a new window and a new port.
Sometimes the port is reused, so every new warning reduces the 
possibility of the next one.



--
Radoslaw Skorupka
Lodz, Poland



On 30.08.2023 at 21:50, Tom Brennan wrote:
> In my limited experience I logon to the HMC port 443 as usual, but 
> then a switch to single-object-operations redirects me to the same URL 
> but with :995x appended.  Can I assume this switch happens when you go 
> to SOO or perhaps do something else requiring the SE?
>
> Wild guessing: If the OS on this HMC runs something like Apache, then 
> the httpd parms might have VirtualHost sections, each of which could 
> contain a different port number.  The VirtualHost section can also 
> specify what certificate to use, so potentially, each port could be 
> using a different certificate, and then yeah, I could see this problem 
> happening and dependent on port.
>
> Sorry though, I don't know enough about browsers to know if there is a 
> solution there or not.
>
> On 8/30/2023 11:42 AM, Radoslaw Skorupka wrote:
>> Unfortunately no. It *is* a matter of ports.
>> I add the self-signed certificate whenever I connect the first time 
>> (meaning well-known appliances).
>>
>> And further connects work without warning.
>> And of course the certificate is on the list of server certificates.
>> However there are many entries for the same IP with different port 
>> values. And every new port means a warning.
>> I would like to have some generic entry like https://10.10.10.10:* or 
>> https://10.10.10.10:1-1








Re: Firefox and HMC self-signed cert

2023-08-30 Thread Tom Brennan
In my limited experience I logon to the HMC port 443 as usual, but then 
a switch to single-object-operations redirects me to the same URL but 
with :995x appended.  Can I assume this switch happens when you go to 
SOO or perhaps do something else requiring the SE?


Wild guessing: If the OS on this HMC runs something like Apache, then 
the httpd parms might have VirtualHost sections, each of which could 
contain a different port number.  The VirtualHost section can also 
specify what certificate to use, so potentially, each port could be 
using a different certificate, and then yeah, I could see this problem 
happening and dependent on port.


Sorry though, I don't know enough about browsers to know if there is a 
solution there or not.


On 8/30/2023 11:42 AM, Radoslaw Skorupka wrote:
> Unfortunately no. It *is* a matter of ports.
> I add the self-signed certificate whenever I connect the first time 
> (meaning well-known appliances).
>
> And further connects work without warning.
> And of course the certificate is on the list of server certificates.
> However there are many entries for the same IP with different port values. 
> And every new port means a warning.
> I would like to have some generic entry like https://10.10.10.10:* or 
> https://10.10.10.10:1-1






Re: Firefox and HMC self-signed cert

2023-08-30 Thread Radoslaw Skorupka

On 29.08.2023 at 21:34, Grant Taylor wrote:
> On 8/29/23 12:13 PM, Tom Brennan wrote:
>> I trust your certificate experience.  But let's get back to the HMC 
>> issue for a second.  So the only secure way to get rid of the Firefox 
>> warnings and red messages is to use an externally-signed certificate 
>> (paid for), and I think that means a manual process to update the HMC 
>> web cert/key every year.  Or is there an easier way?
>
> Can you bust the HMC down to use unencrypted HTTP instead of encrypted 
> HTTPS?  --  It would get rid of the red bar.  }:-)
>
> If you want encrypted HTTPS, you will need a certificate that the 
> client you are using trusts.
>
> Where that certificate comes from is up to you / your organization.


An http (not https) connection was possible until HMC 1.8.x, the last OS/2-based one.
Since HMC 2.9.x (z9) and Linux-based HMCs the only option is https.
BTW: Nowadays it is very hard to connect to such an old HMC, because old 
encryption suites are no longer supported by any current browser. Even 
in "I understand the risk" mode. The only solution is to use a backlevel 
workstation with a backlevel browser and backlevel Java.

However this is a completely different story.
My story is I *cannot* change the certificate on some machine. It is not a 
technical but an organizational issue, and that's all I can say about it. 
Of course I can live with recurring warnings, but it is far from 
convenient and somehow dangerous: it tames me to involuntarily accept 
such warnings. :-(


--
Radoslaw Skorupka
Lodz, Poland



Re: Firefox and HMC self-signed cert

2023-08-30 Thread Radoslaw Skorupka

Unfortunately no. It *is* a matter of ports.
I add the self-signed certificate whenever I connect the first time 
(meaning well-known appliances).

And further connects work without warning.
And of course the certificate is on the list of server certificates.
However there are many entries for the same IP with different port values. 
And every new port means a warning.
I would like to have some generic entry like https://10.10.10.10:* or 
https://10.10.10.10:1-1


--
Radoslaw Skorupka
Lodz, Poland



On 29.08.2023 at 00:38, Peter Vels wrote:
> It's not about the port.  You need to add the self-signed certificate to
> Firefox’s list of trusted certificates.
>
> On Tue, 29 Aug 2023 at 05:50, Radoslaw Skorupka <
> 0471ebeac275-dmarc-requ...@listserv.ua.edu> wrote:
>
>> Disclaimer: I know it is a much better idea to use a "regular" certificate
>> signed by a CA instead of a self-signed one. However I have to work on some
>> HMCs which use a self-signed certificate.
>> So far, so good.
>> When I connect the first time I get a warning message on my Firefox browser. I
>> accept the risk and further connections do not raise an alarm.
>> However some new windows use the HMC address and a different port, like 99xx.
>> Every time a new port is used the warning is issued again and again.
>>
>> Question: is there any method to customize Firefox to accept the same
>> certificate coming from the same HMC address on *any port*?
>>
>> --
>> Radoslaw Skorupka
>> Lodz, Poland





Re: Firefox and HMC self-signed cert

2023-08-30 Thread Grant Taylor

On 8/30/23 12:42 AM, Tom Brennan wrote:
> I've been told by IBMers not to talk about such things, so I need to 
> drop out now.


Chuckle.

Fair enough.

I'm just talking about a special purpose Linux box from a vendor to run 
a vendor application.  ;-)


I hoist my coffee to you.

Have a good day.



--
Grant. . . .
unix || die



Re: Firefox and HMC self-signed cert

2023-08-30 Thread Grant Taylor

On 8/29/23 9:49 PM, Tom Brennan wrote:
> Just to be clear, I'm not talking about doing anything to the HMC that 
> isn't sanctioned by IBM.


I assumed as much.

> And pardon me if you already know this, but HMCs are really locked 
> down.


Well ... IBM took a reasonable pass at making the older HMCs that I've 
worked on recently take a little bit of effort to get in and do things.



> For example, no command line access even when standing at the machine.


I was poking around on $WORK's older HMCs three weeks ago and, as a well 
seasoned Linux administrator, found it not quite trivial to get into the 
underlying Linux OS and do whatever I wanted to.


I'll just say that if you're familiar with how Linux boots and what 
different things do, it's one transient non-persistent edit away from 
dropping you at a root shell prompt where you can make any change that 
you want to on the system.


Obviously this is not sanctioned by IBM.

I'm dealing with hardware that is so far out of support that it's not 
even funny.


But under the hood, it's Linux that looks STRIKINGLY like a heavily 
modified Red Hat / CentOS 6.x generation with all visible branding removed.


I've since had someone tell me that there is a method to get a normal 
shell on an HMC.  I speculate it's reminiscent of padmin on VIOS where 
you log in for vtmenu and then do something not well documented.


A quick web search reveals that there is a root account with a less well 
known password.


When you're willing to do unsupported things on hardware that isn't 
capable of being supported, you can do some amazing things if you want 
to.  }:-)


PSA, the HMC that I looked at used file system labels to identify which 
file system was to be mounted where.  So ... which file system with the 
label of "/" is mounted when there are two of them?  }:-)




--
Grant. . . .
unix || die



Re: Firefox and HMC self-signed cert

2023-08-29 Thread Tom Brennan
I've been told by IBMers not to talk about such things, so I need to 
drop out now.


On 8/29/2023 10:05 PM, Grant Taylor wrote:

> On 8/29/23 9:49 PM, Tom Brennan wrote:
>> Just to be clear, I'm not talking about doing anything to the HMC that 
>> isn't sanctioned by IBM.
>
> I assumed as much.
>
>> And pardon me if you already know this, but HMCs are really locked down.
>
> Well ... IBM took a reasonable pass at making the older HMCs that I've 
> worked on recently take a little bit of effort to get in and do things.
>
>> For example, no command line access even when standing at the machine.
>
> I was poking around on $WORK's older HMCs three weeks ago and, as a well 
> seasoned Linux administrator, found it not quite trivial to get into the 
> underlying Linux OS and do whatever I wanted to.
>
> I'll just say that if you're familiar with how Linux boots and what 
> different things do, it's one transient non-persistent edit away from 
> dropping you at a root shell prompt where you can make any change that 
> you want to on the system.
>
> Obviously this is not sanctioned by IBM.
>
> I'm dealing with hardware that is so far out of support that it's not 
> even funny.
>
> But under the hood, it's Linux that looks STRIKINGLY like a heavily 
> modified Red Hat / CentOS 6.x generation with all visible branding removed.
>
> I've since had someone tell me that there is a method to get a normal 
> shell on an HMC.  I speculate it's reminiscent of padmin on VIOS where 
> you log in for vtmenu and then do something not well documented.
>
> A quick web search reveals that there is a root account with a less well 
> known password.
>
> When you're willing to do unsupported things on hardware that isn't 
> capable of being supported, you can do some amazing things if you want 
> to.  }:-)
>
> PSA, the HMC that I looked at used file system labels to identify which 
> file system was to be mounted where.  So ... which file system with the 
> label of "/" is mounted when there are two of them?  }:-)








Re: Firefox and HMC self-signed cert

2023-08-29 Thread Tom Brennan
Just to be clear, I'm not talking about doing anything to the HMC that 
isn't sanctioned by IBM.  And pardon me if you already know this, but 
HMCs are really locked down.  For example, no command line access even 
when standing at the machine.


On 8/29/2023 6:30 PM, Grant Taylor wrote:

> On 8/29/23 6:39 PM, Tom Brennan wrote:
>> It's those last couple of steps that I assume would need to be done 
>> manually on an HMC via GUI.
>
> I have no idea if IBM offers a supported solution or not.
>
> I would wager that there are some unsupported solutions that IBM would 
> wag a finger at you for doing.  But who's going to do that on a piece of 
> equipment supporting a mainframe?
>
> The three things that come to mind in the order of most benign to most 
> radical are:
>
>   - Script interactions across the HTTP(S) ports pretending to be a user 
> walking through the motions with the necessary GET / POST / etc. method 
> calls.
>
>   - Enable -- what I assume is unsupported SSH access to an HMC and 
> remotely run commands to manage certificates.
>
>   - Really throw caution to the wind and install an ACME client on the 
> HMC and get it some sort of Internet connectivity (likely via proxy).
>
> The first is probably the only thing that IBM would say doesn't 
> invalidate support / warranty.
>
>> Or maybe IBM has addressed this and provides an API or similar?
>
> I hope so.  But I'm not holding my breath.
>
>> I never asked, possibly because every HMC I've ever touched, whether 
>> mainframe or peripheral, came up with a self-signed key warning.
>
> Ya.  Pardon while I go over into a corner and cry.
>
>> But in their defense, most are only accessible in the datacenter or 
>> behind a difficult-to-access jump box.
>
> I've had the broken TLS cert cause problems, particularly when Java gets 
> involved.
>
> I've found that making the client system as happy with the cert as 
> possible usually yields the best / most long-term results.








Re: Firefox and HMC self-signed cert

2023-08-29 Thread Grant Taylor

On 8/29/23 6:39 PM, Tom Brennan wrote:
> It's those last couple of steps that I assume would need to be done 
> manually on an HMC via GUI.


I have no idea if IBM offers a supported solution or not.

I would wager that there are some unsupported solutions that IBM would 
wag a finger at you for doing.  But who's going to do that on a piece of 
equipment supporting a mainframe?


The three things that come to mind in the order of most benign to most 
radical are:


 - Script interactions across the HTTP(S) ports pretending to be a user 
walking through the motions with the necessary GET / POST / etc. method 
calls.


 - Enable -- what I assume is unsupported SSH access to an HMC and 
remotely run commands to manage certificates.


 - Really throw caution to the wind and install an ACME client on the 
HMC and get it some sort of Internet connectivity (likely via proxy).


The first is probably the only thing that IBM would say doesn't 
invalidate support / warranty.



> Or maybe IBM has addressed this and provides an API or similar?


I hope so.  But I'm not holding my breath.

> I never asked, possibly because every HMC I've ever touched, whether 
> mainframe or peripheral, came up with a self-signed key warning.


Ya  Pardon while I go over into a corner and cry.

> But in their defense, most are only accessible in the datacenter or 
> behind a difficult-to-access jump box.


I've had the broken TLS cert cause problems, particularly when Java gets 
involved.


I've found that making the client system as happy with the cert as 
possible usually yields the best / most long-term results.




--
Grant. . . .
unix || die



Re: Firefox and HMC self-signed cert

2023-08-29 Thread Tom Brennan
I looked at letsencrypt and zerossl and decided on zero because I liked 
the support, the 1 year certs, and their API.  The API supports ACME but 
hey, I call myself a programmer so I rolled my own.  I use their email 
authentication through an automated method I created, but they do have 
DNS record authentication too.  And of course a script runs on my server 
to put the new certs in place and reload httpd.


It's those last couple of steps that I assume would need to be done 
manually on an HMC via GUI.  Or maybe IBM has addressed this and 
provides an API or similar?  I never asked, possibly because every HMC 
I've ever touched, whether mainframe or peripheral, came up with a 
self-signed key warning.  But in their defense, most are only accessible 
in the datacenter or behind a difficult-to-access jump box.


On 8/29/2023 12:38 PM, Grant Taylor wrote:
> Let's Encrypt supports multiple authentication methods.  One of which is 
> DNS based and can be used to authenticate an FQDN that can be resolved 
> via the public DNS tree.
>
> This means that you can use an ACME client which supports DNS 
> authentication -- there are multiple -- to request a certificate for an 
> FQDN that is not accessible from the Internet.  Ergo it is possible to 
> get a certificate that is signed by Let's Encrypt, a well known CA, 
> which you can then install in your HMC.
>
> However, this will become labor intensive as you will need to do this 
> roughly every 90 days.
>
> You could also play other games wherein you have an Internet accessible 
> web server running a fully automated ACME client.  Have it act as a 
> proxy of sorts to provide a certificate and key for use on the HMC.  -- 
> Is this advisable, nope, not at all.  Would it work, I think so.  I'd 
> bet a fast food meal that it would work.
>
> Aside:  What is a "real CA" other than one that has their root 
> certificate(s) installed in clients?  }:-)








Re: Firefox and HMC self-signed cert

2023-08-29 Thread Grant Taylor

On 8/29/23 3:38 PM, Charles Mills wrote:

> Not true for a CA root.
>
> Thought experiment: if DigiCert were to misplace their root private 
> key, would you now be unable to log into amazon.com? (There would be 
> very disruptive long-term implications, but things would continue to 
> work in the medium term even without the private key.)
>
> The private key is necessary to be able to *issue* certificates. Tom's 
> scenario, while it may have some other shortcomings, would work 
> exactly as Tom supposes.


Fair enough.

I was thinking about a web / email / etc. server not being able to 
provide encrypted connections without the key being accessible.




Grant. . . .



Re: Firefox and HMC self-signed cert

2023-08-29 Thread Charles Mills
> The certificate is only good if you have the associated key.

> If you don't have the key, the certificate isn't worth the disk space 
> that it takes up.

Not true for a CA root. 

Thought experiment: if DigiCert were to misplace their root private key, would 
you now be unable to log into amazon.com? (There would be very disruptive 
long-term implications, but things would continue to work in the medium term 
even without the private key.)

The private key is necessary to be able to *issue* certificates. Tom's 
scenario, while it may have some other shortcomings, would work exactly as Tom 
supposes.

Charles-

On Tue, 29 Aug 2023 14:40:19 -0500, Grant Taylor  
wrote:

>On 8/29/23 2:32 PM, Tom Brennan wrote:
>> Sorry - not clear.  What I meant was that in this case I ran openssl on
>> Linux, not on Windows as Charles thought.
>
>Fair enough.
>
>> What if I deleted the CA key file after creating the one web cert I
>> needed?  That would probably solve the security issue Charles mentioned,
>> but then I would need a long-term web cert, maybe not possible anymore
>> with the browser cap you mentioned.
>
>That's not going to work the way you want.
>
>The certificate is only good if you have the associated key.
>
>If you don't have the key, the certificate isn't worth the disk space
>that it takes up.



Re: Firefox and HMC self-signed cert

2023-08-29 Thread Grant Taylor

On 8/29/23 2:32 PM, Tom Brennan wrote:
> Sorry - not clear.  What I meant was that in this case I ran openssl on 
> Linux, not on Windows as Charles thought.


Fair enough.

> What if I deleted the CA key file after creating the one web cert I 
> needed?  That would probably solve the security issue Charles mentioned, 
> but then I would need a long-term web cert, maybe not possible anymore 
> with the browser cap you mentioned.


That's not going to work the way you want.

The certificate is only good if you have the associated key.

If you don't have the key, the certificate isn't worth the disk space 
that it takes up.




Grant. . . .



Re: Firefox and HMC self-signed cert

2023-08-29 Thread Grant Taylor

On 8/29/23 12:58 PM, Charles Mills wrote:
> https://letsencrypt.org/ provides free automated "real CA" 
> certificates. IIRC they only support requests made using the "ACME" 
> automation protocol. Will the HMC support that?


Let's Encrypt supports multiple authentication methods.  One of which is 
DNS based and can be used to authenticate an FQDN that can be resolved 
via the public DNS tree.


This means that you can use an ACME client which supports DNS 
authentication -- there are multiple -- to request a certificate for an 
FQDN that is not accessible from the Internet.  Ergo it is possible to 
get a certificate that is signed by Let's Encrypt, a well known CA, 
which you can then install in your HMC.


However, this will become labor intensive as you will need to do this 
roughly every 90 days.


You could also play other games wherein you have an Internet accessible 
web server running a fully automated ACME client.  Have it act as a 
proxy of sorts to provide a certificate and key for use on the HMC.  -- 
Is this advisable, nope, not at all.  Would it work, I think so.  I'd 
bet a fast food meal that it would work.


Aside:  What is a "real CA" other than one that has their root 
certificate(s) installed in clients?  }:-)




--
Grant. . . .



Re: Firefox and HMC self-signed cert

2023-08-29 Thread Grant Taylor

On 8/29/23 12:13 PM, Tom Brennan wrote:
> I trust your certificate experience.  But let's get back to the HMC 
> issue for a second.  So the only secure way to get rid of the Firefox 
> warnings and red messages is to use an externally-signed certificate 
> (paid for), and I think that means a manual process to update the HMC 
> web cert/key every year.  Or is there an easier way?


Can you bust the HMC down to use unencrypted HTTP instead of encrypted 
HTTPS?  --  It would get rid of the red bar.  }:-)


If you want encrypted HTTPS, you will need a certificate that the client 
you are using trusts.


Where that certificate comes from is up to you / your organization.



--
Grant. . . .



Re: Firefox and HMC self-signed cert

2023-08-29 Thread Tom Brennan
Sorry - not clear.  What I meant was that in this case I ran openssl on 
Linux, not on Windows as Charles thought.


What if I deleted the CA key file after creating the one web cert I 
needed?  That would probably solve the security issue Charles mentioned, 
but then I would need a long-term web cert, maybe not possible anymore 
with the browser cap you mentioned.


On 8/29/2023 12:08 PM, Grant Taylor wrote:

On 8/29/23 12:07 PM, Tom Brennan wrote:

All true I think, except it's openssl on Linux not Windows.


OpenSSL is multi-platform and can run on Windows a myriad of ways, if 
not natively.


Aside:  The Enterprise CA can also be done with things other than OpenSSL.







Re: Firefox and HMC self-signed cert

2023-08-29 Thread Grant Taylor

On 8/29/23 10:46 AM, Charles Mills wrote:
Don't want to get into one of the peeing contests that have become 
all too common here.


Neither do I.

I do want to have a polite and professional discussion about what things 
are capable of.


Hopefully I'll learn things from you -- I usually do.  :-D  Maybe, if 
I'm very lucky, I'll teach you something.  :-)


Let me just say that never mind any enterprise PKI CA constraints, 
I think Tom was talking about OpenSSL on a PC.


Why elide what is a very germane safety component?  That being 
restricting what a given CA is allowed to sign?


OpenSSL stores private keys -- private keys -- in a pretty accessible 
format.


OpenSSL /can/ store the private key in a file.

OpenSSL /can/ /also/ depend on something like a YubiKey to store the 
private key.


If I can get into Tom's PC -- perhaps while he is at lunch, or with a 
clever phish -- and get that private key, then I can generate server 
certificates for any site in the world and Tom's associates will 
trust those certificates.


Maybe, maybe not.  It will depend if the private key is password 
protected or not.  If there is a password, it won't be a walk up and 
sign without knowing the password.


Not criticizing Tom or his processes here. Just pointing out to 
readers that there are some significant risks in general to the 
approach of "oh, I will just create an ad hoc CA and have my users 
trust it."


I agree that there are risks.

It's a question of which is more risky long term:

1)  training users to click past certificate warnings
2)  the potential for someone to abuse Tom's CA which is constrained to 
the enterprise domain name and has a hardware token (YubiKey)?


It's all about the lesser of the evils.

Trusting a CA is implicitly trusting everything that anyone does with 
its root private key.


That's where a constrained CA / root key comes into play.

Trusting the key to sign *. is very bad.

Trusting the key to sign *.example.com, not so much so.  Especially if 
example.com is a private internal domain not possible to use in the real 
world.


Yes, it is no different in some ways than trusting DigiCert. The 
difference is that DigiCert has very rigorous protocols for protecting 
its root private keys. OpenSSL does not.


It's possible for Tom, et al., to make reasonable approximations of what 
DigiCert, et al., are doing.  If Tom's company wanted to, they could 
purchase a more professional Hardware Security Module (HSM) that can get 
quite close to what more professional entities do if they so choose.


But using something like a YubiKey to hold the root key of an 
enterprise CA constrained to the internal domain is probably reasonably 
safe.  Especially if said YubiKey is used to sign an intermediate 
certificate -- like the big kids do -- and said YubiKey is stored 
disconnected, in a safe, in between uses once a quarter.  Especially if 
the system that does the signing is disconnected from the network.


I think it's well within reason for individuals, and especially 
businesses to fairly safely have an (Enterprise) CA that is constrained 
to their organization.




Grant. . . .



Re: Firefox and HMC self-signed cert

2023-08-29 Thread Grant Taylor

On 8/29/23 12:07 PM, Tom Brennan wrote:

All true I think, except it's openssl on Linux not Windows.


OpenSSL is multi-platform and can run on Windows a myriad of ways, if 
not natively.


Aside:  The Enterprise CA can also be done with things other than OpenSSL.



--
Grant. . . .



Re: Firefox and HMC self-signed cert

2023-08-29 Thread Charles Mills
>(paid for), and I think that means a manual process to update the HMC
>web cert/key every year.  Or is there an easier way?

I don't know. I am more of a certificate theory expert than a z certificate 
practice expert.

It is true that no commercial CA issues certificates good for much more than 
one year. (Their Web sites may talk about their two-year and five-year plans, 
but trust me, the certificates are only good for 13 months.)

It does sound like a PITA.

https://letsencrypt.org/ provides free automated "real CA" certificates. IIRC 
they only support requests made using the "ACME" automation protocol. Will the 
HMC support that?

Charles

On Tue, 29 Aug 2023 10:13:59 -0700, Tom Brennan  
wrote:

>I trust your certificate experience.  But let's get back to the HMC
>issue for a second.  So the only secure way to get rid of the Firefox
>warnings and red messages is to use an externally-signed certificate
>(paid for), and I think that means a manual process to update the HMC
>web cert/key every year.  Or is there an easier way?



Re: Firefox and HMC self-signed cert

2023-08-29 Thread Tom Brennan
I trust your certificate experience.  But let's get back to the HMC 
issue for a second.  So the only secure way to get rid of the Firefox 
warnings and red messages is to use an externally-signed certificate 
(paid for), and I think that means a manual process to update the HMC 
web cert/key every year.  Or is there an easier way?


On 8/29/2023 9:23 AM, Charles Mills wrote:

My sole point is that trusting an ad hoc CA operated on some individual's PC 
carries a significant risk.




Re: Firefox and HMC self-signed cert

2023-08-29 Thread Tom Brennan

All true I think, except it's openssl on Linux not Windows.

On 8/29/2023 8:46 AM, Charles Mills wrote:

Don't want to get into one of the peeing contests that have become all too 
common here.

Let me just say that never mind any enterprise PKI CA constraints, I think Tom 
was talking about OpenSSL on a PC. OpenSSL stores private keys -- private keys 
-- in a pretty accessible format. If I can get into Tom's PC -- perhaps while 
he is at lunch, or with a clever phish -- and get that private key, then I can 
generate server certificates for any site in the world and Tom's associates 
will trust those certificates.

Not criticizing Tom or his processes here. Just pointing out to readers that there are 
some significant risks in general to the approach of "oh, I will just create an ad 
hoc CA and have my users trust it." Trusting a CA is implicitly trusting everything 
that anyone does with its root private key.

Yes, it is no different in some ways than trusting DigiCert. The difference is 
that DigiCert has very rigorous protocols for protecting its root private keys. 
OpenSSL does not.

Charles

On Tue, 29 Aug 2023 09:23:16 -0500, Grant Taylor  
wrote:


On 8/29/23 8:31 AM, Charles Mills wrote:

Just being a security PITA here, but that solution makes the security
of their systems subject to whatever safeguards you do or do not put
on yours.


Remember, Certificate Authorities can be constrained.  E.g. it's
possible to create an Enterprise Certificate Authority that can only
sign things in the enterprise.example.net domain and nothing outside of
it.  Thereby significantly limiting exposure to things outside of the
enterprise.


If I can extract the CA private key from your PC then it is trivial
for me to create a www.chase.com certificate that will be trusted by
their browsers without any question, and mount a man-in-the-middle
attack on their banking.


I question the veracity of that statement.








Re: Firefox and HMC self-signed cert

2023-08-29 Thread Tom Brennan
True!  I don't think I've created self-signed web certs since before 
they started that capping trend.  But there are other non-web certs I 
deal with, such as SKLM to TS7000/DS8000 communication.  I'll still set 
those to a higher number than the expected life of the hardware.


On 8/29/2023 8:24 AM, Grant Taylor wrote:

On 8/29/23 10:07 AM, Tom Brennan wrote:

And you can specify an expiration far in the future.


Remember, some web browsers are capping the limit on the lifetime of 
certificates they will work with.








Re: Firefox and HMC self-signed cert

2023-08-29 Thread Charles Mills
"Private certificate"?

Issued certificates are signed by the CA's root private key. The root 
certificate is just a convenient means of packaging the corresponding public 
key. Certificates don't sign things. Private keys sign things.

If I have a CA's (any CA's: Tom Brennan's or DigiCert's) root private key, I 
can sign certificates and they are no different from any other certificate 
signed by that CA. That private key corresponds to the public key in their CA 
root certificate, and the digital signature will validate with no issue.

Yes, you need the CA's public key to validate the signature, but CA public keys 
are widely (publicly!) available.

True, you should not trust a purported CA certificate sent by e-mail. It could 
be a phony certificate with a public key that corresponded to a bad actor's 
private key.

My sole point is that trusting an ad hoc CA operated on some individual's PC 
carries a significant risk.

Charles

On Tue, 29 Aug 2023 16:57:25 +0100, Colin Paice  wrote:

> I thought that signing a certificate meant the CA encrypted the checksum
>of the certificate.  For me to validate the certificate I need the CA's
>public certificate to be able to decrypt the checksum, and compare it with
>what I calculated.  If I do not have the CA's public certificate I cannot
>do this.  You can take the CA's private certificate and create as many
>certificates as you like - but as I do not have the public certificate,
>they will not validate.
>If you send me the CA's public certificate, I could validate what it
>issued, but I would be worried that a bad actor had intercepted my mail
>and substituted a different CA certificate.  If your CA certificate has
>been certified by the standard CA companies, then I can validate it and
>quite happily use it.
>So no, you cannot create certificates, sign them and make me believe they
>came from a bona fide company - unless I do something stupid.
>Colin
>
>On Tue, 29 Aug 2023 at 16:46, Charles Mills  wrote:
>
>> Don't want to get into one of the peeing contests that have become all too
>> common here.
>>
>> Let me just say that never mind any enterprise PKI CA constraints, I think
>> Tom was talking about OpenSSL on a PC. OpenSSL stores private keys --
>> private keys -- in a pretty accessible format. If I can get into Tom's PC
>> -- perhaps while he is at lunch, or with a clever phish -- and get that
>> private key, then I can generate server certificates for any site in the
>> world and Tom's associates will trust those certificates.
>>
>> Not criticizing Tom or his processes here. Just pointing out to readers
>> that there are some significant risks in general to the approach of "oh, I
>> will just create an ad hoc CA and have my users trust it." Trusting a CA is
>> implicitly trusting everything that anyone does with its root private key.
>>
>> Yes, it is no different in some ways than trusting DigiCert. The
>> difference is that DigiCert has very rigorous protocols for protecting its
>> root private keys. OpenSSL does not.
>>
>> Charles
>>
>> On Tue, 29 Aug 2023 09:23:16 -0500, Grant Taylor <
>> gtay...@tnetconsulting.net> wrote:
>>
>> >On 8/29/23 8:31 AM, Charles Mills wrote:
>> >> Just being a security PITA here, but that solution makes the security
>> >> of their systems subject to whatever safeguards you do or do not put
>> >> on yours.
>> >
>> >Remember, Certificate Authorities can be constrained.  E.g. it's
>> >possible to create an Enterprise Certificate Authority that can only
>> >sign things in the enterprise.example.net domain and nothing outside of
>> >it.  Thereby significantly limiting exposure to things outside of the
>> >enterprise.
>> >
>> >> If I can extract the CA private key from your PC then it is trivial
>> >> for me to create a www.chase.com certificate that will be trusted by
>> >> their browsers without any question, and mount a man-in-the-middle
>> >> attack on their banking.
>> >
>> >I question the veracity of that statement.
>>
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>>
>
>--
>For IBM-MAIN subscribe / signoff / archive access instructions,
>send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN



Re: Firefox and HMC self-signed cert

2023-08-29 Thread Colin Paice
I thought that signing a certificate meant the CA encrypted the checksum
of the certificate.  For me to validate the certificate I need the CA's
public certificate to be able to decrypt the checksum, and compare it with
what I calculated.  If I do not have the CA's public certificate I cannot
do this.  You can take the CA's private certificate and create as many
certificates as you like - but as I do not have the public certificate,
they will not validate.
If you send me the CA's public certificate, I could validate what it
issued, but I would be worried that a bad actor had intercepted my mail
and substituted a different CA certificate.  If your CA certificate has
been certified by the standard CA companies, then I can validate it and
quite happily use it.
So no, you cannot create certificates, sign them and make me believe they
came from a bona fide company - unless I do something stupid.
Colin

On Tue, 29 Aug 2023 at 16:46, Charles Mills  wrote:

> Don't want to get into one of the peeing contests that have become all too
> common here.
>
> Let me just say that never mind any enterprise PKI CA constraints, I think
> Tom was talking about OpenSSL on a PC. OpenSSL stores private keys --
> private keys -- in a pretty accessible format. If I can get into Tom's PC
> -- perhaps while he is at lunch, or with a clever phish -- and get that
> private key, then I can generate server certificates for any site in the
> world and Tom's associates will trust those certificates.
>
> Not criticizing Tom or his processes here. Just pointing out to readers
> that there are some significant risks in general to the approach of "oh, I
> will just create an ad hoc CA and have my users trust it." Trusting a CA is
> implicitly trusting everything that anyone does with its root private key.
>
> Yes, it is no different in some ways than trusting DigiCert. The
> difference is that DigiCert has very rigorous protocols for protecting its
> root private keys. OpenSSL does not.
>
> Charles
>
> On Tue, 29 Aug 2023 09:23:16 -0500, Grant Taylor <
> gtay...@tnetconsulting.net> wrote:
>
> >On 8/29/23 8:31 AM, Charles Mills wrote:
> >> Just being a security PITA here, but that solution makes the security
> >> of their systems subject to whatever safeguards you do or do not put
> >> on yours.
> >
> >Remember, Certificate Authorities can be constrained.  E.g. it's
> >possible to create an Enterprise Certificate Authority that can only
> >sign things in the enterprise.example.net domain and nothing outside of
> >it.  Thereby significantly limiting exposure to things outside of the
> >enterprise.
> >
> >> If I can extract the CA private key from your PC then it is trivial
> >> for me to create a www.chase.com certificate that will be trusted by
> >> their browsers without any question, and mount a man-in-the-middle
> >> attack on their banking.
> >
> >I question the veracity of that statement.
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



Re: Firefox and HMC self-signed cert

2023-08-29 Thread Charles Mills
Don't want to get into one of the peeing contests that have become all too 
common here.

Let me just say that never mind any enterprise PKI CA constraints, I think Tom 
was talking about OpenSSL on a PC. OpenSSL stores private keys -- private keys 
-- in a pretty accessible format. If I can get into Tom's PC -- perhaps while 
he is at lunch, or with a clever phish -- and get that private key, then I can 
generate server certificates for any site in the world and Tom's associates 
will trust those certificates.

Not criticizing Tom or his processes here. Just pointing out to readers that 
there are some significant risks in general to the approach of "oh, I will just 
create an ad hoc CA and have my users trust it." Trusting a CA is implicitly 
trusting everything that anyone does with its root private key.

Yes, it is no different in some ways than trusting DigiCert. The difference is 
that DigiCert has very rigorous protocols for protecting its root private keys. 
OpenSSL does not.

Charles

On Tue, 29 Aug 2023 09:23:16 -0500, Grant Taylor  
wrote:

>On 8/29/23 8:31 AM, Charles Mills wrote:
>> Just being a security PITA here, but that solution makes the security
>> of their systems subject to whatever safeguards you do or do not put
>> on yours.
>
>Remember, Certificate Authorities can be constrained.  E.g. it's
>possible to create an Enterprise Certificate Authority that can only
>sign things in the enterprise.example.net domain and nothing outside of
>it.  Thereby significantly limiting exposure to things outside of the
>enterprise.
>
>> If I can extract the CA private key from your PC then it is trivial
>> for me to create a www.chase.com certificate that will be trusted by
>> their browsers without any question, and mount a man-in-the-middle
>> attack on their banking.
>
>I question the veracity of that statement.



Re: Firefox and HMC self-signed cert

2023-08-29 Thread Grant Taylor

On 8/29/23 10:07 AM, Tom Brennan wrote:

And you can specify an expiration far in the future.


Remember, some web browsers are capping the limit on the lifetime of 
certificates they will work with.




--
Grant. . . .



Re: Firefox and HMC self-signed cert

2023-08-29 Thread Tom Brennan
Remember Charles, this kludge of making my own CA and signing my own web 
cert is in lieu of something probably worse for security, saying yes to 
the red warning messages in Chrome and Firefox.  So in either case we're 
already open to a DNS spoof.  The home-made cert is simply to make it 
easier on the users without spending any money.  And you can specify an 
expiration far in the future.


But just so y'all know, I stopped doing this in 2021 and now spend $96 a 
year at zerossl.com for web certs.  For that I get three 1-year certs, 
and an unlimited number of 90-day certs.  Far cheaper than buying 
individual certs via Godaddy, etc.  Zerossl provides a pretty good set 
of API calls so the updates can be done automatically on the typical web 
server, but yeah, an HMC is not your typical web server so things would 
probably have to be done manually there.


On 8/29/2023 6:31 AM, Charles Mills wrote:

Just being a security PITA here, but that solution makes the security of their 
systems subject to whatever safeguards you do or do not put on yours.

If I can extract the CA private key from your PC then it is trivial for me to 
create a www.chase.com certificate that will be trusted by their browsers 
without any question, and mount a man-in-the-middle attack on their banking.

CM

On Mon, 28 Aug 2023 16:23:55 -0700, Tom Brennan  
wrote:


Does that work?  In the past when I created a self-signed cert (for
Apache on Linux), adding it to the trusted certs didn't work (at least
in Chrome).  I still got the evil warnings.  I ended up creating my own
CA, used that to sign the web cert, and then copied the CA to the
trusted certs in Chrome.  Then I gave out the CA to the folks I work
with who needed to access the web page, and they did the same.  That was
easy and cheap for a small group of known users.








Re: Firefox and HMC self-signed cert

2023-08-29 Thread Grant Taylor

On 8/29/23 8:31 AM, Charles Mills wrote:
Just being a security PITA here, but that solution makes the security 
of their systems subject to whatever safeguards you do or do not put 
on yours.


Remember, Certificate Authorities can be constrained.  E.g. it's 
possible to create an Enterprise Certificate Authority that can only 
sign things in the enterprise.example.net domain and nothing outside of 
it.  Thereby significantly limiting exposure to things outside of the 
enterprise.


If I can extract the CA private key from your PC then it is trivial 
for me to create a www.chase.com certificate that will be trusted by 
their browsers without any question, and mount a man-in-the-middle 
attack on their banking.


I question the veracity of that statement.

I can't tell for sure if you are referring to extracting data (possibly 
the /public/ key) from communications in flight -or- speaking to the 
security of the CA and its ecosystem by breaching the CA for its 
signing key directly.


There is little difference in breaching an Enterprise CA's signing key 
than there is in breaching Verisign's CA signing key.  The effective 
difference is related to security around the key.  The concept is the 
same.  Just how many fences do you have to get through.


Thankfully, this can be largely mitigated by leveraging things like a 
YubiKey and / or a Trusted Platform Module on the CA system wherein the 
YubiKey / TPM / etc. hold the actual signing certificate and the main 
OS connected to them doesn't have access to and can't get access to the 
signing key.


This comes down to risk vs reward.  One system that must be tightly 
secured, possibly operated at physical console, vs many people ignoring 
~> defeating certificate security warnings on the regular.  Which is the 
lesser of the evils / better security posture?


If you are truly worried about the security of an Enterprise CA signing 
key, there are commercial solutions that can go a long way towards this. 
But this is small potatoes compared to training users to defeat 
certificate warnings.




Grant. . . .

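As an added worked example (not code posted by anyone in this thread), here is the constrained Enterprise CA that Grant describes in this message and in his reply to Charles further up ("That's where a constrained CA / root key comes into play"), built with OpenSSL 1.1.1 or 3.x.  It creates a root with a critical Name Constraints extension limited to enterprise.example.net, issues a server certificate for an HMC whose SAN carries both the FQDN and the IP address, and then uses the same CA key to mint a certificate for www.chase.com.  `openssl verify` accepts the first and rejects the second with a permitted-subtree violation, which is exactly the point at issue between Grant and Charles.  The domain, the 10.0.0.5 address, the file names and the scratch directory are assumptions for illustration only.

```shell
#!/bin/sh
# Added example, not code from this thread: a name-constrained enterprise root
# CA built with OpenSSL (1.1.1 or 3.x), plus the checks a relying party makes.
# The domain, the IP address, the file names and the scratch directory are
# assumptions for illustration only.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed; skipping" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certificates

# Root CA whose issued certificates are only valid for enterprise.example.net
# and names below it (RFC 5280 permittedSubtrees, marked critical).
make_constrained_ca() {
  cd "$WORK"
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = Enterprise Root CA (example)
[ca_ext]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints      = critical, permitted;DNS:enterprise.example.net
EOF
  openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout ca.key -out ca.crt -days 3650 -config ca.cnf >/dev/null 2>&1
}

# sign_leaf <label> <subjectAltName list>: issue a server certificate.
# Clients match on the SAN, so every name form the device is reached by
# (FQDN, IP, ...) must be listed there; the CN alone is not consulted.
sign_leaf() {
  label="$1"; sans="$2"
  cd "$WORK"
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$label.key" -out "$label.csr" -subj "/CN=$label" -config ca.cnf >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' \
    "$sans" > "$label.ext"
  openssl x509 -req -in "$label.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile "$label.ext" -out "$label.crt" >/dev/null 2>&1
}

# verify_leaf <label> [openssl verify options]: chain, name constraints and,
# with -verify_hostname / -verify_ip, the identity match.  Returns 0 or 1.
verify_leaf() {
  label="$1"; shift
  extra="$*"
  cd "$WORK"
  if openssl verify -CAfile ca.crt $extra "$label.crt" >/dev/null 2>&1; then
    echo "ok:   $label $extra"; return 0
  fi
  echo "FAIL: $label $extra"; return 1
}

run_demo() {
  make_constrained_ca
  # The HMC: in scope, reachable by FQDN or by IP address.
  sign_leaf hmc1  'DNS:hmc1.enterprise.example.net,IP:10.0.0.5'
  # Charles's scenario: the same CA key used to mint a banking site's name.
  sign_leaf chase 'DNS:www.chase.com'
  # An unqualified short name is not subordinate to the permitted subtree.
  sign_leaf short 'DNS:hmc1'

  verify_leaf hmc1 -verify_hostname hmc1.enterprise.example.net   # ok
  verify_leaf hmc1 -verify_ip 10.0.0.5                            # ok
  verify_leaf chase || true   # FAIL: permitted subtree violation
  verify_leaf short || true   # FAIL: permitted subtree violation
}

[ "${NO_DEMO:-0}" = 1 ] || run_demo
```

Two things the run shows that matter for planning.  First, IP-address SANs pass untouched because the CA carries only a DNS constraint; constraints apply per name form, so add an IP permitted subtree if the CA must not issue for arbitrary addresses either.  Second, an unqualified short name (DNS:hmc1) is rejected by the DNS constraint, so under a constrained CA the workable SAN set for a device is FQDN plus IP address, and the short-name form has to be dropped or resolved through DNS search suffixes instead.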


Re: Firefox and HMC self-signed cert

2023-08-29 Thread Grant Taylor

On 8/28/23 6:23 PM, Tom Brennan wrote:
Does that work?  In the past when I created a self-signed cert (for 
Apache on Linux), adding it to the trusted certs didn't work (at least 
in Chrome).  I still got the evil warnings.


I've been running into this with many self-signed certs at work.

One of the primary problems is the use of a mixture of unqualified host 
names, qualified host names, and IP addresses.  Often, self-signed 
certificates that equipment generate only use one of the forms of 
identification.  They tend to not play well with a mixture of them.


This is where the Subject Alternative Name field comes into play in the 
certificate.


I ended up creating my own CA, used that to sign the web cert, and 
then copied the CA to the trusted certs in Chrome.  Then I gave out 
the CA to the folks I work with who needed to access the web page, 
and they did the same.  That was easy and cheap for a small group of 
known users.



This is the route that I'm doing background research about the 
environment (I've been there a few months and don't know all the 
history) before standing up a CA explicitly for this reason.


I want to do the following things:

1)  Create an Enterprise Certificate Authority.  (More comments about 
this in my forthcoming reply to Charles about trust.)
2)  Create Certificate Signing Requests which use the following forms of 
identification:

 - IP address
 - Fully Qualified Domain Name (full host name)
 - Short host name (no dots)
3)  Sign said CSRs to generate certificates
4)  Install said certificates in equipment.

Why am I planning on going this route?  I have (at least) 33 devices 
currently using self-signed certificates with a single name exclusive or 
IP address that we interact with on a near-weekly basis.  We are 
constantly dealing with should I use the FQDN, UQDN, or IP for this 
particular device type issues.  We have multiple people on our team.  We 
collectively use multiple jump servers.  This culminates in a lot of 
maintenance for each self-signed certificate to be able to consume it. 
Even with that maintenance, the FQDN vs UQDN vs IP tends to cause problems.


Ultimately we end up in what I think is a poor -- at best -- security 
posture that encourages, if not requires, that users push past security 
warnings from web browsers about untrusted certificates.


I think we will end up in a much better security posture if we (I) take 
the time to stand up an Enterprise Certificate Authority and install 
its root (or chained) public certificate on client systems.


This should mean that we have much less maintenance in that we only 
need to install the root public certificate on client systems and they 
will inherently trust what said ECA signs.  No need to install many 
self-signed certificates.  1 vs 33 type thing.


I also think the FQDN vs UQDN vs IP will help things considerably.



--
Grant. . . .



Re: Firefox and HMC self-signed cert

2023-08-29 Thread Charles Mills
Just being a security PITA here, but that solution makes the security of their 
systems subject to whatever safeguards you do or do not put on yours.

If I can extract the CA private key from your PC then it is trivial for me to 
create a www.chase.com certificate that will be trusted by their browsers 
without any question, and mount a man-in-the-middle attack on their banking.

CM

On Mon, 28 Aug 2023 16:23:55 -0700, Tom Brennan  
wrote:

>Does that work?  In the past when I created a self-signed cert (for
>Apache on Linux), adding it to the trusted certs didn't work (at least
>in Chrome).  I still got the evil warnings.  I ended up creating my own
>CA, used that to sign the web cert, and then copied the CA to the
>trusted certs in Chrome.  Then I gave out the CA to the folks I work
>with who needed to access the web page, and they did the same.  That was
>easy and cheap for a small group of known users.



Re: Firefox and HMC self-signed cert

2023-08-28 Thread Tom Brennan
Does that work?  In the past when I created a self-signed cert (for 
Apache on Linux), adding it to the trusted certs didn't work (at least 
in Chrome).  I still got the evil warnings.  I ended up creating my own 
CA, used that to sign the web cert, and then copied the CA to the 
trusted certs in Chrome.  Then I gave out the CA to the folks I work 
with who needed to access the web page, and they did the same.  That was 
easy and cheap for a small group of known users.


On 8/28/2023 3:38 PM, Peter Vels wrote:

It's not about the port.  You need to add the self-signed certificate to
Firefox’s list of trusted certificates.


On Tue, 29 Aug 2023 at 05:50, Radoslaw Skorupka <
0471ebeac275-dmarc-requ...@listserv.ua.edu> wrote:


Disclaimer: I know it is a much better idea to use a "regular" certificate
signed by a CA instead of a self-signed one. However I have to work on some
HMCs which use a self-signed certificate.
So far, so good.
When I connect first time I get warning message on my Firefox browser. I
accept the risk and further connections do not raise an alarm.
However some new windows use HMC address and different port, like 99xx.
Every time a new port is used the warning is issued again and again.

Question: is there any method to customize Firefox to accept the same
certificate coming from same HMC address on *any port*?


--
Radoslaw Skorupka
Lodz, Poland










Re: Firefox and HMC self-signed cert

2023-08-28 Thread Peter Vels
It's not about the port.  You need to add the self-signed certificate to
Firefox’s list of trusted certificates.


On Tue, 29 Aug 2023 at 05:50, Radoslaw Skorupka <
0471ebeac275-dmarc-requ...@listserv.ua.edu> wrote:

> Disclaimer: I know it is a much better idea to use a "regular" certificate
> signed by a CA instead of a self-signed one. However I have to work on some
> HMCs which use a self-signed certificate.
> So far, so good.
> When I connect first time I get warning message on my Firefox browser. I
> accept the risk and further connections do not raise an alarm.
> However some new windows use HMC address and different port, like 99xx.
> Every time a new port is used the warning is issued again and again.
>
> Question: is there any method to customize Firefox to accept the same
> certificate coming from same HMC address on *any port*?
>
>
> --
> Radoslaw Skorupka
> Lodz, Poland
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
