On 9/2/23 11:41 AM, Peter Sylvester wrote:
Hi,
Hi,
I do not really know what I am trying to explain, but anyway.
I've found that sharing what I understand something to be beneficial for
multiple reasons:
1) articulating it often helps clarify what I'm trying to articulate
2) it gives
On 02.09.2023 at 18:41, Peter Sylvester wrote:
Hi,
I do not really know what I am trying to explain, but anyway.
IBM has made a kind of minimal security approach to access an HMC using
https, i.e. a self signed cert.
IBM also documents how one can change this, i.e. generate a key pair,
a
Hi,
I do not really know what I am trying to explain, but anyway.
IBM has made a kind of minimal security approach to access an HMC using https,
i.e. a self signed cert.
IBM also documents how one can change this, i.e. generate a key pair, a csr, get certified by "some"
CA, then upload the
Unfortunately SE "single object operations" is not the only case when
port 99xx is being used.
I can't check it now, but I'm pretty sure there are more features using
new window and new port.
Sometimes the port is reused, so every new warning reduces the
possibility of next one.
--
Radoslaw
In my limited experience I logon to the HMC port 443 as usual, but then
a switch to single-object-operations redirects me to the same URL but
with :995x appended. Can I assume this switch happens when you go to
SOO or perhaps do something else requiring the SE?
Wild guessing: If the OS on
On 29.08.2023 at 21:34, Grant Taylor wrote:
On 8/29/23 12:13 PM, Tom Brennan wrote:
I trust your certificate experience. But let's get back to the HMC
issue for a second. So the only secure way to get rid of the Firefox
warnings and red messages is to use an externally-signed certificate
Unfortunately no. It *is* a matter of ports.
I add the self-signed certificate whenever I connect the first time
(meaning well known appliances).
And further connects work without warning.
And of course the certificate is on the list of server certificates.
However there are many entries for the same IP
On 8/30/23 12:42 AM, Tom Brennan wrote:
I've been told by IBMers not to talk about such things, so I need to
drop out now.
Chuckle.
Fair enough.
I'm just talking about a special purpose Linux box from a vendor to run
a vendor application. ;-)
I hoist my coffee to you.
Have a good day.
On 8/29/23 9:49 PM, Tom Brennan wrote:
Just to be clear, I'm not talking about doing anything to the HMC that
isn't sanctioned by IBM.
I assumed as much.
And pardon me if you already know this, but HMCs are really locked
down.
Well ... IBM took a reasonable pass at making the older HMCs
I've been told by IBMers not to talk about such things, so I need to
drop out now.
On 8/29/2023 10:05 PM, Grant Taylor wrote:
On 8/29/23 9:49 PM, Tom Brennan wrote:
Just to be clear, I'm not talking about doing anything to the HMC that
isn't sanctioned by IBM.
I assumed as much.
And
Just to be clear, I'm not talking about doing anything to the HMC that
isn't sanctioned by IBM. And pardon me if you already know this, but
HMCs are really locked down. For example, no command line access even
when standing at the machine.
On 8/29/2023 6:30 PM, Grant Taylor wrote:
On
On 8/29/23 6:39 PM, Tom Brennan wrote:
It's those last couple of steps that I assume would need to be done
manually on an HMC via GUI.
I have no idea if IBM offers a supported solution or not.
I would wager that there are some unsupported solutions that IBM would
wag a finger at you for
I looked at letsencrypt and zerossl and decided on zero because I liked
the support, the 1 year certs, and their API. The API supports ACME but
hey, I call myself a programmer so I rolled my own. I use their email
authentication through an automated method I created, but they do have
DNS
On 8/29/23 3:38 PM, Charles Mills wrote:
Not true for a CA root.
Thought experiment: if DigiCert were to misplace their root private
key, would you now be unable to log into amazon.com? (There would be
very disruptive long-term implications, but things would continue to
work in the medium
> The certificate is only good if you have the associated key.
> If you don't have the key, the certificate isn't worth the disk space
> that it takes up.
Not true for a CA root.
Thought experiment: if DigiCert were to misplace their root private key, would
you now be unable to log into
On 8/29/23 2:32 PM, Tom Brennan wrote:
Sorry - not clear. What I meant was that in this case I ran openssl on
Linux, not on Windows as Charles thought.
Fair enough.
What if I deleted the CA key file after creating the one web cert I
needed? That would probably solve the security issue
On 8/29/23 12:58 PM, Charles Mills wrote:
https://letsencrypt.org/ provides free automated "real CA"
certificates. IIRC they only support requests made using the "ACME"
automation protocol. Will the HMC support that?
Let's Encrypt supports multiple authentication methods. One of which is
On 8/29/23 12:13 PM, Tom Brennan wrote:
I trust your certificate experience. But let's get back to the HMC
issue for a second. So the only secure way to get rid of the Firefox
warnings and red messages is to use an externally-signed certificate
(paid for), and I think that means a manual
Sorry - not clear. What I meant was that in this case I ran openssl on
Linux, not on Windows as Charles thought.
What if I deleted the CA key file after creating the one web cert I
needed? That would probably solve the security issue Charles mentioned,
but then I would need a long-term web
On 8/29/23 10:46 AM, Charles Mills wrote:
Don't want to get into one of the peeing contests that have become
all too common here.
Neither do I.
I do want to have a polite and professional discussion about what things
are capable of.
Hopefully I'll learn things from you -- I usually do.
On 8/29/23 12:07 PM, Tom Brennan wrote:
All true I think, except it's openssl on Linux not Windows.
OpenSSL is multi-platform and can run on Windows a myriad of ways, if
not natively.
Aside: The Enterprise CA can also be done with things other than OpenSSL.
--
Grant. . . .
>(paid for), and I think that means a manual process to update the HMC
>web cert/key every year. Or is there an easier way?
I don't know. I am more of a certificate theory expert than a z certificate
practice expert.
It is true that no commercial CA issues certificates good for much more than
I trust your certificate experience. But let's get back to the HMC
issue for a second. So the only secure way to get rid of the Firefox
warnings and red messages is to use an externally-signed certificate
(paid for), and I think that means a manual process to update the HMC
web cert/key
All true I think, except it's openssl on Linux not Windows.
On 8/29/2023 8:46 AM, Charles Mills wrote:
Don't want to get into one of the peeing contests that have become all too
common here.
Let me just say that never mind any enterprise PKI CA constraints, I think Tom
was talking about
True! I don't think I've created self-signed web certs since before
they started that capping trend. But there are other non-web certs I
deal with, such as SKLM to TS7000/DS8000 communication. I'll still set
those to a higher number than the expected life of the hardware.
On 8/29/2023 8:24
"Private certificate"?
Issued certificates are signed by the CA's root private key. The root
certificate is just a convenient means of packaging the corresponding public
key. Certificates don't sign things. Private keys sign things.
If I have a CA's (any CA's: Tom Brennan's or DigiCert's) root
I thought that signing a certificate meant the CA encrypted the checksum
of the certificate. For me to validate the certificate I need the CA's
public certificate to be able to decrypt the check sum, and compare it with
what I calculated. If I do not have the CA's public certificate I cannot
do
Don't want to get into one of the peeing contests that have become all too
common here.
Let me just say that never mind any enterprise PKI CA constraints, I think Tom
was talking about OpenSSL on a PC. OpenSSL stores private keys -- private keys
-- in a pretty accessible format. If I can get
On 8/29/23 10:07 AM, Tom Brennan wrote:
And you can specify an expiration far in the future.
Remember, some web browsers are capping the limit on the lifetime of
certificates they will work with.
--
Grant. . . .
--
For
Remember Charles, this kludge of making my own CA and signing my own web
cert is in lieu of something probably worse for security, saying yes to
the red warning messages in Chrome and Firefox. So in either case we're
already open to a DNS spoof. The home-made cert is simply to make it
easier
On 8/29/23 8:31 AM, Charles Mills wrote:
Just being a security PITA here, but that solution makes the security
of their systems subject to whatever safeguards you do or do not put
on yours.
Remember, Certificate Authorities can be constrained. E.g. it's
possible to create an Enterprise
On 8/28/23 6:23 PM, Tom Brennan wrote:
Does that work? In the past when I created a self-signed cert (for
Apache on Linux), adding it to the trusted certs didn't work (at least
in Chrome). I still got the evil warnings.
I've been running into this with many self-signed certs at work.
One
Just being a security PITA here, but that solution makes the security of their
systems subject to whatever safeguards you do or do not put on yours.
If I can extract the CA private key from your PC then it is trivial for me to
create a www.chase.com certificate that will be trusted by their
Does that work? In the past when I created a self-signed cert (for
Apache on Linux), adding it to the trusted certs didn't work (at least
in Chrome). I still got the evil warnings. I ended up creating my own
CA, used that to sign the web cert, and then copied the CA to the
trusted certs in
It's not about the port. You need to add the self-signed certificate to
Firefox’s list of trusted certificates.
On Tue, 29 Aug 2023 at 05:50, Radoslaw Skorupka <
0471ebeac275-dmarc-requ...@listserv.ua.edu> wrote:
> Disclaimer: I know it is much better idea to use "regular" certificate
>