Pinned topic: RDz Client authentication with certificate
6 replies. Latest post 2014-03-31T13:46:55Z by LarryU.

LarryU (12 Posts)

2014-02-20T21:30:01Z

Have RDz 9.0.1.2 client connection running in SSL SECURE mode, after applying z/OS PTF UI14892. Attempting to get a connection using a client certificate but only get a popup window titled "Set up your Certificate" with OK and Cancel options. Selecting OK gives the same popup window. I am using "Client Certificate" options IBMJSSEProvider2, PKCS12, and 1.3.18.0.2.18.1 and "Explorer Certificate management" with a Java jks trust store containing the host certificate and a pkcs12 keystore containing the client certificate and key, and I have also added those certificate aliases to the "Remote Systems SSL" menu option. Am I missing something?

Any hints on getting some sort of client debug trace? I tried turning Java debug on using the eclipse.ini file and also using -debug 2>&1 on the shortcut, but can't seem to locate any debugging file(s) being created. A small window pops up with my eclipse.ini Java options listed. I am using the default Java which gets loaded into \Program Files\IBM\SDP\jdk\jre. A Wireshark trace shows nothing being sent in to z/OS.

I am seeing this in a .metadata/.plugins/org.eclipse.ui.workbench/.log file:

!ENTRY com.ibm.etools.zunit.ui 1 0 2014-02-21 08:37:56.764
!MESSAGE com.ibm.etools.zunit.ui.ZUnitMVSFileMappings.updateMVSFileSubsystems(): No hosts found in RSE registry.

Updated on 2014-02-21T14:47:47Z by LarryU
  • JamesCarmichael (7 Posts)

    Re: RDz Client authentication with certificate

    2014-02-25T16:38:55Z

    RDz does not use the "Explorer Certificate management" to locate the pkcs12 keystore containing the client certificate and key. If the client certificate is located in a pkcs12 file on a file system that is accessible from RDz, then you can update the eclipse.ini file located in your offering installation directory to achieve the results that you desire. Add the following entries in the eclipse.ini file and restart the workbench.

    The following is an example. You will need to change the location and password to be specific to your installation.

    -DrdzKeyStoreLocation=C:\keystorelocation
    -DrdzKeyStorePassword=keystorepassword

  • LarryU (12 Posts)

    Re: RDz Client authentication with certificate

    2014-02-25T16:59:29Z

    Quoting JamesCarmichael, 2014-02-25T16:38:55Z:

    RDz does not use the "Explorer Certificate management" to locate the pkcs12 keystore containing the client certificate and key. If the client certificate is located in a pkcs12 file on a file system that is accessible from RDz, then you can update the eclipse.ini file located in your offering installation directory to achieve the results that you desire. Add the following entries in the eclipse.ini file and restart the workbench.

    The following is an example. You will need to change the location and password to be specific to your installation.

    -DrdzKeyStoreLocation=C:\keystorelocation
    -DrdzKeyStorePassword=keystorepassword

    OK, thanks. But those would not be standard Java parameters. Are you sure they aren't:

    -Djavax.net.ssl.keyStore
    -Djavax.net.ssl.keyStoreType
    -Djavax.net.ssl.keyStorePassword
    -Djavax.net.ssl.trustStore
    -Djavax.net.ssl.trustStoreType
    -Djavax.net.ssl.trustStorePassword

  • JamesCarmichael (7 Posts)

    Re: RDz Client authentication with certificate

    2014-02-25T17:02:27Z

    Quoting LarryU, 2014-02-25T16:59:29Z:

    OK, thanks. But those would not be standard Java parameters. Are you sure they aren't:

    -Djavax.net.ssl.keyStore
    -Djavax.net.ssl.keyStoreType
    -Djavax.net.ssl.keyStorePassword
    -Djavax.net.ssl.trustStore
    -Djavax.net.ssl.trustStoreType
    -Djavax.net.ssl.trustStorePassword

    Yes, I recognize that they are not the standard Java parameters. They are specific to the RDz client.

  • LarryU (12 Posts)

    Re: RDz Client authentication with certificate

    2014-02-27T14:56:33Z

    OK, I am past the popup window error. With a couple more RACF changes, it might be good. Even though the RDz manual states "There are multiple ways to do certificate authentication for a user...", it appears the only way to get the RDz client certificate working is using the HostIDMappings extension.

    And that method doesn't appear to be documented anywhere. After a little trial and error this openssl config seems to do it:

    [ v3_req ]
    basicConstraints                = CA:false
    keyUsage                        = digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage                = serverAuth, clientAuth
    1.3.18.0.2.18.1                 = ASN1:SEQUENCE:user_sect
    #
    #
    [user_sect]
    HostIDMapping.1                 = UTF8:USERID1@host1.domain
    HostIDMapping.2                 = UTF8:USERID2@host2.domain
    HostIDMapping.3                 = UTF8:USERID3@host3.domain
    HostIDMapping.4                 = UTF8:USERID4@host4.domain

    Updated on 2014-02-27T18:08:20Z by LarryU
  • LarryU (12 Posts)

    Re: RDz Client authentication with certificate

    2014-02-28T13:31:01Z

    James: The SSL handshake is now taking place. But the gsktrace shows the server is not requesting a client certificate to be sent. Normally a parameter is set somewhere on the server config to specify that a client certificate will be used. Do you know what parameter RDz would need? I have the enable.certificate.mapping=false parameter set. Maybe something like _RSE_JAVAOPTS="$_RSE_JAVAOPTS -Dcom.ibm.ssl.clientAuthentication=true" ?

  • LarryU (12 Posts)

    Re: RDz Client authentication with certificate

    2014-03-31T13:46:55Z

    James: Thanks for joining our conference call. The changes given by IBM to make the RDz client certificate work were to set JCE Provider to IBMJCE and blank out the hostIdMappings OID parameter. I am using the PKCS12 keystore type. I also had an error in the openssl config I previously posted. A correct sample openssl config segment is listed below. This sample includes 2 hostIdMappings, but I have tested with up to 6.

    1.3.18.0.2.18.1                 = ASN1:SET:user_set
    #
    [ user_set ]
    HostIdMappings1.1               = SEQUENCE:HostIdMapping1
    HostIdMappings1.2               = SEQUENCE:HostIdMapping2
    [ HostIdMapping1 ]
    hostName1                       = IMPLICIT:1,IA5STRING:ZOS2RDZ.DOMAIN.NET
    subjectId1                      = IMPLICIT:2,IA5STRING:USERID1
    [ HostIdMapping2 ]
    hostName2                       = IMPLICIT:1,IA5STRING:ZOS2XYZ.DOMAIN.NET
    subjectId2                      = IMPLICIT:2,IA5STRING:USERID2

    There seems to be one minor bug in the RDz processing of the certificate hostIdMappings.  RDz seems to only use the 1st mapping in the set.
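The following Python is an added example, not code from this thread, from IBM or from RDz. It encodes a HostIdMappings extension value in exactly the shape the corrected openssl config above produces (a SET OF SEQUENCE, each with hostName as [1] IMPLICIT IA5String and subjectId as [2] IMPLICIT IA5String) and decodes one back, so the contents of a generated certificate can be listed independently of RDz, for instance when checking whether every mapping is really present while chasing the first-mapping-only behaviour reported above. It assumes the extension value has already been cut out of the certificate as DER (for example with `openssl asn1parse -strparse <offset> -out ext.der`), skips any optional trailing field inside a mapping, and uses the hostnames and user IDs from the post as constructed sample data.

```python
"""Encode/decode the HostIdMappings certificate extension (OID 1.3.18.0.2.18.1).

Added example, not IBM or RDz code. Structure as produced by the openssl
config in this thread:
    HostIdMappings ::= SET OF HostIdMapping
    HostIdMapping  ::= SEQUENCE { hostName  [1] IMPLICIT IA5String,
                                  subjectId [2] IMPLICIT IA5String }
Standard library only, so a DER value extracted from a certificate can be
checked offline.
"""

HOST_ID_MAPPINGS_OID = "1.3.18.0.2.18.1"

TAG_SET = 0x31          # universal constructed SET
TAG_SEQUENCE = 0x30     # universal constructed SEQUENCE
TAG_HOST_NAME = 0x81    # context-specific [1] IMPLICIT, primitive
TAG_SUBJECT_ID = 0x82   # context-specific [2] IMPLICIT, primitive


def _der_length(n: int) -> bytes:
    if n < 0x80:                      # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body   # long form, definite length


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(value)) + value


def encode_host_id_mappings(mappings) -> bytes:
    """DER-encode [(hostName, subjectId), ...]. IA5String is 7-bit ASCII only."""
    elements = []
    for host, user in mappings:
        seq = _tlv(TAG_HOST_NAME, host.encode("ascii")) + _tlv(TAG_SUBJECT_ID, user.encode("ascii"))
        elements.append(_tlv(TAG_SEQUENCE, seq))
    # DER orders the components of a SET OF by their encodings, hence the sort.
    return _tlv(TAG_SET, b"".join(sorted(elements)))


def _read_tlv(buf: bytes, pos: int):
    """Read one TLV starting at buf[pos]; return (tag, value, next position)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length is not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV value")
    return tag, value, pos + length


def decode_host_id_mappings(der: bytes):
    """Parse a HostIdMappings value into [(hostName, subjectId), ...].

    Raises ValueError for the wrong shape, such as the SEQUENCE of UTF8String
    "USERID@host" values that the first config in this thread generated.
    Any optional trailing field inside a mapping is skipped.
    """
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SET or end != len(der):
        raise ValueError("expected exactly one SET OF HostIdMapping")
    mappings, pos = [], 0
    while pos < len(body):
        tag, seq, pos = _read_tlv(body, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("each HostIdMapping must be a SEQUENCE")
        t1, host, p = _read_tlv(seq, 0)
        t2, user, _ = _read_tlv(seq, p)
        if (t1, t2) != (TAG_HOST_NAME, TAG_SUBJECT_ID):
            raise ValueError("hostName must be [1] IMPLICIT and subjectId [2] IMPLICIT")
        mappings.append((host.decode("ascii"), user.decode("ascii")))
    return mappings


def is_valid_host_id_mappings(der: bytes) -> bool:
    try:
        decode_host_id_mappings(der)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def lookup_subject_id(der: bytes, host_name: str):
    """User ID mapped to host_name, or None. DNS names are case-insensitive."""
    for host, user in decode_host_id_mappings(der):
        if host.lower() == host_name.lower():
            return user
    return None


# Constructed sample: the two mappings from the corrected config in the thread.
SAMPLE_MAPPINGS = [("ZOS2RDZ.DOMAIN.NET", "USERID1"), ("ZOS2XYZ.DOMAIN.NET", "USERID2")]
# Constructed: the shape the earlier, incorrect config produced
# (SEQUENCE { UTF8String "USERID1@host1.domain" }), which is not a HostIdMappings value.
WRONG_SHAPE_EXAMPLE = b"\x30\x16\x0c\x14USERID1@host1.domain"

if __name__ == "__main__":
    der = encode_host_id_mappings(SAMPLE_MAPPINGS)
    print(len(der), der.hex())                        # 64 bytes, starts with 31 3e
    print(decode_host_id_mappings(der))
    print(lookup_subject_id(der, "zos2xyz.domain.net"), is_valid_host_id_mappings(WRONG_SHAPE_EXAMPLE))
```

Feeding the decoder the extension value from a certificate built with the first config fails with a shape error, while one built with the corrected config lists every mapping, which separates "the certificate only carries one mapping" from "the client only reads the first one".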