4 replies Latest Post - 2014-05-09T13:11:09Z by LarryU
DenisYip
14 Posts

Pinned topic SSL Connection in RDz Host Emulator

2013-06-28T03:59:52Z |

Hello, we are using RDz client v8.5.1.2 and need to configure the SSL connection in Host Emulator.

The SSL connection works fine when using PCOMM. Host Emulator also works fine when using a non-SSL connection.

We follow the below instruction to extract the arm file from PCOMM, then generate the .p12 in ikeyman, then import to RDz host Emulator.

http://pic.dhe.ibm.com/infocenter/ratdevz/v8r5/index.jsp?topic=%2Fcom.ibm.etools.host.integration.doc%2Ftopics%2Fikeyman.html

The problem now is that sometimes it can connect, but sometimes it fails. I cannot identify the pattern (when it will succeed, when it will fail) and am not able to tell where the problem could be.

Does anyone have similar experience and know where the troubleshooting area should be?


  • JamesCarmichael
    7 Posts

    Re: SSL Connection in RDz Host Emulator

    2013-07-15T14:57:45Z  in response to DenisYip

    Hi Denis,

    From a client perspective, try the following to get more detailed information about the failure:

    1) From a command prompt, go to the RDz installation directory.

    2) Start RDz using the following command:  "eclipsec -debug -verbose"

    3) In your console window, you should see detailed messages when you try to connect using the Host Connect Emulator.  The messages will look something like this:

    "HODSSLContext():Error with WellKnownTrustedCAs. Could not create a SSLPKCS12Token.com.ibm.hod5sslight.SSLRuntimeException: reason=2
    (Wrong format)
    load error for path Y:\RDz\zserveros.p12, com.ibm.hod5sslight.SSLRuntimeException: reason=3 (Wrong signature)
    ECLErr@com.ibm.eNetwork.security.ssl.HODSSLTokenImpl:getToken():2:sev=3:ECL0032: Server  requested a client certificate.

    Those error messages will assist in identifying the problem.


    James

    Updated on 2013-07-15T15:03:18Z at 2013-07-15T15:03:18Z by JamesCarmichael
    • DenisYip
      14 Posts

      Re: SSL Connection in RDz Host Emulator

      2013-07-17T06:33:00Z  in response to JamesCarmichael

      Hello, thanks for the advice!

      I tried to start my RDz with eclipsec -debug -verbose; a command window is prompted up and the environment variables are displayed. But after that I am not able to see any more debug messages once I have entered the RDz IDE. I use Windows 7 32-bit; what has been missing?

      • JamesCarmichael
        7 Posts

        Re: SSL Connection in RDz Host Emulator

        2013-07-17T12:48:55Z  in response to DenisYip

        Hi Denis,

        When you tried to start your SSL connection in the RDz Host Emulator, was it successful or did it fail?  If it failed, you should see the error message in the console.


        James

  • LarryU
    7 Posts

    Re: SSL Connection in RDz Host Emulator

    2014-05-09T13:11:09Z  in response to DenisYip

    I am having the same problem trying to use SSL in Host Connection Emulator.  To get the debug messages, I also had to change:

    -vm
    jdk/jre/bin/javaw.exe  ===>  jdk/jre/bin/java.exe

    My debug window keeps telling me Unknown Source errors because mscapi.dll cannot be found on Windows 7.  Anybody know how to install mscapi.dll on Windows 7?

    I have another product (Rocket BlueZone TN3270) which uses the mscapi interface just fine, so I am not sure why RDz cannot also use it.

    I managed to get around that error by unchecking the "Use MS-CAPI" option, but now I'm getting an error on server authentication.  I need to define my host CA root certs to RDz, but the RDz "CA Certificate File" seems to only allow .PFX or .P12 format, whereas normally a CACERTS type file is done in .PEM/CER format.

    But I managed to get the SSL Emulation working by creating a host server certificate file in pkcs12 format (.p12) and using that file for server authentication.  But I think there would be less configuration for users if the Windows mscapi interface would be workable.   Giving users access to your host server .p12 certificate which would include the private key and passphrase would be considered a security vulnerability.  So I suppose a new .pfx file needs to be created from the server pkcs12 cert like so:

    openssl pkcs12 -export -out mvs.newcert.pfx -inkey mvs.oldcert.key -in mvs.oldcert.pem -nokeys -passin pass:oldpwd -passout pass:newpwd 

    This new .pfx file will not have the server private key and will have a different passphrase than the server private passphrase, so it should not be a security issue.

    Updated on 2014-05-13T12:54:07Z at 2014-05-13T12:54:07Z by LarryU
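As an added example (not part of LarryU's post, RDz, or IBM documentation), the script below builds the trust-only .pfx he describes from a constructed self-signed test certificate and then checks the file for private keys before it is handed to users; it assumes openssl is on PATH, and the file names and passphrases are constructed for the test.

```shell
#!/bin/sh
# Added example: create a certificate-only PKCS#12 for the emulator's
# "CA Certificate File" field and verify no private key travels with it.
# Assumes openssl on PATH; names, subject and passphrases are constructed.
set -eu

WORK=$(mktemp -d)
SERVER_PASS="oldpwd"   # passphrase guarding the server's own key (constructed)
TRUST_PASS="newpwd"    # separate passphrase for the trust-only file (constructed)

# Stand-in for the host server certificate and key (self-signed, test only).
make_test_server_cert() {
  openssl req -x509 -newkey rsa:2048 -days 1 -subj "/CN=mvs.example.test" \
    -keyout "$WORK/mvs.oldcert.key" -out "$WORK/mvs.oldcert.pem" \
    -passout "pass:$SERVER_PASS" 2>/dev/null
}

# Export only the certificate into PKCS#12; -nokeys leaves the private key out,
# and -passout gives the file its own passphrase, distinct from the server's.
make_trust_pfx() {
  openssl pkcs12 -export -nokeys -in "$WORK/mvs.oldcert.pem" \
    -out "$WORK/mvs.newcert.pfx" -passout "pass:$TRUST_PASS" 2>/dev/null
}

# Number of private-key blocks the .pfx yields when dumped; 0 means it is
# safe to distribute (grep -c prints 0 but exits non-zero, hence || true).
pfx_private_key_count() {
  openssl pkcs12 -in "$WORK/mvs.newcert.pfx" -passin "pass:$TRUST_PASS" \
    -nocerts -nodes 2>/dev/null | grep -c "PRIVATE KEY" || true
}

# Number of certificate blocks; must be at least 1 or there is nothing to trust.
pfx_cert_count() {
  openssl pkcs12 -in "$WORK/mvs.newcert.pfx" -passin "pass:$TRUST_PASS" \
    -nokeys 2>/dev/null | grep -c "BEGIN CERTIFICATE" || true
}

make_test_server_cert
make_trust_pfx
echo "private keys in trust file: $(pfx_private_key_count)"
echo "certificates in trust file: $(pfx_cert_count)"
```

Run the same two checks against the real mvs.newcert.pfx before publishing it; a private-key count other than 0 means the export was done without -nokeys.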