11 replies Latest Post - 2013-01-31T14:23:10Z by SystemAdmin
ThomasEsseling

Pinned topic Client Cert Problem

2012-09-25T07:13:43Z
Hi,
we want to use Client Certificates to logon to the RDz z/OS daemon.
Our certs are stored on a smartcard and the smartcard folks provided us with the following parameters for the "Client Certificates" section:
Java Cryptography Extension (JCE) Provider IBMPKCS11Impl-xxxPKI
Keystore Type PKCS11IMPLKS
hostIdMappings Object Identifier (OID) 1.3.18.0.2.18.1
When we try to logon everything we get is a popup that says:
"set up your certificate"

It seems that there is no connection attempt, so I think that this is a client issue.

What are we missing?
Is there any way to trace what's going on in the RDz client?

We are using RDz 8.5.

Regards,
Thomas
Updated on 2013-01-31T14:23:10Z at 2013-01-31T14:23:10Z by SystemAdmin
  • JamesCarmichael

    Re: Client Cert Problem

    2012-09-25T17:37:22Z  in response to ThomasEsseling
    Hi Thomas,
    You will need to obtain the driver for the IBMPKCS11Impl-xxxPKI jce provider and update the RDz java security configuration to recognize that driver.

    Since I don't know the name of your specific driver, I have provided some generic instructions that may assist you in the configuration of your environment. Also, check with your smart card folks to see if they have documented how to configure your java environment on the client system to interact with the smartcard. Remember to restart RDz once you make the changes:

    ********************
    1) Copy the driver to the corresponding location in the IBM JDK folders that is shipped with RDz.

    The .jar file needs to go to the <RDz85InstalledImage>\jdk\jre\lib\ext directory where <RDz85InstalledImage> is the location where RDz 8.5 is installed
    The .dll file needs to go to the <RDz85InstalledImage>\jdk\jre\bin directory

    2) You also need to edit the file java.security in the <RDz85InstalledImage>\jdk\jre\lib\security directory. The section to modify looks like this

    #
    # List of providers and their preference orders (see above):
    #
    security.provider.1=com.ibm.jsse.IBMJSSEProvider
    security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.3=com.ibm.crypto.provider.IBMJCE
    security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.5=com.ibm.security.cert.IBMCertPath
    security.provider.6=com.ibm.security.sasl.IBMSASL
    security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider
    security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
    security.provider.9=org.apache.harmony.security.provider.PolicyProvider
    security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    security.provider.11=sun.security.mscapi.SunMSCAPI
    security.provider.12=ch.keyon.security.provider.capi.CAPI
    ********************

    Thanks......James
  • ThomasEsseling

    Re: Client Cert Problem

    2012-09-26T05:11:16Z  in response to ThomasEsseling
    Hi James,
    thank you for your help.
    We configured all that stuff as the PKI folks said, at least I think so... :

    java.security:
    security.provider.9=sun.security.provider.Sun
    security.provider.10=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl C:\\Users\\exessel\\IBM\\SDP\\jdk\\jre\\lib\\security\\xxpki.cfg
    xxpki.cfg:
    name = xxPKI
    library = C:\Windows\System32\itp11.dll

    The PKI Card code gets called, we get a popup from the PKI software asking for the Card-PIN and get the RDz popup "set up your card" afterwards.

    I also tried to trace the security API by adding "-Djava.security.auth.debug=all" to my eclipse.ini, but I found no output in either .log or .trace.

    Maybe I will try to copy the dlls to the java bin dir instead of linking them by the property files.

    Regards,
    Thomas
    • ThomasEsseling

      Re: Client Cert Problem

      2012-09-26T05:24:54Z  in response to ThomasEsseling
      One more question,
      there are three Client Certs on the Card, how and when do we select which cert to use?
      Regards,
      Thomas
      • JamesCarmichael

        Re: Client Cert Problem

        2012-09-26T15:44:56Z  in response to ThomasEsseling
        Hi Thomas, the choice of which certificate to select is based on the host system that you will be connecting to. If you are unsure about which certificate to use, check with your system administrator.

        James
    • JamesCarmichael

      Re: Client Cert Problem

      2012-09-26T15:43:50Z  in response to ThomasEsseling
      Hey Thomas,
      There is a mismatch in the name of the cfg file (*xxpki*.cfg) and the JCE provider name specified in the Client Certificates preferences (Java Cryptography Extension (JCE) Provider IBMPKCS11Impl-*xxxPKI*). Try removing the extra "x" from the JCE provider in the Client Certificates preferences and restarting RDz to see if this makes a difference.

      Thanks......James
      • ThomasEsseling

        Re: Client Cert Problem

        2012-09-27T09:39:02Z  in response to JamesCarmichael
        Hello James,
        sorry for that, I replaced xxx/xx for the customer name, in our real configuration both names match.

        As I said, the DLL gets called and we get a popup from the card software asking for the card PIN, but then the only thing we see is this RDz popup "Setup your certificate".

        What does this popup mean? Does it mean that RDz does not find a certificate, or does it mean that our cert gets rejected by the z/OS server?

        Is there any way to trace this situation?

        Regards,
        Thomas
        • EricHambright

          Re: Client Cert Problem

          2012-09-27T14:20:21Z  in response to ThomasEsseling
          You have probably done this already but just to make sure. Click on Windows -> Preferences -> Client Certificates and make sure you have the Preferences for Client Certificate information entered here.
          • ThomasEsseling

            Re: Client Cert Problem

            2012-09-27T15:09:59Z  in response to EricHambright
            Hi Eric,
            as good as we could:

            "Client Certificates" section:
            Java Cryptography Extension (JCE) Provider IBMPKCS11Impl-xxxPKI
            Keystore Type PKCS11IMPLKS
            hostIdMappings Object Identifier (OID) 1.3.18.0.2.18.1

            Regards,
            Thomas
            • EricHambright

              Re: Client Cert Problem

              2012-10-23T18:34:50Z  in response to ThomasEsseling
              Sorry for the late response, but have you tried copying the DLLs from the card provider to the IBM\SDP\jdk\jre\bin directory and the .jar to the \IBM\SDP\jdk\jre\lib\ext directory?
              • ThomasEsseling

                Re: Client Cert Problem

                2012-11-14T08:20:43Z  in response to EricHambright
                Hi,
                seems to be a server-side problem, we have an open PMR for this.
                Regards,
                Thomas
    • SystemAdmin

      Re: Client Cert Problem

      2013-01-31T14:23:10Z  in response to ThomasEsseling
      This is how you do a trace in RDz:

      http://www-01.ibm.com/support/docview.wss?uid=swg21327307
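James's steps register the PKCS#11 provider in java.security, and Thomas's open question was whether the "set up your certificate" popup means the client finds no certificate or the host rejects one. The stand-alone Java check below, an added example that is not code from this thread, from RDz or from IBM, separates those two cases outside RDz: it lists the providers the RDz JDK actually loaded, opens the card keystore through the named provider, and prints every certificate it finds together with whether its private key is on the card and whether it is currently valid. It assumes the provider registers itself as "IBMPKCS11Impl-" followed by the name= value of the cfg file (which is what James's mismatch remark implies), uses the xxPKI name from Thomas's xxpki.cfg, assumes that a null keystore password lets the card middleware prompt for the PIN, and must be compiled and run with the JDK under <RDz85InstalledImage>\jdk so that it reads the same java.security, lib\ext and bin directories RDz uses.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// Added diagnostic, not RDz or IBM code. Run it with the JDK that RDz ships:
//   <RDz85InstalledImage>\jdk\bin\javac ClientCertCheck.java
//   <RDz85InstalledImage>\jdk\bin\java ClientCertCheck
public class ClientCertCheck {

    // Assumption: the IBM PKCS#11 provider registers under
    // "IBMPKCS11Impl-" + the "name =" value of the cfg file (xxPKI in the thread).
    static final String PROVIDER_NAME = "IBMPKCS11Impl-xxPKI";
    // Keystore type entered in the RDz "Client Certificates" preferences.
    static final String KEYSTORE_TYPE = "PKCS11IMPLKS";

    public static void main(String[] args) throws Exception {
        // Step 1: what did java.security actually load? The JVM reads
        // security.provider.1, .2, ... and stops at the first missing number,
        // so a gap or a duplicated index silently drops the PKCS#11 provider.
        System.out.println("Providers loaded from java.security:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " - " + p.getInfo());
        }
        Provider p11 = Security.getProvider(PROVIDER_NAME);
        if (p11 == null) {
            System.out.println("Provider " + PROVIDER_NAME
                + " is not installed: check the security.provider.N line, "
                + "the cfg path on that line and the name= value inside the cfg.");
            return;
        }

        // Step 2: open the card keystore through that provider. Assumption: a null
        // password lets the card middleware raise its own PIN dialog, the point at
        // which the PIN prompt appeared in the thread.
        KeyStore ks = KeyStore.getInstance(KEYSTORE_TYPE, p11);
        ks.load(null, null);

        // Step 3: list what the client can see. Only an entry whose private key is
        // on the card (isKeyEntry) can be used to authenticate the client.
        int usable = 0;
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            Certificate c = ks.getCertificate(alias);
            boolean hasKey = ks.isKeyEntry(alias);
            String subject = "(not an X.509 certificate)";
            String validity = "n/a";
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                subject = x.getSubjectX500Principal().getName();
                try {
                    x.checkValidity();   // throws when expired or not yet valid
                    validity = "valid until " + x.getNotAfter();
                } catch (CertificateException e) {
                    validity = "NOT valid: " + e.getMessage();
                }
            }
            System.out.printf("  alias=%s keyEntry=%b subject=%s %s%n",
                alias, hasKey, subject, validity);
            if (hasKey && validity.startsWith("valid")) {
                usable++;
            }
        }
        System.out.println(usable + " certificate(s) usable for client logon");
        if (usable == 0) {
            System.out.println("The client has nothing to present; keep looking on the client side.");
        } else {
            System.out.println("The client side can present a certificate; the host side is the next place to look.");
        }
    }
}
```

If the first step already stops, the problem is entirely in java.security (numbering, class name, cfg path) and no amount of RDz tracing will show more. If the keystore opens but lists three certificates with keyEntry=true, James's remark applies: the one to pick is decided by the host you connect to, and the hostIdMappings OID from the preferences is what the host uses to tie the certificate to a user, so a rejection at that point is a host-side question, which is where Thomas's PMR ended up. For provider-loading detail beyond this listing, the standard JDK switch is -Djava.security.debug=provider rather than the JAAS switch -Djava.security.auth.debug Thomas tried.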