Where is my server's personal certificate?
KoelliMungee 060000GR25 Visits (3725)
Here is a common problem I see pretty often: You log on to the WebSphere z/OS administrative console and follow this breadcrumb trail to look at your personal certificate: (Assuming you know the targeted SSL configuration, I will provide details on how you can figure that out in the next few paragraphs).
SSL certificate and key management > SSL configurations > Node
But there are none! The list is empty. However, you know the keyring/userid for the controller is connected to a personal certificate through RACF or other SAF product. This indicates that there is a problem with the server's personal certificate and in order to proceed to use the server with global security ON, this has to be fixed. I wanted to share a checklist of things to go through to resolve this.
First of all, which ID/keyring pair are we talking about and how do we know it's the right one? In the case of an ND system, we need to look at the Deployment Manager Controller's user ID. In the case of a Base system we look at the Application Server Controller's user ID. Let us assume the user ID for the controller in question is ASCR1. In the case of a servant's personal certificate, you would consider the particular servant's user ID.
The next piece is the keyring name. The following screen shot verifies that "Nod
The next step would be to go look at the details for "Nod
We see the keyring name is WASKeyring.SY1.
Next, we can issue the RACF command to list the this keyring, to see which certificates the user ID/keyring is connected to.
So now we have proved that the keyring/user ID pair is connected to a personal certificate in RACF. However the fact that it is not viewable in the administrative console indicates that there is a problem with it. The most common problems I see are:
This is what a valid personal certificate would look like with a matching good CERTAUTH:
RACDCERT LIST (lab
RACDCERT CERTAUTH LIST
The fields in bold are what you should focus on to check out the points I mentioned above. If the dates are invalid, they need to be corrected. An indication that there is no private key in the certificate would be:
Private Key Type: None
You may need to contact your security administration team to correct the certificate, but once that is correctly done, you should be able to view the personal certificate in the console as expected. This should also fix your server's SSL communication issues.
I hope this provided some useful information for you, let me know if you have any comments, Thanks!