Certificate error in the Mozilla Firefox browser
When logging into z/OSMF for the first time, you might notice that the Mozilla Firefox browser displays the error message: Secure Connection Failed.
If the error message indicates that the certificate contains the same serial number as another certificate issued by the CA, it is possible that your browser contains a CA certificate from a previous installation of z/OSMF. If so, you can remove the older certificate from the browser, as described in Removing the CA certificate from the browser. Then, try again to access z/OSMF and allow the new certificate to be stored in the browser.
Adding the CA certificate to the security exceptions list
You can allow your browser to bypass the Secure Connection Failed message for z/OSMF.
- On the error page, click Or you can add an exception.
- Click Add Exception. The Add Security Exception dialog is displayed.
- Click Get Certificate.
- Click View to display a window that describes the problem with your z/OSMF site.
Examine the Issued To fields. Verify that the information identifies z/OSMF. The value for Common Name (CN) should match the host name for your installation of z/OSMF.
Examine the Issued By fields. Verify that the certificate was issued by the certificate authority (CA) that was used to generate the server certificate. By default, z/OSMF uses the certificate authority zOSMFCA.
To see the other fields of the certificate, select the Details tab.
- After you have verified the certificate, close the dialog. If you leave the Permanently store this exception check box selected, Firefox stores the certificate information to prevent the error from being displayed again for the z/OSMF site.
- Click Confirm Security Exception to trust the z/OSMF site.
Your browser will now open to the z/OSMF interface.
Importing the CA certificate into the browser
You can import the CA certificate into your browser. Doing so involves exporting the z/OSMF certificate from RACF®, transferring the CA certificate to your workstation, and importing the CA certificate into your browser.
The CA certificate is determined by your configuration setting for the variable IZU_DEFAULT_CERTAUTH. If this variable is set to Y, z/OSMF creates the CA during the configuration process. Otherwise, no CA is created, and z/OSMF uses CERTAUTH LABEL('zOSMFCA') to sign the certificate. z/OSMF uses the SAF key ring name IZUKeyring.IZU_SAF_PROFILE_PREFIX.
- List the key rings for the z/OSMF server user ID, using the RACDCERT command, for example:
RACDCERT ID(IZUSVR1) LISTRING(*)
Figure 1 shows an example of the output from the RACDCERT command. Verify that the configured SAF key ring is shown for the z/OSMF server user ID. Note the key ring name and the certificate label (zOSMFCA, in this case).
- Export the CA certificate using the RACDCERT command, for example:
RACDCERT EXPORT(LABEL('zOSMFCA')) CERTAUTH DSN('??????.CERT.AUTH.DER') FORMAT(CERTDER)
- Transfer this file in binary format to your workstation. Keep the .der extension when you transfer the file.
- To import the certificate into the Firefox browser, do the following:
- From the Tools menu, click tab.
- Click View Certificates.
- Select the Authorities tab.
- Click Import.
- From the Select File menu, navigate to the folder to which you transferred the CA certificate.
- Select the certificate file and click Open.
- In the dialog box, select the Trust this CA to identify web sites check box. You can also click View to examine the certificate.
- To import the certificate to your browser, click OK.
Your browser will now open to the z/OSMF interface.
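Before you select the trust check box, you can confirm on the workstation that the transferred file is still intact DER. The following Python check is an added example, not part of the z/OSMF documentation: it rejects a file whose DER framing was damaged by a non-binary transfer, and returns the serial number and SHA-256 fingerprint to compare with what the Firefox View dialog shows. The names SAMPLE, read_tlv and inspect_der_cert are hypothetical, and SAMPLE is a constructed skeleton, not a real certificate.

```python
import hashlib

# Constructed skeleton with certificate-like DER framing (not a real certificate):
# SEQUENCE { SEQUENCE { [0] { INTEGER 2 }, INTEGER 0x01A4 } }
SAMPLE = bytes.fromhex("300b3009a003020102020201a4")

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        length, start = first, pos + 2
    else:                                  # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + 2 + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    if start + length > len(buf):
        raise ValueError("DER element runs past end of file")
    return tag, start, start + length

def inspect_der_cert(der):
    """Check the outer framing, then return serial number and fingerprint."""
    if not der or der[0] != 0x30:
        raise ValueError("no DER SEQUENCE at offset 0; was the transfer binary?")
    _, start, end = read_tlv(der, 0)
    if end != len(der):
        raise ValueError("encoded length does not match file size")
    tag, pos, _ = read_tlv(der, start)     # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate SEQUENCE not found")
    tag, s, e = read_tlv(der, pos)
    if tag == 0xA0:                        # optional explicit version field
        tag, s, e = read_tlv(der, e)
    if tag != 0x02:
        raise ValueError("serial number INTEGER not found")
    return {"serial_hex": der[s:e].hex(),
            "sha256": hashlib.sha256(der).hexdigest()}

if __name__ == "__main__":
    print(inspect_der_cert(SAMPLE))
```

To check the real file, pass its contents read with open(path, "rb").read() to inspect_der_cert.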
Removing the CA certificate from the browser
You can remove an older CA certificate from the browser to allow the CA certificate for the new release of z/OSMF to be added.
- From the Tools menu, click tab.
- Click the Encryption tab.
- Click View Certificates.
- Click the Servers tab.
- In the Certificate Name column, locate the z/OSMF CertAuth section.
- Select the certificate files under z/OSMF and click Delete.
- Click OK.
Try to access z/OSMF with your web browser. If prompted, allow the CA certificate to be stored in the browser. Your browser will now open to the z/OSMF user interface.