Certificate error in the Mozilla Firefox browser

When logging into z/OSMF for the first time, you might notice that the Mozilla Firefox browser displays the error message: Secure Connection Failed.

If the error message indicates that the browser does not recognize the Certificate Authority (CA) certificate that is configured for z/OSMF, you can resolve the error by adding the certificate to the browser security exception list, or importing the certificate into the browser. For information, see Adding the CA certificate to the security exceptions list and Importing the CA certificate into the browser.

If the error message indicates that the certificate contains the same serial number as another certificate issued by the CA, it is possible that your browser contains a CA certificate from a previous installation of z/OSMF. If so, you can remove the older certificate from the browser, as described in Removing the CA certificate from the browser. Then, try again to access z/OSMF and allow the new certificate to be stored in the browser.

Adding the CA certificate to the security exceptions list

You can allow your browser to bypass the Secure Connection Failed message for z/OSMF.

Do the following:
  1. On the error page, click Or you can add an exception.
  2. Click Add Exception. The Add Security Exception dialog is displayed.
  3. Click Get Certificate.
  4. Click View to display a window that describes the problem with your z/OSMF site.

    Examine the Issued To fields. Verify that the information identifies z/OSMF. The value for Common Name (CN) should match the host name for your installation of z/OSMF.

    Examine the Issued By fields. Verify that the certificate was issued by the certificate authority (CA) that was used to generate the server certificate. By default, z/OSMF uses the certificate authority zOSMFCA.

    To see the other fields of the certificate, select the Details tab.

  5. After you have verified the certificate, close the dialog. If you leave the Permanently store this exception check box selected, Firefox stores the certificate information to prevent the error from being displayed again for the z/OSMF site.
  6. Click Confirm Security Exception to trust the z/OSMF site.

Your browser will now open to the z/OSMF interface.

Importing the CA certificate into the browser

You can import the CA certificate into your browser. Doing so involves exporting the z/OSMF certificate from RACF®, transferring the CA certificate to your workstation, and importing the CA certificate into your browser.

The CA certificate is determined by your configuration setting for the variable IZU_DEFAULT_CERTAUTH. If this variable is set to Y, z/OSMF creates the CA during the configuration process. Otherwise, no CA is created, and z/OSMF uses CERTAUTH LABEL('zOSMFCA') to sign the certificate. z/OSMF uses the SAF key ring name IZUKeyring.IZU_SAF_PROFILE_PREFIX.

To import the CA certificate into your browser, do the following:
  1. List the key rings for the z/OSMF server user ID, using the RACDCERT command, for example:
    RACDCERT ID(IZUSVR1) LISTRING(*)


    Figure 1 shows an example of the output from the RACDCERT command.
    Figure 1. Digital ring information for the z/OSMF server user ID
    Digital ring information for user IZUSVR1:                                    
                                                                                 
      Ring:                                                                      
           >IZUKeyring.IZUDFLT<                                                  
      Certificate Label Name             Cert Owner     USAGE      DEFAULT       
      --------------------------------   ------------   --------   -------       
      zOSMFCA                            CERTAUTH       CERTAUTH     NO          
      Verisign Class 3 Primary CA        CERTAUTH       CERTAUTH     NO          
      Verisign Class 1 Primary CA        CERTAUTH       CERTAUTH     NO          
      Thawte Server CA                   CERTAUTH       CERTAUTH     NO          
      Thawte Premium Server CA           CERTAUTH       CERTAUTH     NO          
      Thawte Personal Basic CA           CERTAUTH       CERTAUTH     NO          
      Thawte Personal Freemail CA        CERTAUTH       CERTAUTH     NO          
      Thawte Personal Premium CA         CERTAUTH       CERTAUTH     NO            

    Verify that the configured SAF key ring is shown for the z/OSMF server user ID. Note the key ring name and the certificate label (zOSMFCA, in this case).

  2. Export the CA certificate using the RACDCERT command, for example:
    RACDCERT EXPORT(LABEL('zOSMFCA')) CERTAUTH
    DSN('??????.CERT.AUTH.DER') FORMAT(CERTDER)


  3. Transfer this file in binary format to your workstation. Keep the .der extension when you transfer the file.
  4. To import the certificate into the Firefox browser, do the following:
    1. From the Tools menu, click Options > Advanced tab.
    2. Click View Certificates.
    3. Select the Authorities tab.
    4. Click Import.
    5. From the Select File menu, navigate to the folder to which you transferred the CA certificate.
    6. Select the certificate file and click Open.
    7. In the dialog box, select the Trust this CA to identify web sites check box. You can also click View to examine the certificate.
    8. To import the certificate to your browser, click OK.

Your browser will now open to the z/OSMF interface.
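
A check that can be run on the workstation between steps 3 and 4, shown here as an added example that is not part of the z/OSMF documentation: it confirms that the transferred file still has the DER layout of an X.509 certificate, which a text-mode transfer from z/OS would break, and returns the SHA-256 fingerprint to compare with the one Firefox shows under View. The function names and the sample bytes are assumptions made for illustration; the sample is a constructed skeleton, not a real certificate.

```python
import hashlib

def read_tlv(buf, off):
    """Return (tag, content_start, content_end) for the DER element at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:                      # short form: the byte is the length
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("element runs past end of file")
    return tag, off, off + length

def check_exported_ca(data):
    """Structural check of a transferred .der file; returns (ok, detail)."""
    try:
        tag, start, end = read_tlv(data, 0)
        if tag != 0x30:
            return False, "first byte is 0x%02X, not a DER SEQUENCE (text-mode transfer?)" % tag
        if end != len(data):
            return False, "%d trailing bytes after certificate" % (len(data) - end)
        tags = []
        while start < end:                # Certificate ::= SEQUENCE of three elements
            t, _, start = read_tlv(data, start)
            tags.append(t)
    except ValueError as exc:
        return False, str(exc)
    if tags != [0x30, 0x30, 0x03]:        # tbsCertificate, signatureAlgorithm, signature
        return False, "unexpected top-level layout"
    digest = hashlib.sha256(data).hexdigest().upper()
    return True, ":".join(digest[i:i + 2] for i in range(0, 64, 2))

def sample_tlv(tag, content):             # DER builder used only for the sample below
    n, k = len(content), (len(content).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + head + content

# Constructed sample: a certificate-shaped DER skeleton, not a real certificate.
SAMPLE = sample_tlv(0x30, sample_tlv(0x30, b"\x00" * 300)
                    + sample_tlv(0x30, b"\x06\x01\x2a") + sample_tlv(0x03, b"\x00" * 65))
# The same bytes after an EBCDIC-to-ASCII text-mode transfer (simulated with cp037).
DAMAGED = SAMPLE.decode("cp037").encode("latin-1")

if __name__ == "__main__":
    print(check_exported_ca(SAMPLE), check_exported_ca(DAMAGED))
```

For a real export, pass the bytes of the transferred file, read in binary mode, to `check_exported_ca`. This check is structural only and does not validate the signature.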

Removing the CA certificate from the browser

You can remove an older CA certificate from the browser to allow the CA certificate for the new release of z/OSMF to be added.

Do the following:
  1. From the Tools menu, click Options > Advanced tab.
  2. Click the Encryption tab.
  3. Click View Certificates.
  4. Click the Servers tab.
  5. In the Certificate Name column, locate the z/OSMF CertAuth section.
  6. Select the certificate files under z/OSMF and click Delete.
  7. Click OK.

Try to access z/OSMF with your web browser. If prompted, allow the CA certificate to be stored in the browser. Your browser will now open to the z/OSMF user interface.