IBM Support

OA62152: PKI SERVICES BOOK UPDATES FOR MOZILLA <KEYGEN> TAG REMOVAL


APAR status

  • Closed as documentation error.

Error description

  • Removal of the KEYGEN tag support from some Mozilla based
    browsers affects PKI Services browser certificate support.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * z/OS PKI Services users who use Mozilla-based browser to     *
    * request browser certificate using the browser templates      *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * Mozilla-based browser, eg, FireFox, has removed the KEYGEN   *
    * HTML tag support which z/OS PKI Services uses to generate    *
    * the key pair for the request when the user chooses any of    *
    * the                                                          *
    * following browser type templates:                            *
    * 1-Year PKI SSL Browser Certificate                           *
    * 1-Year PKI S/MIME Browser Certificate                        *
    * 2-Year PKI Browser Certificate For Authenticating To z/OS    *
    * n-Year PKI Certificate for Extensions Demonstration          *
    * 1-Year SAF Browser Certificate                               *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    

Problem conclusion

  • The z/OS PKI Services Guide and Reference (SA23-2286-00)
    book is updated as follows:
    
    Planning
    - Introducing PKI Services
     - Supported standards
    
       Update the Mozilla-based browsers description under
       'Browser certificate for' as follows:
    
       - Mozilla-based browsers such as Mozilla Firefox which
         support the KEYGEN HTML tag. Note that the KEYGEN HTML tag
         has been deprecated in some Mozilla-based browsers. You
         cannot request browser certificates from such browsers.
    
    Planning
    - Introducing PKI Services
      - Supported certificate types
    
        Add a note before Table 2 "Types of certificate you can
        request" as follows:
    
        Note: Browser certificates rely on either the KEYGEN HTML
        tag of Mozilla-based browsers or the ActiveX cryptographic
        service providers of the Microsoft Internet Explorer browser
        to generate key pairs. If you use a Mozilla-based browser
        which does not support the KEYGEN HTML tag, or you use a
        Microsoft browser that does not support ActiveX, you cannot
        request browser certificates using the templates
        containing the name 'browser'. You may use the
        'One-year PKI generated key certificate' template instead.
    
    Customizing PKI Services
    - Customizing the end user web application if you use
      REXX CGI execs
     - Contents of the pkiserv.tmpl certificates templates file
      - What are substitution variables
       - Update Table 30 "Substitution variables", add a note for
         "browsertype" substitution variable as follows:
    
         (Note: The KEYGEN HTML tag has been deprecated in some
          Mozilla-based browsers. INSERT PublicKeyNS will not work
          on those browsers. Therefore no input field for the key
          size would be displayed on the request page.)
    
    Customizing PKI Services
    - Customizing the end user web application if you use
      REXX CGI execs
     - Contents of the pkiserv.tmpl certificates templates file
      - INSERT sections
       - Named fields in INSERT sections
        - Update Table 32 "Name Fields in INSERT sections"
          description for "PublicKeyNS" in parentheses as follows:
    
          (This field is for Mozilla-based browsers which support
           the KEYGEN HTML tag only.)
    
          and add a note to the description for "PublicKeyNS" as
          follows:
    
          (Note: The KEYGEN HTML tag has been deprecated in some
          Mozilla-based browsers. INSERT PublicKeyNS will not work
          on those browsers. Therefore no input field for the key
          size would be displayed on the request page.)
    
        - Update Table 32 "Name Fields in INSERT sections"
          description for "PublicKey2NS" in parentheses as follows:
    
          (This field is for Mozilla-based browsers which support
           the KEYGEN HTML tag only.)
    
          and add a note to the description for "PublicKey2NS" as
          follows:
    
          (Note: The KEYGEN HTML tag has been deprecated in some
          Mozilla-based browsers. INSERT PublicKey2NS will not work
          on those browsers. Therefore no input field for the key
          size would be displayed on the request page.)
    
    Customizing PKI Services
    - Customizing the end user web application if you use
      REXX CGI execs
     - Contents of the pkiserv.tmpl certificates templates file
      - Templates that PKI Services provides
       - Add the following note before Table 35
         "Certificate templates PKI Services provides":
    
         Note: Browser certificates rely on either the KEYGEN HTML
         tag of Mozilla-based browsers or the ActiveX cryptographic
         service providers of the Microsoft Internet Explorer browser
         to generate key pairs. If you use a Mozilla-based browser
         which does not support the KEYGEN HTML tag, or you use a
         Microsoft browser that does not support ActiveX, you cannot
         request browser certificates using the templates
         containing the name 'browser'. You may use the
         'One-year PKI generated key certificate' template instead.
    
    Customizing PKI Services
    - Customizing the end user web application if you use
      REXX CGI execs
     - Relationship between CGIs and the pkiserv.tmpl file
      - Table 41 "CGI actions for end-user web pages"
       - update the description for "cagetcert.rexx" for
         Mozilla-based browsers in the third bullet as follows:
    
         - as an application/x-x509-user-certificate MIME type
           (for browser certificates requested from Mozilla-based
           browsers which support the KEYGEN HTML tag).
    
    Using PKI Services
    - Using the end-user web pages
     - Summary of fields
      - For PKI Services V2R3 manual:
        Table 64 "Summary of fields in end-user web pages"
      - For PKI Services V2R4 manual:
        Table 66 "Summary of fields in end-user web pages"
    
        - Add the following note in the description for the
          "Key size" field:
    
          (Note: The KEYGEN HTML tag has been deprecated in some
           Mozilla-based browsers, in which case, no input field
           for the key size would be displayed on the request
           page.)
    
    Using PKI Services
    - Using the end-user web pages
     - Steps for requesting a new certificate
      - Replace the Note for Step 3 as follows:
    
        Note: You might need to click through some additional
        panels specific to your browser (for example, clicking
        Next on a Mozilla-based browser which supports the KEYGEN
        HTML tag or answering "Do you want to proceed?" on Internet
        Explorer) before the certificate request form appears.
    
      - Replace the Note for Step 4 as follows:
    
        Note: In the case of the one-year SSL browser certificate,
        fill in your common name. (See Table xx on page xxx for
        descriptions of fields.) If you are using a Mozilla-based
        browser which supports the KEYGEN HTML tag, select a key
        size from a drop-down list. Alternately, if you are using
        Internet Explorer, click the drop-down lists to select your
        cryptographic service provider and to specify whether to use
        strong private key protection.
    
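The documentation updates above say that on a browser without the KEYGEN tag the key size field is simply not rendered and the user should switch to the 'One-year PKI generated key certificate' template. A site customizing the end-user pages can make that decision explicit on the client. The following is an added example, not code from this APAR or from z/OS PKI Services: it feature-detects the KEYGEN tag (a browser that has removed the tag returns an HTMLUnknownElement from document.createElement('keygen'), while one that still implements it returns an element carrying the keytype and challenge properties) and picks the template accordingly. The template names are quoted from the APAR; the element id 'keysize' and the fake DOM stand-ins used to exercise the logic outside a browser are assumptions.

```javascript
// Added example, not code from the APAR or from z/OS PKI Services.
// Client-side detection of the KEYGEN HTML tag, used to decide whether a
// 'browser' template (the browser generates the key pair) can be offered
// or whether the user must be sent to the PKI-generated-key template.

// Template names are quoted from the APAR text.
const BROWSER_TEMPLATE = '1-Year PKI SSL Browser Certificate';
const FALLBACK_TEMPLATE = 'One-year PKI generated key certificate';

// Browsers that removed <keygen> create an HTMLUnknownElement for it; those
// that still implement it expose the HTMLKeygenElement properties.
function keygenSupported(doc, unknownElementCtor) {
  const el = doc.createElement('keygen');
  if (unknownElementCtor && el instanceof unknownElementCtor) {
    return false; // tag is unknown to this browser: KEYGEN removed
  }
  return 'keytype' in el && 'challenge' in el;
}

// Choose the template and say whether the key-size field (the one that
// INSERT PublicKeyNS / PublicKey2NS would render) makes sense to show.
function chooseTemplate(doc, unknownElementCtor) {
  if (keygenSupported(doc, unknownElementCtor)) {
    return { template: BROWSER_TEMPLATE, showKeySize: true, reason: null };
  }
  return {
    template: FALLBACK_TEMPLATE,
    showKeySize: false,
    reason: 'This browser does not support the KEYGEN HTML tag, so it ' +
            'cannot generate the key pair for a browser certificate.',
  };
}

// Constructed stand-ins for a DOM so the logic can be exercised outside a
// browser (test doubles, not real DOM classes).
class FakeUnknownElement {}
class FakeKeygenElement {
  constructor() { this.keytype = 'rsa'; this.challenge = ''; }
}
function fakeDocument(supportsKeygen) {
  return {
    createElement(tag) {
      return tag === 'keygen' && supportsKeygen
        ? new FakeKeygenElement()
        : new FakeUnknownElement();
    },
  };
}

// In a real page, run the check against the live DOM. The element id
// 'keysize' is hypothetical; use whatever id your customized pkiserv.tmpl
// emits for the key-size row.
if (typeof document !== 'undefined') {
  const unknownCtor =
    typeof HTMLUnknownElement !== 'undefined' ? HTMLUnknownElement : null;
  const choice = chooseTemplate(document, unknownCtor);
  const keySizeRow = document.getElementById('keysize');
  if (keySizeRow && !choice.showKeySize) keySizeRow.hidden = true;
  if (choice.reason) {
    console.warn(choice.reason + ' Use the "' + choice.template + '" template.');
  }
}
```

The check is advisory only: it improves the request page, but the REXX CGI that receives the form must still treat a missing or empty PublicKeyNS/PublicKey2NS value as a failed browser-certificate request rather than assuming the client ran this script.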

Temporary fix

Comments

APAR Information

  • APAR number

    OA62152

  • Reported component name

    PKI SERVICES

  • Reported component ID

    5752XXPKI

  • Reported release

    7B0

  • Status

    CLOSED DOC

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-09-15

  • Closed date

    2021-09-28

  • Last modified date

    2021-12-08

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Publications Referenced
SA23228600    

Fix information

Applicable component levels


Document Information

Modified date:
09 December 2021