APAR status
Closed as documentation error.
Error description
Removal of the KEYGEN tag support from some Mozilla based browsers affects PKI Services browser certificate support.
Local fix
Problem summary
USERS AFFECTED:
z/OS PKI Services users who use a Mozilla-based browser to request a browser certificate using the browser templates.

PROBLEM DESCRIPTION:
Mozilla-based browsers, e.g. Firefox, have removed the KEYGEN HTML tag support, which z/OS PKI Services uses to generate the key pair for the request when the user chooses any of the following browser type templates:
- 1-Year PKI SSL Browser Certificate
- 1-Year PKI S/MIME Browser Certificate
- 2-Year PKI Browser Certificate For Authenticating To z/OS
- n-Year PKI Certificate for Extensions Demonstration
- 1-Year SAF Browser Certificate

RECOMMENDATION:
Problem conclusion
The z/OS PKI Services Guide and Reference (SA23-2286-00) book is updated as follows:

Planning - Introducing PKI Services - Supported standards
Update the Mozilla-based browsers description under 'Browser certificate for' as follows:
- Mozilla-based browsers such as Mozilla Firefox which support the KEYGEN HTML tag. Note that the KEYGEN HTML tag has been deprecated in some Mozilla-based browsers. You can not request browser certificate from such browsers.

Planning - Introducing PKI Services - Supported certificate types
Add a note before Table 2 "Types of certificate you can request" as follows:
Note: Browser certificates rely on either the KEYGEN HTML tag of Mozilla-based browsers or the ActiveX cryptographic service providers of the Microsoft Internet Explorer browser to generate key pairs. If you use a Mozilla-based browser which does not support the KEYGEN HTML tag, or you use a Microsoft browser that does not support ActiveX, you can not request browser certificates using the templates containing the name 'browser'. You may use the 'One-year PKI generated key certificate' template instead.

Customizing PKI Services - Customizing the end user web application if you use REXX CGI execs - Contents of the pkiserv.tmpl certificates templates file - What are substitution variables
- Update Table 30 "Substitution variables", add a note for "browsertype" substitution variable as follows:
(Note: The KEYGEN HTML tag has been deprecated in some Mozilla-based browsers. INSERT PublicKeyNS will not work on those browsers. Therefore no input field for the key size would be displayed on the request page.)

Customizing PKI Services - Customizing the end user web application if you use REXX CGI execs - Contents of the pkiserv.tmpl certificates templates file - INSERT sections - Named fields in INSERT sections
- Update Table 32 "Name Fields in INSERT sections" description for "PublicKeyNS" in parentheses as follows:
(This field is for Mozilla-based browsers which support the KEYGEN HTML tag only.)
and add a note to the description for "PublicKeyNS" as follows:
(Note: The KEYGEN HTML tag has been deprecated in some Mozilla-based browsers. INSERT PublicKeyNS will not work on those browsers. Therefore no input field for the key size would be displayed on the request page.)
- Update Table 32 "Name Fields in INSERT sections" description for "PublicKey2NS" in parentheses as follows:
(This field is for Mozilla-based browsers which support the KEYGEN HTML tag only.)
and add a note to the description for "PublicKey2NS" as follows:
(Note: The KEYGEN HTML tag has been deprecated in some Mozilla-based browsers. INSERT PublicKeyNS will not work on those browsers. Therefore no input field for the key size would be displayed on the request page.)

Customizing PKI Services - Customizing the end user web application if you use REXX CGI execs - Contents of the pkiserv.tmpl certificates templates file - Templates that PKI Services provides
- Add the following note before Table 35 "Certificate templates PKI Services provides":
Note: Browser certificates rely on either the KEYGEN HTML tag of Mozilla-based browsers or the ActiveX cryptographic service providers of the Microsoft Internet Explorer browser to generate key pairs. If you use a Mozilla-based browser which does not support the KEYGEN HTML tag, or you use a Microsoft browser that does not support ActiveX, you can not request browser certificates using the templates containing the name 'browser'. You may use the 'One-year PKI generated key certificate' template instead.

Customizing PKI Services - Customizing the end user web application if you use REXX CGI execs - Relationship between CGIs and the pkiserv.tmpl file
- Table 41 "CGI actions for end-user web pages" - update the description for "cagetcert.rexx" for Mozilla-based browsers in the third bullet as follows:
- as an application/x-x509-user-certificate MIME type (for browser certificates requested from Mozilla-based browsers which support the KEYGEN HTML tag).

Using PKI Services - Using the end-user web pages - Summary of fields
- For PKI Services V2R3 manual: Table 64 "Summary of fields in end-user web pages"
- For PKI Services V2R4 manual: Table 66 "Summary of fields in end-user web pages"
- Add the following note in the description for the "Key size" field:
(Note: The KEYGEN HTML tag has been deprecated in some Mozilla-based browsers, in which case, no input field for the key size would be displayed on the request page.)

Using PKI Services - Using the end-user web pages - Steps for requesting a new certificate
- Replace the Note for Step 3 as follows:
Note: You might need to click through some additional panels specific to your browser (for example, clicking Next on a Mozilla-based browser which supports the KEYGEN HTML tag or answering "Do you want to proceed?" on Internet Explorer) before the certificate request form appears.
- Replace the Note for Step 4 as follows:
Note: In the case of the one-year SSL browser certificate, fill in your common name. (See Table xx on page xxx for descriptions of fields.) If you are using a Mozilla-based browser which supports the KEYGEN HTML tag, select a key size from a drop-down list. Alternately, if you are using Internet Explorer, click the drop-down lists to select your cryptographic service provider and to specify whether to use strong private key protection.
Temporary fix
Comments
APAR Information
APAR number
OA62152
Reported component name
PKI SERVICES
Reported component ID
5752XXPKI
Reported release
7B0
Status
CLOSED DOC
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-09-15
Closed date
2021-09-28
Last modified date
2021-12-08
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
SA23228600
Fix information
Applicable component levels
Document Information
Modified date:
09 December 2021