A fix is available
APAR status
Closed as new function.
Error description
Provide support in z/VM TCP/IP for querying certificates within a specific GSKKYMAN certificate database. The query lists certificate labels and displays attributes of each certificate such as the type, expiration date, trust status, key type and size, signature type and hash, as well as the certificate chain.
Local fix
N/A
Problem summary
****************************************************************
* USERS AFFECTED: SSL server administrators and/or all users   *
*                 of the GSKKYMAN certificate management       *
*                 utility.                                     *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
****************************************************************
* RECOMMENDATION: APPLY PTF                                    *
****************************************************************
GSKKYMAN is a program that manages certificates in a key database. Prior to this APAR, there was no way to automatically display essential certificate information for all certificates in a database at one time. It was also very difficult to determine the certificate chain hierarchy for signed certificates (i.e. Root Certificate > Intermediate Certificate > Entity/User Certificate). A user would need to open the database manually with the GSKKYMAN utility and view certificate information in one of two ways:

A: Using the GSKKYMAN utility (menu-driven process):
 1. Logon to the GSKADMIN Id
 2. GSKKYMAN
 3. 2 - Open database
 4. Enter database name (for example, Database.kdb)
 5. Enter database password.
 6. 1 - Manage keys and certificates
 7. Select the certificate number to view the information.
 8. 1 - Show certificate information

For example:
   Certificate Information
   Label:                 Label_1
   Record ID:             13
   Issuer Record ID:      13
   Trusted:               Yes
   Version:               3
   Serial number:         604a927e000c66a1
   Issuer name:           self ca root ibm ibm pok ny US
   Subject name:          self ca root ibm ibm pok ny US
   Effective date:        2021/03/11
   Signature algorithm:   sha1WithRsaEncryption
   Issuer unique ID:      None
   Subject unique ID:     None
   Public key algorithm:  rsaEncryption
   Public key size:       1024
   Public key:            30 81 89 02 81 81 00 C6 97 54 A3 0E B9..
                          22 18 01 6E B3 DD 65 CD FC 41 E4 79 16..
                          66 9C 1E C9 BA F0 9B B1 C2 D9 BE 06 CF..
                          7C 88 10 8E B5 EC 83 89 A4 9C 65 F1 BE..
                          2C 98 83 3D 28 31 73 80 3A 51 57 56 19..
                          4B BB B7 DF 9F 6B 44 C3 2D D6 EF 0C 25..
                          44 E9 10 21 3E 01 C2 90 4B 8D B9 C4 FB..
                          D5 4D D3 46 FA 9D 4D 32 FA D1 46 F2 8E..
                          3D E3 EB 07 E4 AA CB 02 03 01 00 01
   Number of extensions:  4
   Enter 1 to display extensions, 0 to return to menu: 0

Note that in this example the Record ID and Issuer Record ID are the same (13) and the issuer and subject names match: the certificate is self-signed. Determining which other certificates it signed required opening each of them in turn.

****************************************************************
B: Using the GSKKYMAN command interface:
 1. GSKKYMAN -dcv -k Database.kdb
 2. Enter database password.

For example:
   Label:                 <Label_2>
   Trusted:               Yes
   Version:               3
   Serial number:         6091450f0008d77c
   Issuer's Name:         <CN=Label_2_CN,O=ibm,C=US>
   Subject's Name:        <CN=Label_2_CN,O=ibm,C=US>
   Effective Date:        2021/05/04 12:58:55
   Expiration Date:       2022/05/04 12:58:55
   Signature algorithm:   sha224WithRsaEncryption
   Issuer unique ID:      None
   Subject unique ID:     None
   Public key algorithm:  rsaEncryption
   Public key size:       2048
   Public key:            (value omitted here)
   Private key:           Yes
   Default key:           No
   Critical Extension: 1
     keyUsage:
       Digital signature
       Non-repudiation
       Key encipherment
       Data encipherment
       Certificate signature
       CRL signature
   Critical Extension: 2
     basicConstraints:
       Certification authority: <Yes>
   Non-critical Extension: 1
     subjectKeyIdentifier:
       A5 E9 F0 CB 40 49 83 D8 09 84 06 9D DE E3 E4 AC C0 90 6F 17
   Non-critical Extension: 2
     authorityKeyIdentifier:
       Key ID: A5 E9 F0 CB 40 49 83 D8 09 84 06 9D DE.. C0 90 6F 17
Problem conclusion
Temporary fix
Comments
This APAR allows users to issue a new CERTMGR command for querying essential certificate information out of a specific certificate database. The CERTMGR command provides an automated way to interact with the GSKKYMAN utility. Additionally, this support will also help generate and display certificate chains that are linked to one another by their digital signatures. The CMS DEFAULTS command can be used to set the default database for the CERTMGR command.

For example:

1) To query certificates out of a specific database:

   CERTMGR QUERY Database /etc/gskadm/certmgr2.kdb
   Enter database password (press ENTER to cancel):

   <----- Certificate ---->  <- Key ->  <-Signature->  Self
   Type    Expires      Trust Type Size  Type Hash      Sign Label
   ------  -----------  ----- ---- ----  ---- -------   ---- ----------
   Entity  19 Aug 2022  Yes   ECC  320   RSA  SHA-224   No   Entity_1
   Inter   27 Jun 2024  Yes   RSA  2048  RSA  SHA-224   No   Inter_1
   Root    04 May 2025  Yes   RSA  2048  RSA  SHA-224   Yes  Root_1
   Entity  19 Aug 2027  Yes   ECC  320   RSA  SHA-224   No   Entity_2
   Root    10 Jan 2028  Yes   RSA  2048  RSA  SHA-224   Yes  Root_2

2) To display certificate chains out of a specific database:

   CERTMGR QUERY ( CHAIN
   Enter database password (press ENTER to cancel):

   Expires      Label
   -----------  --------------------------------------------------
   04 May 2025  Root_1
   27 Jun 2024  Inter_1
   19 Aug 2022  Entity_1
   10 Jan 2028  Root_2
   19 Aug 2027  Entity_2
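The value of the new one-shot table is that it can be audited mechanically instead of by paging through GSKKYMAN menus. The following Python script is an added example for this page; it is not IBM code and is not part of PH40080. It parses the CERTMGR QUERY table shown above and applies a small policy: expired or soon-to-expire certificates, RSA keys below 2048 bits, SHA-1 or MD5 signature hashes, and root certificates not marked trusted (the first GSKKYMAN example on this page, Label_1, is a 1024-bit RSA key signed with sha1WithRsaEncryption, which is exactly what such a scan should catch). The first five data rows are the ones printed in the APAR text; the two "Legacy" rows, the reference date of 9 January 2023 and the policy thresholds are constructed assumptions for the example.

```python
"""Audit the fixed-width table printed by CERTMGR QUERY.

Added example for this APAR page; not IBM code and not part of PH40080.
The first five data rows below are copied from the APAR text; the two
"Legacy" rows, the reference date and the policy thresholds are
constructed for this example.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample of CERTMGR QUERY output (prompt, headers, five rows
# from the APAR, plus two constructed rows that trigger the weak checks).
SAMPLE_QUERY_OUTPUT = """\
Enter database password (press ENTER to cancel):
<----- Certificate ---->  <- Key ->  <-Signature->  Self
Type    Expires      Trust Type Size  Type Hash      Sign Label
------  -----------  ----- ---- ----  ---- -------   ---- ----------
Entity  19 Aug 2022  Yes   ECC  320   RSA  SHA-224   No   Entity_1
Inter   27 Jun 2024  Yes   RSA  2048  RSA  SHA-224   No   Inter_1
Root    04 May 2025  Yes   RSA  2048  RSA  SHA-224   Yes  Root_1
Entity  19 Aug 2027  Yes   ECC  320   RSA  SHA-224   No   Entity_2
Root    10 Jan 2028  Yes   RSA  2048  RSA  SHA-224   Yes  Root_2
Root    11 Mar 2031  No    RSA  1024  RSA  SHA-1     Yes  Legacy_Root
Entity  01 Feb 2023  Yes   RSA  1024  RSA  SHA-1     No   Legacy Entity
"""

# Policy thresholds: assumptions for this example, not taken from the APAR.
MIN_RSA_BITS = 2048
MIN_ECC_BITS = 256
WEAK_HASHES = {"SHA-1", "MD5"}
EXPIRY_WARNING_DAYS = 90
CERT_TYPES = ("Root", "Inter", "Entity")


@dataclass
class CertRow:
    cert_type: str    # Root, Inter or Entity (first column)
    expires: date
    trusted: bool
    key_type: str     # RSA or ECC
    key_size: int     # bits
    sig_type: str
    sig_hash: str
    self_signed: bool
    label: str


def parse_query_output(text):
    """Return one CertRow per data row; the prompt, headers and rule line are skipped."""
    rows = []
    for line in text.splitlines():
        # The label is the last column and may contain spaces, so split at
        # most ten times and keep the remainder of the line as the label.
        parts = line.split(None, 10)
        if len(parts) != 11 or parts[0] not in CERT_TYPES:
            continue
        expires = datetime.strptime(" ".join(parts[1:4]), "%d %b %Y").date()
        rows.append(CertRow(parts[0], expires, parts[4] == "Yes", parts[5],
                            int(parts[6]), parts[7], parts[8],
                            parts[9] == "Yes", parts[10]))
    return rows


def audit(rows, today):
    """Return (label, finding) pairs for every row that violates the policy."""
    findings = []
    for r in rows:
        days_left = (r.expires - today).days
        if days_left < 0:
            findings.append((r.label, f"expired {-days_left} days ago"))
        elif days_left <= EXPIRY_WARNING_DAYS:
            findings.append((r.label, f"expires in {days_left} days"))
        if r.key_type == "RSA" and r.key_size < MIN_RSA_BITS:
            findings.append((r.label, f"RSA key is {r.key_size} bits (< {MIN_RSA_BITS})"))
        if r.key_type == "ECC" and r.key_size < MIN_ECC_BITS:
            findings.append((r.label, f"ECC key is {r.key_size} bits (< {MIN_ECC_BITS})"))
        if r.sig_hash in WEAK_HASHES:
            findings.append((r.label, f"signature hash {r.sig_hash} is deprecated"))
        if r.cert_type == "Root" and not r.trusted:
            findings.append((r.label, "root certificate is not marked trusted"))
    return findings


def run_audit(text, today_iso):
    """Parse CERTMGR QUERY output and audit it against a reference date (YYYY-MM-DD)."""
    return audit(parse_query_output(text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for label, finding in run_audit(SAMPLE_QUERY_OUTPUT, "2023-01-09"):
        print(f"{label:<16} {finding}")
```

In practice the table would come from capturing CERTMGR QUERY output into a file and reading it in place of the embedded sample; the parser keys on the first column being Root, Inter or Entity, so the password prompt and column headers are ignored without any fixed-width offsets that could shift if labels are long.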
APAR Information
APAR number
PH40080
Reported component name
TCP/IP FOR Z/VM
Reported component ID
5735FAL00
Reported release
720
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / New Function / Xsystem
Submitted date
2021-08-24
Closed date
2021-11-30
Last modified date
2023-01-09
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI78359
Modules/Macros
CERTMGR DTCUME DTCUMEB FILTER HELP OPTION TCPBLHLP TCPBL492 TCPIP TCPIPGEN TYPE
GC24633005 | GC24629410 | GC24628612 | SC24633305 | SC24626003 | SC24633107
Fix information
Fixed component name
TCP/IP FOR Z/VM
Fixed component ID
5735FAL00
Applicable component levels
R720 PSY UI78359
UP21/12/08 I 1000
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
09 January 2023