IBM Support

PH40080: Z/VM TCPIP QUERY GSKKYMAN CERTIFICATE SUPPORT

A fix is available


APAR status

  • Closed as new function.

Error description

  • Provide support in z/VM TCPIP for querying certificates within a
    specific GSKKYMAN certificate database.
    
    The query will list certificate labels and display certain
    attributes of the certificates such as the type, expiration
    date, trust status, key type and size, signature type and hash
    as well as the certificate chain.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: SSL server administrators and/or all users   *
    *                 of GSKKYMAN certificate management utility.  *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    ****************************************************************
    * RECOMMENDATION: APPLY PTF                                    *
    ****************************************************************
    GSKKYMAN is a program that manages certificates in a key
    database.  Prior to this APAR, there was no way to automatically
    display essential certificate information for all certificates
    in a database at one time.  It was also very difficult to
    determine the certificate chain hierarchy of signed certificates
    (i.e. Root Certificate > Intermediate Certificate > Entity/User
    Certificate).  To view certificate information, a user had to
    open the database manually with the GSKKYMAN utility in one of
    the following two ways:
    
    A: Using GSKKYMAN Utility: (Menu driven process)
      1. Logon to the GSKADMIN Id
      2. GSKKYMAN
      3. 2 - Open database
      4. Enter database name (For example, Database.kdb)
      5. Enter database password.
      6. 1 - Manage keys and certificates
      7. Select the certificate number to view the information.
      8. 1 - Show certificate information
    
      For Example -
                           Certificate Information
    
                    Label: Label_1
                Record ID: 13
         Issuer Record ID: 13
                  Trusted: Yes
                  Version: 3
            Serial number: 604a927e000c66a1
              Issuer name: self ca root
                           ibm
                           ibm
                           pok
                           ny
                           US
             Subject name: self ca root
                           ibm
                           ibm
                           pok
                           ny
                           US
           Effective date: 2021/03/11
      Signature algorithm: sha1WithRsaEncryption
          Issuer unique ID: None
         Subject unique ID: None
      Public key algorithm: rsaEncryption
           Public key size: 1024
                Public key: 30 81 89 02 81 81 00 C6 97 54 A3 0E B9..
                            22 18 01 6E B3 DD 65 CD FC 41 E4 79 16..
                            66 9C 1E C9 BA F0 9B B1 C2 D9 BE 06 CF..
                            7C 88 10 8E B5 EC 83 89 A4 9C 65 F1 BE..
                            2C 98 83 3D 28 31 73 80 3A 51 57 56 19..
                            4B BB B7 DF 9F 6B 44 C3 2D D6 EF 0C 25..
                            44 E9 10 21 3E 01 C2 90 4B 8D B9 C4 FB..
                            D5 4D D3 46 FA 9D 4D 32 FA D1 46 F2 8E..
                            3D E3 EB 07 E4 AA CB 02 03 01 00 01
      Number of extensions: 4
    
    Enter 1 to display extensions, 0 to return to menu:
    0
    
    ****************************************************************
    
    B: Using GSKKYMAN command interface:
    
      1. GSKKYMAN -dcv -k Database.kdb
      2. Enter database password.
    
      For Example -
    
        Label:
                <Label_2>
        Trusted:
                Yes
        Version:
                3
        Serial number:
                6091450f0008d77c
        Issuer's Name:
                <CN=Label_2_CN,O=ibm,C=US>
        Subject's Name:
                <CN=Label_2_CN,O=ibm,C=US>
        Effective Date:
                2021/05/04 12:58:55
        Expiration Date:
                2022/05/04 12:58:55
        Signature algorithm:
                sha224WithRsaEncryption
        Issuer unique ID:
                None
        Subject unique ID:
                None
        Public key algorithm:
                rsaEncryption
        Public key size:
                2048
        Public key:
                30 82 01 0A 02 82 01 01 00 BA BC E0 B0 AB E0 8F
                98 10 7F A9 5B 31 E2 72 D5 E2 DC 68 A3 3B 6A 74
                14 F6 ED D7 00 DE A5 9B 64 72 E6 8C 9C EB 27 BE
                10 B0 E3 49 3F D6 27 16 75 95 59 81 EC 60 13 0B
                15 9E 1D 63 AD 10 B0 3E AE C9 CA A9 39 03 98 24
                C7 44 96 23 00 AE C1 95 7C 58 15 23 C2 1A D0 12
                09 C7 A6 21 1C 7E 15 4D 04 A0 04 D8 27 34 67 14
                90 84 15 B9 4F 02 43 E0 FC 17 AB 42 81 41 F7 C9
                0B 79 77 D9 BA 2E 15 98 CE CD CC 63 80 D1 76 62
                A1 EF DC 67 9E 8D 30 A6 B1 63 B2 00 03 BB 64 19
                94 0E F2 3A EE 79 15 B6 02 C3 BE 55 82 48 E0 A9
                5B BF F3 0D F2 BA D1 75 6B 8A 43 62 6C CB 1B D1
                2E B7 12 C4 59 94 5D 36 47 0A A8 7A C6 26 05 EF
                F5 58 96 2D 23 66 3E AF B9 76 89 9F FD 7D 9A 0E
                8E 75 A8 C9 64 45 51 A1 6D C5 75 CD C9 B9 33 16
                ED D7 95 C8 08 80 0C 6E 4A 1B 94 CD 4E 3B FD 6D
                D0 EC 03 1C 9F A3 B3 E7 CB 02 03 01 00 01
        Private key:
                Yes
        Default key:
                No
        Critical Extension: 1
                keyUsage:
                        Digital signature
                        Non-repudiation
                        Key encipherment
                        Data encipherment
                        Certificate signature
                        CRL signature
        Critical Extension: 2
                basicConstraints:
                        Certification authority:
                                <Yes>
        Non-critical Extension: 1
                subjectKeyIdentifier:
                    A5 E9 F0 CB 40 49 83 D8 09 84 06 9D DE E3 E4 AC
                    C0 90 6F 17
        Non-critical Extension: 2
                authorityKeyIdentifier:
                        Key ID:
                            A5 E9 F0 CB 40 49 83 D8 09 84 06 9D DE..
                            C0 90 6F 17
    

Problem conclusion

Temporary fix

Comments

  • This APAR allows users to issue a new CERTMGR command for
    querying essential certificate information out of a specific
    certificate database. The CERTMGR command provides an automated
    way to interact with the GSKKYMAN utility. This support also
    generates and displays certificate chains, in which the
    certificates are linked to one another by their digital
    signatures. The CMS DEFAULTS command can be used to set the
    default database for the CERTMGR command.
    
    For Example -
    
    1) To query certificates out of a specific database:
    
    CERTMGR QUERY
    Database /etc/gskadm/certmgr2.kdb
    
    Enter database password (press ENTER to cancel):
    
    <----- Certificate ----> <- Key -> <-Signature-> Self
     Type    Expires   Trust Type Size Type   Hash   Sign   Label
    ------ ----------- ----- ---- ---- ----- ------- ---- ----------
    Entity 19 Aug 2022  Yes  ECC   320 RSA   SHA-224 No   Entity_1
    Inter  27 Jun 2024  Yes  RSA  2048 RSA   SHA-224 No   Inter_1
    Root   04 May 2025  Yes  RSA  2048 RSA   SHA-224 Yes  Root_1
    Entity 19 Aug 2027  Yes  ECC   320 RSA   SHA-224 No   Entity_2
    Root   10 Jan 2028  Yes  RSA  2048 RSA   SHA-224 Yes  Root_2
    
    2) To display certificate chains out of a specific database:
    
    CERTMGR QUERY ( CHAIN
    
    Enter database password (press ENTER to cancel):
    
      Expires                          Label
    -----------   --------------------------------------------------
    04 May 2025   Root_1
    27 Jun 2024     Inter_1
    19 Aug 2022   Entity_1
    10 Jan 2028   Root_2
    19 Aug 2027     Entity_2
    
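    The following Python script is an added example, not part of this
    APAR or of the CERTMGR command itself. It parses the CERTMGR QUERY
    table shown above (copied here as constructed sample text), then
    renders a chain view in the spirit of QUERY ( CHAIN. Because the
    QUERY table does not carry signer relationships (CERTMGR derives
    them from the certificates' signatures), the issuer map below is a
    constructed assumption, as is the rule of indenting two spaces per
    chain level; the script additionally flags certificates that have
    expired relative to a reference date.

```python
from datetime import date, datetime

# Constructed sample: the body of the CERTMGR QUERY table from this APAR.
QUERY_OUTPUT = """\
Entity 19 Aug 2022  Yes  ECC   320 RSA   SHA-224 No   Entity_1
Inter  27 Jun 2024  Yes  RSA  2048 RSA   SHA-224 No   Inter_1
Root   04 May 2025  Yes  RSA  2048 RSA   SHA-224 Yes  Root_1
Entity 19 Aug 2027  Yes  ECC   320 RSA   SHA-224 No   Entity_2
Root   10 Jan 2028  Yes  RSA  2048 RSA   SHA-224 Yes  Root_2
"""

# Constructed (hypothetical) signer relationships: label -> issuing label.
ISSUER = {"Entity_1": "Inter_1", "Inter_1": "Root_1", "Entity_2": "Root_2"}

def parse_query(text):
    """Turn each table row into a record; 'Expires' is 'DD Mon YYYY' (3 fields)."""
    certs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 11:
            continue  # header, ruler or blank line
        certs.append({
            "type": f[0],
            "expires": datetime.strptime(" ".join(f[1:4]), "%d %b %Y").date(),
            "trusted": f[4] == "Yes",
            "key_type": f[5], "key_size": int(f[6]),
            "sig_type": f[7], "sig_hash": f[8],
            "self_signed": f[9] == "Yes",
            "label": f[10],
        })
    return certs

def chain_view(certs, issuer, today):
    """List roots first, each signed certificate indented under its signer."""
    by_label = {c["label"]: c for c in certs}
    children = {}
    for label, parent in issuer.items():
        children.setdefault(parent, []).append(label)
    lines = []
    def walk(label, depth):
        c = by_label[label]
        flag = "EXPIRED" if c["expires"] < today else ""
        lines.append(f"{c['expires']:%d %b %Y} {'  ' * depth}{label} {flag}".rstrip())
        for child in children.get(label, []):
            walk(child, depth + 1)
    for c in certs:  # a root is self-signed and has no recorded issuer
        if c["self_signed"] and c["label"] not in issuer:
            walk(c["label"], 0)
    return lines

if __name__ == "__main__":
    print("\n".join(chain_view(parse_query(QUERY_OUTPUT), ISSUER, date.today())))
```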

APAR Information

  • APAR number

    PH40080

  • Reported component name

    TCP/IP FOR Z/VM

  • Reported component ID

    5735FAL00

  • Reported release

    720

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-08-24

  • Closed date

    2021-11-30

  • Last modified date

    2021-12-08

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI78359

Modules/Macros

  • CERTMGR  DTCUME   DTCUMEB  FILTER   HELP     OPTION   TCPBLHLP
    TCPBL492 TCPIP    TCPIPGEN TYPE
    

Publications Referenced

  • GC24633005
  • GC24629410
  • GC24628612
  • SC24633305
  • SC24626003
  • SC24633107

Fix information

  • Fixed component name

    TCP/IP FOR Z/VM

  • Fixed component ID

    5735FAL00

Applicable component levels

  • R720 PSY UI78359

       UP21/12/08 I 1000

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
09 December 2021