IBM Support

Where is my server's personal certificate?

Technical Blog Post


Abstract

Where is my server's personal certificate?

Body

image Here is a common problem I see pretty often: You log on to the WebSphere z/OS administrative console and follow this breadcrumb trail to look at your personal certificate: (Assuming you know the targeted SSL configuration, I will provide details on how you can figure that out in the next few paragraphs).

 

SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Key stores and certificates > NodeDefaultKeyStore > Personal certificates

 

 

But there are none! The list is empty. However, you know the keyring/userid for the controller is connected to a personal certificate through RACF or other SAF product. This indicates that there is a problem with the server's personal certificate and in order to proceed to use the server with global security ON, this has to be fixed. I wanted to share a checklist of things to go through to resolve this.

 

 

First of all, which ID/keyring pair are we talking about and how do we know it's the right one? In the case of an ND system, we need to look at the Deployment Manager Controller's user ID. In the case of a Base system we look at the Application Server Controller's user ID. Let us assume the user ID for the controller in question is ASCR1. In the case of a servant's personal certificate, you would consider the particular servant's user ID.

 

 

The next piece is the keyring name. The following screen shot verifies that "NodeDefaultSSLSettings" is the SSL configuration used for both inbound and outbound SSL endpoints.

 


image

 

 

 

The next step would be to go look at the details for "NodeDefaultSSLSettings" as shown below:


image

 

 

 

 

We see the keyring name is WASKeyring.SY1.

 

 

 

Next, we can issue the RACF command to list the this keyring, to see which certificates the user ID/keyring is connected to.

 

 

RACDCERT LISTRING(WASKeyring.SY1) ID(ACR1)

 

 

Ring:
    >WASKeyring.SY1<
Certificate Label Name                 Cert Owner               USAGE                       DEFAULT
--------------------------------                 ------------                   --------                          -------
DefaultWASCert.SY1                       ID(ASCR1)              PERSONAL               YES
WebSphereCA                                 CERTAUTH             CERTAUTH               NO

 

 

So now we have proved that the keyring/user ID pair is connected to a personal certificate in RACF. However the fact that it is not viewable in the administrative console indicates that there is a problem with it. The most common problems I see are:
 

 

  • Personal Certificate not in a valid date range, it has either expired or it exists beyond the date range of the CERTAUTH that signed it. So for example if the CERTAUTH is valid from 12/01/2005 to 12/01/2020, the personal certificate must exist between those dates.
  • Personal Certificate must have a status of TRUST.
  • Personal Certificate must have a private key.
  • Personal Certificate is not marked default. (Note the usage=default in the above output.)

 

This is what a valid personal certificate would look like with a matching good CERTAUTH:

 

 

RACDCERT LIST (label('DefaultWASCert.SY1')) ID(ASCR1)

 

 

Label: DefaultWASCert.SY1
Certificate ID: 2QjDwuLo1MPZ8cSFhoGkk6PmweLDhZmjS+Lo8UBA
Status: TRUST
Start Date: 2010/01/07 00:00:00
End Date: 2010/12/31 23:59:59
Serial Number:
   >02<
Issuer's Name:
   >CN=WAS CertAuth for Security Domain.OU=SY1<
Subject's Name:
   >CN=TEST.IBM.COM.OU=SY1.O=IBM<
Private Key Type: Non-ICSF
Private Key Size: 1024
Ring Associations:
 Ring Owner: CBSYMCR1
 Ring:
   >WASKeyring.SY1<

 

 

Matching CERTAUTH:

 

 

RACDCERT CERTAUTH LIST(LABEL('WebSphereCA'))

 

 

Label: WebSphereCA
Certificate ID: 2QiJmZmDhZmjgeaFguKXiIWZhcPB
Status: TRUST
Start Date: 2009/01/07 00:00:00
End Date: 2011/12/31 23:59:59
Serial Number:
   >00<
Issuer's Name:
   >CN=WAS CertAuth for Security Domain.OU=SY1<
Subject's Name:
   >CN=WAS CertAuth for Security Domain.OU=SY1<
Key Usage: CERTSIGN
Private Key Type: Non-ICSF
Private Key Size: 1024
Ring Associations:
 Ring Owner: ASCR1
 Ring:
   >WASKeyring.SY1<

 

 

The fields in bold are what you should focus on to check out the points I mentioned above. If the dates are invalid, they need to be corrected. An indication that there is no private key in the certificate would be:

 

 

Private Key Type: None

 

 

You may need to contact your security administration team to correct the certificate, but once that is correctly done, you should be able to view the personal certificate in the console as expected. This should also fix your server's SSL communication issues.

 


image

 

 

I hope this provided some useful information for you, let me know if you have any comments, Thanks!

 

 

 

[{"Business Unit":{"code":"BU004","label":"Hybrid Cloud"},"Product":{"code":"","label":""},"Component":"","Platform":[{"code":"","label":""}],"Version":"","Edition":""}]

UID

ibm11080561