TCP/IP SSL Server (Linux-based Server) - Configuration
Certificate Testing Examples, Hints and Tips
Note:
The information that follows is applicable to z/VM Linux-based SSL server
implementations only (those provided with TCP/IP for z/VM levels
prior to TCP/IP level 540).
SSL-capable Clients
For testing your SSL server configuration, you will need an SSL-capable client. Several SSL-capable clients are listed here:
- IBM Personal Communications (commonly referred to as "PCOM") Telnet client
- BlueZone Telnet client
- BlueZone FTP client
- Netscape browser (HTTP and FTP protocols)
General Certificate Information
Most SSL certificate databases (including that used by the SSL server) have Certifying Authority (CA) certificates for a number of well-known Certifying Authorities (CAs).
However, if you are using a self-signed certificate or are obtaining a free test certificate for testing purposes, you need to provide a CA certificate to the client so it can be used for verification purposes.
Note:
For more information and details about the commands mentioned here,
consult the chapter titled Configuring the SSL Server in
z/VM: TCP/IP Level 3A0 Planning and Customization.
Using Self-signed and Test Certificates
A self-signed certificate acts as both a server certificate and a CA certificate. This certificate must be present both in the SSL server's certificate database on the z/VM host and in a client's database, where it is used as a CA certificate. Self-signed certificates might be used for local testing of an application; they should not be used in a production environment.
To use a self-signed certificate:
- Create a self-signed certificate on the z/VM system:
  - Create a label X509INFO file with information for the certificate
  - Issue the SSLADMIN SELF command to create and store the certificate in the certificate database. A copy is placed in a file with a file type of: X509CERT
- Send the label X509CERT certificate from z/VM to your (PC) client
- Receive the label X509CERT certificate into the client certificate database.
Free Test Certificates
Some CAs (such as Thawte) offer free test CA certificates for testing use. Representative steps for obtaining such a certificate, based on the Thawte web site, follow:
- From the Thawte home page, select the FREE Test Certificates link
- Obtain a test root certificate in text format (this will act as the CA certificate)
- Cut and paste the CA certificate into a CMS file that has a filetype of X509CERT
- Issue the SSLADMIN STORE command for the test CA certificate (the test certificate is verified when it is stored)
- Create the X509INFO file with the certificate request information
- Issue the SSLADMIN REQUEST command to create the certificate request
- Cut and paste the contents of the resulting CERTREQ file into the CSR window on the Thawte web site
- Click on Generate Test Certificate
- Cut and paste the certificate into a CMS file that has a filetype of X509CERT
- Issue the SSLADMIN STORE command for the test server certificate
Notes:
If you intend to use the free certificate for web browser testing, you
are done. (Thawte stored the free CA certificate in the browser's
certificate database, and you have stored the CA and server
certificate in the z/VM SSL server certificate database).
If you intend to use the free certificate for PCOM Telnet testing, you need to store the CA certificate in the PCOM certificate database, using these steps:
- Send the label X509CERT certificate from z/VM to your (PC) client
- Receive the label X509CERT certificate into the client certificate database.
Sending Certificates from z/VM to a (PC) Client
- An FTP ASCII-mode file transfer should provide an intact copy of a CA certificate to a given client.
- If you XEDIT a certificate on z/VM, copy it into an editor "clipboard" and then paste it into a plain-text editor session (such as Microsoft® Notepad or WordPad), be certain that you remove all trailing blanks from the end of all lines of the file. If this is not done, you will likely encounter encoding/decoding errors when the certificate is received.
- If you copy a certificate from a web page into an editor "clipboard" and paste it into a Notepad or WordPad session, trailing blanks do not appear to present any problems.
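The trailing-blank problem described above can be checked for mechanically before the file is received into a client database. The following Python script is an added example and is not part of this z/VM documentation or of the SSL server: it normalizes a pasted certificate (CR/LF line ends, trailing blanks), strictly decodes the Base64 body, and confirms that the decoded bytes form exactly one complete ASN.1 SEQUENCE, which is the outer structure of every DER-encoded X.509 certificate. The function names and the sample input are assumptions made here; the sample is a constructed DER SEQUENCE standing in for a certificate, not a real one.

```python
import base64
import re

# Added example (not part of the z/VM documentation or SSL server):
# clean up a certificate that was pasted through an editor and check that
# what remains is a well-formed PEM block with a complete DER body.

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def normalize_pem(text):
    """Normalize CR/LF line ends, strip trailing blanks and tabs from every
    line and drop empty lines (the symptom the XEDIT copy/paste hint warns
    about). Returns the cleaned text with LF line ends."""
    lines = text.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    cleaned = [line.rstrip(" \t") for line in lines]
    return "\n".join(line for line in cleaned if line) + "\n"


def der_outer_length(der):
    """Parse the outer ASN.1 SEQUENCE tag and length and return the total
    number of bytes (header plus content) the encoding claims to occupy."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("DER does not start with a SEQUENCE tag")
    first = der[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    num_len_bytes = first & 0x7F           # long-form length
    if num_len_bytes == 0 or num_len_bytes > 4 or len(der) < 2 + num_len_bytes:
        raise ValueError("bad DER length encoding")
    content_len = int.from_bytes(der[2:2 + num_len_bytes], "big")
    return 2 + num_len_bytes + content_len


def check_pem_certificate(text):
    """Normalize a pasted certificate, strictly decode its Base64 body and
    confirm the DER is exactly one complete SEQUENCE.
    Returns (clean_pem, der_bytes); raises ValueError on the first defect."""
    clean = normalize_pem(text)
    lines = clean.splitlines()
    if not lines or lines[0] != PEM_BEGIN:
        raise ValueError("missing or damaged BEGIN line")
    if lines[-1] != PEM_END:
        raise ValueError("missing or damaged END line")
    body = lines[1:-1]
    if not body:
        raise ValueError("empty certificate body")
    for n, line in enumerate(body, start=2):
        if not B64_LINE.match(line):
            raise ValueError("line %d contains non-Base64 characters" % n)
    # validate=True rejects any character outside the Base64 alphabet
    der = base64.b64decode("".join(body), validate=True)
    claimed = der_outer_length(der)
    if claimed != len(der):
        raise ValueError("DER claims %d bytes but %d were decoded"
                         % (claimed, len(der)))
    return clean, der


# Constructed stand-in for a certificate file (not a real X.509 certificate):
# a DER SEQUENCE wrapping a 60-byte OCTET STRING, Base64-encoded and wrapped
# at 64 columns like a PEM file, then damaged the way the hint describes:
# CR/LF line ends and trailing blanks on every line.
SAMPLE_DER = b"\x30\x3e\x04\x3c" + bytes(range(60))
_b64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_PASTED = "\r\n".join(
    [PEM_BEGIN + "   "]
    + [_b64[i:i + 64] + "  " for i in range(0, len(_b64), 64)]
    + [PEM_END + " ", ""]
)

if __name__ == "__main__":
    clean_pem, der_bytes = check_pem_certificate(SAMPLE_PASTED)
    print(clean_pem, end="")
    print("decoded %d DER bytes; outer SEQUENCE is complete" % len(der_bytes))
```

Run the script as-is to see the cleaned text for the constructed sample, or read a real X509CERT file into `check_pem_certificate` and write the returned `clean_pem` back out before transferring it. The length check is deliberately strict: a certificate that was truncated or had a line dropped in the paste still Base64-decodes, but the outer SEQUENCE length will no longer match the number of bytes recovered.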
Receiving Certificates Into the PCOM Certificate Database
The steps listed here illustrate how to receive a CA certificate into the IBM Personal Communications (PCOM) Certificate Database on a Microsoft® Windows NT system.
Note:
Consult the documentation for your specific client(s) for detailed
information about how to receive CA certificates for use with SSL
support.
- For PCOM, use the Certificate Management utility, which can be accessed using the Windows NT Taskbar Start button and these selections, in order:
  - Start
  - Programs
  - IBM Personal Communications
  - Utilities
  - Certificate Management
- To see what certificates already exist or to receive a certificate, perform the following:
  - Open the Client KeyDataBase, by selecting:
    - KeyDataBase File
    - Open
    - PCommClientKeyDb.kdb
  - Enter the correct password (for which the default is: pcomm)
  - Select Signer Certificate
  - Click Add
  - Provide the file name where the certificate is stored
  - Click OK