Storing ECuRep-required DigiCert CA Certificates into a z/VM Key Database
To be able to use a z/VM FTP client to connect securely to an IBM problem documentation site (ECuRep or TestCase), you will need to add these CA certificates to the key database referenced by your SSL servers:
- DigiCert Global Root CA
- DigiCert Global Root G2
You can download the certificates directly from this website into a browser:
https://www.digicert.com/digicert-root-certificates.htm
and then copy them yourself into a z/VM key database (using techniques of your own choosing).
Or, follow these steps to get the Base64 encoded versions of these certificates (presented here) loaded into your key database:
- Logon the GSKADMIN user ID
- Create a CMS file to store the Global Root CA certificate, using the Xedit command:
xedit digicrca crt a
- Copy and paste the following content into the DIGICRCA CRT file (be certain the BEGIN CERTIFICATE and END CERTIFICATE lines are included):
-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
-----END CERTIFICATE-----
- Issue these Xedit commands to save the certificate content:
recfm v
file
- Create a CMS file to store the Global Root G2 certificate, using the Xedit command:
xedit digicrg2 crt a
- Copy and paste the following content into the DIGICRG2 CRT file (be certain the BEGIN CERTIFICATE and END CERTIFICATE lines are included):
-----BEGIN CERTIFICATE-----
MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI
2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx
1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ
q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz
tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ
vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP
BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV
5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY
1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4
NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG
Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91
8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe
pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl
MrY=
-----END CERTIFICATE-----
- Issue these Xedit commands to save the certificate content:
recfm v
file
- Issue the following commands to store the new certificate files in the BFS (Byte File System):
openvm put digicrca crt a digicrootca.crt (bfsline nl
openvm put digicrg2 crt a digicrootg2.crt (bfsline nl
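Before importing, it is worth confirming that what landed in the CRT files is a well-formed certificate with the expected subject, and that its fingerprint matches the value DigiCert publishes for that root. The following Python script is an added example, not part of this page or of any IBM tool, and uses only the standard library so it can run on any workstation. It reflows pasted PEM text into 64-column lines (the layout the DIGICRCA CRT and DIGICRG2 CRT files should contain), decodes it, walks just enough of the X.509 DER structure to report subject, issuer and validity dates, and returns the SHA-256 fingerprint for comparison. The embedded certificate is the DigiCert Global Root CA text from this page; the function names and the ATTR_NAMES table are the example's own.

```python
"""Added example (not from the z/VM page): sanity-check a pasted PEM CA
certificate before importing it into a key database. Standard library only."""
import base64
import hashlib
import re
from datetime import datetime, timezone

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# The DigiCert Global Root CA text shown on the page, in canonical PEM layout.
ROOT_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
-----END CERTIFICATE-----
"""

# X.501 attribute OIDs worth naming for a root CA; anything else prints as a dotted OID.
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}

def normalize_pem(text):
    """Reflow pasted PEM (base64 split by any whitespace) into 64-column lines.
    Raises ValueError if the markers are missing or stray characters crept in."""
    m = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), text, re.S)
    if not m:
        raise ValueError("BEGIN/END CERTIFICATE markers missing")
    body = re.sub(r"\s+", "", m.group(1))
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("certificate body contains non-base64 characters")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"

def _tlv(buf, pos=0):
    """Read one DER tag-length-value; returns (tag, value, position after it).
    Single-byte tags are enough for the X.509 fields walked here."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _tlv(value, pos)
        out.append((tag, v))
    return out

def _oid(raw):
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                      # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def _name(value):
    """Flatten a Name (SEQUENCE OF SET OF {OID, value}) to 'C=US, O=..., CN=...'."""
    parts = []
    for _, rdn in _children(value):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            key = _oid(oid)
            parts.append(f"{ATTR_NAMES.get(key, key)}={val.decode('utf-8')}")
    return ", ".join(parts)

def _time(tag, value):
    s = value.decode("ascii")
    if tag == 0x17:                        # UTCTime YYMMDDhhmmssZ; RFC 5280: YY >= 50 is 19YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def inspect_certificate(text):
    """Return subject, issuer, validity and SHA-256 fingerprint of one PEM certificate."""
    lines = normalize_pem(text).splitlines()
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    _, cert, end = _tlv(der)
    if end != len(der):
        raise ValueError("trailing bytes after the certificate")
    _, tbs, _ = _tlv(cert)                 # first element of Certificate: TBSCertificate
    f = _children(tbs)
    i = 1 if f[0][0] == 0xA0 else 0        # skip the optional [0] version field
    validity = _children(f[i + 3][1])      # serial, sigalg, issuer, validity, subject, ...
    subject, issuer = _name(f[i + 4][1]), _name(f[i + 2][1])
    return {
        "subject": subject,
        "issuer": issuer,
        "self_signed": subject == issuer,
        "not_before": _time(*validity[0]),
        "not_after": _time(*validity[1]),
        # Compare this value with the fingerprint published on the CA's own site.
        "sha256_fingerprint": hashlib.sha256(der).hexdigest().upper(),
    }

if __name__ == "__main__":
    for key, val in inspect_certificate(ROOT_CA_PEM).items():
        print(f"{key:18}: {val}")
```

Run it with python3 and compare the printed fingerprint against the SHA-256 value on the DigiCert root certificates page; a mismatch means the pasted text was altered somewhere between the browser and the CRT file. Feeding the script the DIGICRG2 CRT content instead checks the G2 root the same way, and the fact that the script decodes the body with validate=True means a stray character introduced by the paste is reported rather than silently imported.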
- Open your key database using the gskkyman command and select option 7 to import the new certificates.
Note:
When labels are specified for the root certificates, you can enclose the label text in double quotes, so more descriptive text can be used for certificate identification. For example:
...
Enter import file name (press ENTER to return to menu): digicrootca.crt
Enter label (press ENTER to return to menu): "DigiCert Global Root CA"
Certificate imported.
Press ENTER to continue.
...
...
Enter import file name (press ENTER to return to menu): digicrootg2.crt
Enter label (press ENTER to return to menu): "Digicert Global Root G2"
Certificate imported.
Press ENTER to continue.
...
If such labels are desired, be certain a CP TERMINAL ESCAPE character is not in effect when gskkyman is used. This can be accomplished by issuing the command CP TERMINAL ESCAPE OFF before gskkyman is invoked.
- If the SSL server pool already has been configured for use and is operational, issue the SSLADMIN REFRESH command to instruct the SSL server to update its internally-maintained key database information:
ssladmin refresh
If the SSL server pool has not been configured for use, this must be done before any ECuRep or TestCase secure connections can be tested and verified. When the SSL server pool is operational, resume with the connection verification steps that follow.
- Logoff the GSKADMIN user ID
- Logon the TCPMAINT user ID
- Test the connection to verify it works and is secure, using the z/VM FTP client. Issue these commands:
ftp ftps.ecurep.ibm.com (secure   {or, ftp testcase.boulder.ibm.com (secure}
{Log in with your IBM Support File Transfer id and password}
get welcome.msg
quit
After the FTP command is issued, you should see an AUTH TLS command issued, which secures the connection. After the FTP command session is ended, a file named WELCOME MSG A should exist that you can view using Xedit.
Note:
If a firewall is being used, make sure the connection is in PASSIVE mode and request that ports 65024-65535 be opened for use. If these ports cannot be made available, then use the FTP CCC (Clear Command Channel) subcommand after credentials are exchanged, to set the control connection to clear text before any commands that will open a secure data connection (for example: ls, dir, get, put) are issued.