
Need help with SSL configuration


Article ID: 186368


Products

XCOM Data Transport XCOM Data Transport - z/OS XCOM - SUPPORT

Issue/Introduction

Transferring files from XCOM for z/OS to Unix with XCOM Data Transport.

The SSL certificates were placed on both sides and put in the certs directory, but the secure transfer did not work.

Error Messages on the z/OS side

STARTING SECURE TCP/IP CONNECTION TO PORT=08045, IP=xx.xxx.xx.xx

SECURE TCP/IP CONNECTION REQUESTED WITH DEST=AAAAU03S, PORT=08045, IP=xx.xxx.xx.xx

SSLv3 protocol enabled. This is an obsolete and insecure protocol. It is recommended to switch SSL_METHOD to TLS

Txpi  308: TxpiInitSSL Failed msg = <error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate +++ SSL

ERROR ACTIVATING SESSION - SESSION NOT ESTABLISHED

Txpi  227: Socket received 0 bytes: partner closed socket. Last error: 0

SECURE TCP/IP CONNECTION ENDED WITH IP=76.252.68.63

On the Unix side, the xcom.log shows

2020/03/11 15:27:49 TID=REMOTE PRG=xcomtcp PID=27710 IP=yy.yyy.yy.yy

    XCOMU0780E Txpi  308: TxpiInitSSL Failed msg = <error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed> value = 4294967295: 


Environment

Release : 12.0

Component : CA XCOM Data Transport for z/OS

Resolution

XCOM for z/OS is trying to establish an SSL connection to Unix. Therefore, for this particular connection, z/OS is the client and uses the INITIATE_SIDE parameters in its SSL config file. Likewise, Unix is the server and uses the RECEIVE_SIDE parameters in its SSL config file.

Both partners require at least two items: CERTIFICATE and PRIVATEKEY. These items go together and are generated together. Each partner having VERIFY_CERTIFICATE set to YES also requires the items [CA] and [CA_DIRECTORY].

z/OS presented its CERTIFICATE to Unix, and Unix is trying to verify it using [CA] (Unix side). This verification of the certificate is failing, most probably because [CA] (Unix side) does not include all the certificates (issuing and intermediate CAs) needed to build the chain for CERTIFICATE (z/OS side).

It is possible to perform this verification manually to see the full messages. To do that, copy the [CERTIFICATE] (z/OS side) and the [CA] (Unix side) to the same folder on any box that has the openssl software installed (either as part of XCOM or natively) and issue this openssl command:

openssl verify -verbose -purpose sslclient -CAfile BBBB AAAA

Where AAAA is a file containing [CERTIFICATE] (z/OS side) in PEM format and BBBB is a file containing [CA] (Unix side) in PEM format. Note that openssl verify takes the trusted CA file as the -CAfile argument and the certificate to be verified as the trailing argument. The command verifies [CERTIFICATE] (z/OS side) against [CA] (Unix side) in the same way as is done during the SSL handshake, and the messages should clarify in detail why it does not verify.

Additional Information

If this does not resolve the problem, it will be necessary to start over again:
Remove the certificates.
Use the XCOM scripts to create sample certificates.
Perform loopback transfers independently on each side to verify that SSL works with the sample certificates.
Introduce the CA (Certificate Authority) certificates.