ERROR = Unable to find valid certification path to requested target - https://ftpdocs.broadcom.com/WebInterface/../BroadcomProdInfo.txt

book

Article ID: 211000

calendar_today

Updated On:

Products

CA Common Services for z/OS

Issue/Introduction

You are setting up IBM z/OSMF to manage our Broadcom CA products for the first time and followed the instructions in...

https://techdocs.broadcom.com/us/en/ca-mainframe-software/traditional-management/mainframe-common-maintenance-procedures/1-0/getting-started/z-osmf-requirements/import-product-information-into-z-osmf.html#concept.dita_edf5e649-0353-4224-bfc2-dfaa0735a8bf_LoadfromURL

Attempting to retrieve the End-Of-Service information we receive error..

The request could not be completed because an error occurred.
Error: An unexpected error occurred while connecting to the End Of Service file server at https://ftpdocs.broadcom.com/WebInterface/phpdocs/0/MSPSaccount/
COMPAT/JSON/BroadcomProdInfo.txt. Error = unable to find valid certification path to requested target
 
The z/OSMF STDERR shows..
CWPKI0823E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN .CN=ftp-qa.broadcom.com, OU=IT, O=Broadcom Inc, L=San Jose, ST=California, C=US. was sent
 from the host .ftpdocs.broadcom.com:443..  The signer might need to be added to local trust store .safkeyringhybrid:///IZUKeyring.IZUDFLT., located in SSL conf
iguration alias .izuSSLConfig..  The extended error message from the SSL handshake exception is: .unable to find valid certification path to requested target.
 
 
There are no instructions for obtaining/adding the required Broadcom signer to the local trust store. What was missed with the setup?

Cause

The keyring does not contain a Digicert Intermediate CA certificate.

To confirm, get list of keyring that is attached to IZUSVR, which should be the ACID that the z/OSMF task runs under.

Environment

Release : 15.0
Component : CCS390 - CA COMMON SERVICES FOR Z/OS

Resolution

Using the same Digicert Intermediate CA certificate that was defined to the keyring for the SMP/E Internet Service Retrieval, connect this cert to the keyring that is attached to the ACID being used for z/OSMF.

Be sure to connect as USAGE(CERTAUTH).