
Using self-signed certificates in ACF2 for z/OSMF results in NET::ERR_CERT_COMMON_NAME_INVALID error in browser


Article ID: 252890


Products

ACF2, ACF2 - MISC, ACF2 - z/OS

Issue/Introduction

The following error message is seen in the browser when trying to connect to z/OSMF for the first time using internally signed certificates for the HTTPS connection:

NET::ERR_CERT_COMMON_NAME_INVALID

Clicking on "Advanced" provides the following message:

The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.

Resolution

  1. Re-create the PERSONAL certificate, specifying an ALTNAME parameter on the GENCERT command. The ALTNAME DOMAIN value should match the domain name specified for the CN field. An IP address can also be specified in ALTNAME if desired.

    GENCERT IZUSVR.cert01 -
    SUBJ(CN='server.domain.example.com') -
    ALTNAME(DOMAIN=server.domain.example.com) -
    LABEL(DefaultzOSMFCert.IZUDFLT) SIZE(2048) -
    SIGNWITH(CERTAUTH LABEL(zOSMFCA)) -
    EXPIRE(xx/xx/xxxx)

  2. After certificate recreation, attach the certificate to the appropriate KEYRING:

    CONNECT CERTDATA(IZUSVR.cert01) KEYRING(IZUSVR.keyr01) DEFAULT

  3. Issue the following rebuild commands:

    F ACF2,REBUILD(USR),CLASS(P)
    F ACF2,OMVS

  4. Restart the IZUSVR1 task so that it reads in the changes to the keyring.
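
To confirm the re-created certificate before retrying the browser, the following added example (not part of the original article or any Broadcom tooling) applies the same rule the browser does: the host name is matched against Subject Alternative Name entries only and the CN is ignored. The function names and the two sample certificates are constructed for illustration; `fetch_cert` assumes the signing CA certificate has been exported to a PEM file.

```python
import ipaddress
import socket
import ssl

def fetch_cert(host, port, cafile):
    """Return the server certificate as a dict, validated against the internal CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # name matching is done by san_check() below
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _dns_match(pattern, host):
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        # A wildcard covers exactly one leftmost label.
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def san_check(cert, host):
    """Match host against SAN entries only; the subject CN is never consulted."""
    san = cert.get("subjectAltName", ())
    if not san:
        return False, "no Subject Alternative Name extension"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # host is a DNS name, not an IP literal
    for kind, value in san:
        if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
            return True, "IP Address:" + value
        if ip is None and kind == "DNS" and _dns_match(value, host):
            return True, "DNS:" + value
    return False, "no SAN entry matches " + host

# Constructed samples in the ssl.getpeercert() layout (not real certificates).
CN_ONLY = {"subject": ((("commonName", "server.domain.example.com"),),)}
WITH_ALTNAME = {
    "subject": ((("commonName", "server.domain.example.com"),),),
    "subjectAltName": (("DNS", "server.domain.example.com"),
                       ("IP Address", "192.0.2.10")),
}

if __name__ == "__main__":
    for name, cert in (("before", CN_ONLY), ("after", WITH_ALTNAME)):
        print(name, san_check(cert, "server.domain.example.com"))
```

Against a live server, pass the result of `fetch_cert(host, port, cafile)` to `san_check` in place of the sample dictionaries.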