We are testing SSL-enabled transfers to our AIX server. We have installed the relevant certificates and updated the configssl.cnf file with the relevant certificate paths and password.
An SSL loopback test gives us the following error:
2022/12/22 10:20:11 TID=555769 PRG=xcomtcp PID=12976186 IP=127.0.0.1 PORT=8045
XCOMU0780E Txpi 307: TxpiSSLConfig Failed msg = <ConfigSSL: Missing or invalid </opt/CA/XCOM/config/configssl.cnf> file.> value = 0:
2022/12/22 10:20:11 TID=555769
#XCOMU0298E Unable to allocate remote transaction program: XCOMU0780E Txpi 307: TxpiSSLConfig Failed msg = <ConfigSSL: Missing or invalid </opt/CA/XCOM/config/configssl.cnf> file.> value = 0:
The XCOM trace file shows the error occurs on line 175 of file configssl.cnf:
E - catoossl.c(5817): Txpi 307: TxpiSSLConfig Failed msg = <ConfigSSL: Missing or invalid </opt/CA/XCOM/config/configssl.cnf> file.> value = 0
E - catoossl.c(5818): Error 307
E - txpierr.c(179): Not setting dwReturnCode; old value: 307
E - catoossl.c(5818): Txpi 307: TxpiSSLConfig Failed msg = <error:0E065068:configuration file routines:STR_COPY:variable has no value +++ line 175> value = 0
Lines 175 and 176 of the configssl.cnf file are for the PASSWORD values which contain "$":
INITIATE_SIDE = SAmp123XX$#ss45
RECEIVE_SIDE = SAmp123XX$#ss45
The password is definitely correct for the certificate.
NOTE: Please be aware that the above password value is just a sample for the purpose of this article.
Release : 11.6
The XCOM trace file indicates that it is the initial parsing of the configssl.cnf file that is failing, i.e. it is not getting as far as checking the password value validity against the certificate.
Support ran tests in house and found that the file parsing is failing because the PASSWORD value contains a "$", i.e. after removing the "$" the file parsed successfully.
XCOM Engineering advised that XCOM uses an OpenSSL library to parse the file contents, and the "$" in the value appears to be a special character that needs to be escaped or quoted: https://www.openssl.org/docs/man1.0.2/man5/config.html
Support found that all these options were successful in parsing the file:
1. Escape the $ with a \:
INITIATE_SIDE = SAmp123XX\$#ss45
RECEIVE_SIDE = SAmp123XX\$#ss45
2. Double quote the $:
INITIATE_SIDE = SAmp123XX"$"#ss45
RECEIVE_SIDE = SAmp123XX"$"#ss45
3. Double quote the whole string:
INITIATE_SIDE = "SAmp123XX$#ss45"
RECEIVE_SIDE = "SAmp123XX$#ss45"
4. Single quote the $:
INITIATE_SIDE = SAmp123XX'$'#ss45
RECEIVE_SIDE = SAmp123XX'$'#ss45
5. Single quote the whole string:
INITIATE_SIDE = 'SAmp123XX$#ss45'
RECEIVE_SIDE = 'SAmp123XX$#ss45'
Options #3 or #5 may be the easiest to use and least prone to error.
It was confirmed that using option #3 both resolved the file parsing problem and gave a successful certificate validation.
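
A pre-flight check for the condition described above, as an added example (not XCOM or OpenSSL code): it reports which password lines still contain a "$" that is neither quoted nor backslash-escaped, without echoing the password itself. The function names are hypothetical, and the quoting model is a simplified approximation of the OpenSSL config rules, not the library's own parser.

```python
# Added example: flag password lines whose "$" the OpenSSL config parser
# would read as the start of a variable reference ("variable has no value").
PASSWORD_KEYS = ("INITIATE_SIDE", "RECEIVE_SIDE")  # key names from the article

# Constructed sample input, using the article's sample password value.
SAMPLE = r"""INITIATE_SIDE = SAmp123XX$#ss45
RECEIVE_SIDE = "SAmp123XX$#ss45"
"""


def unprotected_dollar(value):
    """True if value has a "$" outside quotes that is not backslash-escaped."""
    quote = None                  # quote character currently open, if any
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            i += 2                # a backslash protects the next character
            continue
        if quote:
            if ch == quote:       # matching quote closes the quoted run
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "#":
            return False          # unquoted "#" starts a comment; stop here
        elif ch == "$":
            return True
        i += 1
    return False


def lint(text, keys=PASSWORD_KEYS):
    """Return [(line_number, key)] for password lines needing quoting."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key in keys and unprotected_dollar(value.strip()):
            findings.append((number, key))   # never report the value itself
    return findings


if __name__ == "__main__":
    for number, key in lint(SAMPLE):
        print(f"line {number}: {key} has an unquoted '$'; quote the whole value")
```

To check a real file, pass its contents to lint(), for example lint(open(path).read()), and fix any reported line with option #3 or #5.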