Cannot load CA Certificates in Pam using TLS.

book

Article ID: 53051

calendar_today

Updated On:

Products

CA Panvalet CA Top Secret CA Top Secret - LDAP

Issue/Introduction

Problem:

Pam Server works fine without TLS. When TLS is in place the zLinux guest does not verify the PAM server's certificate and the following errors are received:

zn015 CA_esm_proxy[8999]: tls.c:766: can't load CA certificates from dhscatre.pem: No such file or directory. zn015 CA_esm_proxy[8999]: tls.c:587: 2199054764368:error:02001002:system library:fopen:No such file or directory: file name

On the z/0S side you may see the following errors:

TLS error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
in s3_pkt.c at 1054
TLS error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
+++ SSL alert number 40

Resolution:

If you are receiving these errors or having problems loading the CA certificates in Pam, start debugging by running a proxy server trace.

Add the following to the command that starts the proxy server to get a proxy server trace:

"--trace-file=<filename> --trace-level=511"

Then try to connect to Pam using the TSS CA certificate.
Look for the following in the trace log:

+++TLS certificate verification: no subjectAltName section matches usct

If you see the above error then there are two options to correct the problem.

  1. Add "tls-checkpeer off" to the CA_esm.conf file, or

  2. regenerate the server certificate with a subjectAltName entry that matches the nodename on the esm-host option.

Environment

Release:
Component: PANVLT