IBM Support

How to create, add or convert certificates to CustomizedCAs.p12 file on z/OS for Host On-Demand

Question & Answer


Question

How do you create, add or convert certificates to the IBM Rational Host On-Demand CustomizedCAs.p12 file on z/OS?

Cause

When sessions within Host On-Demand use self-signed certificates or certificates from unknown certificate authorities, the certificates must be added to the CustomizedCAs.p12 file. This allows the clients to trust the server from which the certificate was served. If this file is not available to the client, starting the session results in error COM 662, "Server presented a certificate that is not trusted."

Answer

To create and add certificates to the CustomizedCAs.p12 on z/OS, use the Java P12keyring utility provided by Host On-Demand.

Here are some rules and information about working with the utility and CustomizedCAs.p12 file:

  1. For the following commands you must be in the OMVS shell, or in UNIX System Services using telnet.
  2. The password for the CustomizedCAs.p12 file must be hod.
  3. The Java command must be on one line, or you can use the continuation character, \
  4. The Java command must be entered while in the publish directory (by default /usr/lpp/HOD/hostondemand/HOD).
  5. If the CustomizedCAs.p12 file does not exist, the utility will create one.
  6. The commands can be put in a shell script for ease of use. The file must have execute permissions set (for example 755).


To add a telnet certificate using the connect option

Use this option if the telnet secure port is active.

java -classpath .:/usr/lpp/HOD/hostondemand/lib/sm.zip com.ibm.hod5sslight.tools.P12Keyring CustomizedCAs connect IP:port

where
    • IP is the IP address of the Host you are trying to connect to
    • Port is the SSL port on the TN3270 server


To add telnet certificate using the add command

Use this option if you are unable to connect to the telnet server, for example because the server or the network is down. You must have the binary der file available on the system. If the binary der file is in a different directory, provide the explicit path name of the file.

java -classpath .:/usr/lpp/HOD/hostondemand/lib/sm.zip com.ibm.hod5sslight.tools.P12Keyring CustomizedCAs add cert.der



To add a certificate for secure ftp using the connect option

java -classpath .:/usr/lpp/HOD/hostondemand/lib/sm.zip com.ibm.hod5sslight.tools.P12Keyring CustomizedCAs connect IP:port ftp

where
    • IP is the IP address of the FTP server you are connecting to
    • Port is the SSL FTP port


To add a certificate for secure ftp using the add command

If the binary der file is in a different directory, provide the explicit path name of the file.

java -classpath .:/usr/lpp/HOD/hostondemand/lib/sm.zip com.ibm.hod5sslight.tools.P12Keyring CustomizedCAs add cert.der ftp





To verify and list the certificates in the CustomizedCAs.p12 file

java -classpath .:/usr/lpp/HOD/hostondemand/lib/sm.zip com.ibm.hod5sslight.tools.P12Keyring CustomizedCAs list
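
The add command places the certificate from the der file into the trust store that clients rely on, so it is worth confirming the file's SHA-256 fingerprint against a value obtained out of band before adding it. The following shell wrapper is an added example, not part of the original IBM document; it assumes keytool from the Java installation is on the PATH, and the function names and the HOD_PUBLISH variable are hypothetical.

```shell
#!/bin/sh
# Added example, not IBM's script. Assumptions: keytool (shipped with Java) is
# on PATH and prints a "SHA256:" line; EXPECTED_SHA256 was obtained out of band.
HOD_PUBLISH=${HOD_PUBLISH:-/usr/lpp/HOD/hostondemand/HOD}  # default publish directory
P12_CP=.:/usr/lpp/HOD/hostondemand/lib/sm.zip
P12_TOOL=com.ibm.hod5sslight.tools.P12Keyring

# Drop colons and whitespace and fold hex digits to upper case.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Read `keytool -printcert` text on stdin, print the SHA-256 fingerprint.
extract_sha256() {
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# Succeed only when both values are the same 64 hex digits.
fp_matches() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    case "$a" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# usage: add_pinned_cert CERT.der EXPECTED_SHA256 [ftp]
add_pinned_cert() {
    der=$1; expected=$2; kind=${3:-}
    cd "$HOD_PUBLISH" || return 2      # same directory rule as the page's commands
    actual=$(keytool -printcert -file "$der" | extract_sha256)
    if ! fp_matches "$expected" "$actual"; then
        echo "REFUSED: $der has SHA-256 '$actual', expected '$expected'" >&2
        return 1
    fi
    java -classpath "$P12_CP" "$P12_TOOL" CustomizedCAs add "$der" ${kind:+"$kind"} &&
        java -classpath "$P12_CP" "$P12_TOOL" CustomizedCAs list
}

if [ "$#" -ge 2 ]; then
    add_pinned_cert "$@"
fi
```

Pass ftp as the third argument for a secure FTP certificate. A der file outside the publish directory needs its explicit path name, as with the add command itself.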



To convert a CustomizedCAs.class file

If your system has a CustomizedCAs.class file and it needs to be converted to a CustomizedCAs.p12 file, use the following convert command.

Enter the command from the publish directory (by default /usr/lpp/HOD/hostondemand/HOD).

java -classpath ../lib/sm.zip com.ibm.eNetwork.HOD.convert.CVT2PKCS12 CustomizedCAs.class hod


Document Information

Modified date:
02 August 2018

UID

swg21461759