IBM Support

Rational Developer for z 9.0 SSL client authentication connection with a local PKCS12 fails

Troubleshooting


Problem

When testing IBM Rational Developer for z (RDz) 9.0 SSL client authentication connections with a locally installed PKCS12 file generated from a RACF certificate, the connection fails with a prompt, "Set up your Certificate."

Symptom

After attempting to enable RDz client authentication using a PKCS12 generated from a RACF certificate, the connection fails with the "Set up your Certificate" message.


Cause

SSL client authentication configuration with a locally installed PKCS12 generated from a RACF certificate and used successfully with CICS Explorer is not covered in the instructions listed in the RDz Host Configuration Guide and the RDz Host Configuration Reference.

Diagnosing The Problem

The client .log file shows the following errors when connecting if the client certificate information has been configured incorrectly:

!ENTRY org.eclipse.rse.ui 1 0 2014-03-28 12:16:18.998
!MESSAGE in SubSystemConfiguration.getSubSytems(conn, force) - returning empty array

Resolving The Problem

In order to connect with RDz using client authentication and a local PKCS12, ensure the following steps are applied:

  • SSL must be configured successfully with the RDz RSE server first, before configuring client SSL.

    Refer to the RDz Host Configuration Guide and the RDz Host Configuration Reference Guide
    for additional details on setting up SSL and on other methods of client authentication.

  • In the client connection properties, set the RSE launcher properties to an Authentication Method of "certificate".
    1. In the RDz Remote Systems view, right-click the MVS host connection and select Properties.

    2. Select Connector Services/Launcher Properties.


  • Edit the client eclipse.ini to add three parameters to the end of the file, so that the Eclipse workbench looks for its own JCE provider:

      -DrdzKeyStoreLocation=c:\temp\xxx.p12
      -DrdzKeyStorePassword=xxxxx
      -DrdzKeyStoreType=PKCS12

    Note: The KeyStoreLocation is the path of the PKCS12 file saved locally on the PC that runs the RDz client workbench.

    Save the eclipse.ini.

  • Edit the Client Certificates preferences under Window/Preferences/Client Certificates in the RDz client workbench.
    1. Set the JCE provider to IBMJCE if the certificate is a PKCS12.

    2. Set the certificate type to PKCS12.


  • In the same window, the hostIdMappings Object Identifier (OID) 1.3.18.0.2.18.1 can either remain or be cleared so that there is no value. If the value is not cleared, the certificate must include this OID.

    Note: RDz only uses the first hostIdMapping in the set of hostIdMappings. Multiple entries can be defined if accessing multiple hosts or multiple applications. If the first hostIdMapping is not the one that is authorized to the RSE server user id, the session fails with error message "checkCertificate:Invalid Certificate Exception: SERVAUTH Definition Error" even though the second hostIdMapping might map to a valid SERVAUTH definition for the RSE server user id.

  • Restart the RDz workbench to pick up the changes to the eclipse.ini above.

    Reconnect to your host connection in the Remote Systems view.

When successfully configured, the untrusted server certificate(s) are presented for acceptance if the server certificate is signed by the host's own CA or is self-signed.

If a well-known CA is used, there is no trust prompt and the connection succeeds.
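The following pre-flight check is an added example, not part of this technote or of the RDz product. It reads the same three -Drdz* parameters placed in eclipse.ini, opens the PKCS12 through the IBMJCE provider selected on the Client Certificates page, and reports whether each private-key entry's certificate carries the hostIdMappings OID 1.3.18.0.2.18.1. The class name and the fallback to the default provider on a non-IBM JRE are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.NoSuchProviderException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/* Run with the same parameters that were added to eclipse.ini, for example:
 *   java -DrdzKeyStoreLocation=c:\temp\xxx.p12 -DrdzKeyStorePassword=xxxxx
 *        -DrdzKeyStoreType=PKCS12 RdzKeyStoreCheck
 * The OID below is the hostIdMappings OID named in the technote. */
public class RdzKeyStoreCheck {
    static final String HOST_ID_MAPPINGS_OID = "1.3.18.0.2.18.1";

    public static void main(String[] args) throws Exception {
        String location = System.getProperty("rdzKeyStoreLocation");
        String password = System.getProperty("rdzKeyStorePassword");
        String type = System.getProperty("rdzKeyStoreType", "PKCS12"); // assumed default
        if (location == null || password == null) {
            System.err.println("rdzKeyStoreLocation and rdzKeyStorePassword must be set (see eclipse.ini)");
            System.exit(1);
        }
        KeyStore ks;
        try {
            // Same provider the Client Certificates preference page selects for PKCS12
            ks = KeyStore.getInstance(type, "IBMJCE");
        } catch (NoSuchProviderException e) {
            // Not an IBM JRE: fall back to the default provider so the file can still be inspected
            System.err.println("IBMJCE provider not available; using default provider");
            ks = KeyStore.getInstance(type);
        }
        try (InputStream in = new FileInputStream(location)) {
            ks.load(in, password.toCharArray()); // wrong password or corrupt file fails here
        }
        int keyEntries = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue; // trusted-cert-only entries cannot authenticate a client
            keyEntries++;
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            cert.checkValidity(); // an expired RACF certificate is rejected by the server
            boolean hasMapping = cert.getExtensionValue(HOST_ID_MAPPINGS_OID) != null;
            System.out.println("alias=" + alias + " subject=" + cert.getSubjectX500Principal()
                + " hostIdMappings=" + (hasMapping ? "present" : "absent"));
            if (!hasMapping)
                System.out.println("  -> clear the OID under Window/Preferences/Client Certificates, or use a certificate that includes it");
        }
        if (keyEntries == 0) {
            System.err.println("no private-key entry found: the PKCS12 must contain the RACF certificate's private key");
            System.exit(2);
        }
    }
}
```

The check only detects whether the hostIdMappings extension is present; which mapping is listed first, and therefore which one RDz uses, still has to be confirmed against the certificate definition on the host.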


Document Information

Modified date:
27 October 2020

UID

swg21675418