Troubleshooting
Problem
When testing IBM Rational Developer for z (RDz) 9.0 SSL client authentication connections with a locally installed PKCS12 file generated from a RACF certificate, the connection fails with a prompt, "Set up your Certificate."
Symptom
After attempting to enable RDz client authentication using a PKCS12 generated from a RACF certificate, the connection fails with the "Set up your Certificate" message.
Cause
The RDz Host Configuration Guide and the RDz Host Configuration Reference do not cover SSL client authentication with a locally installed PKCS12 file that was generated from a RACF certificate and used successfully with CICS Explorer.
Diagnosing The Problem
If the client is configured with the wrong client certificate information, the client .log shows the following errors when trying to connect:
!ENTRY org.eclipse.rse.ui 1 0 2014-03-28 12:16:18.998
!MESSAGE in SubSystemConfiguration.getSubSytems(conn, force) - returning empty array
Resolving The Problem
In order to connect with RDz using client authentication and a local PKCS12, ensure the following steps are applied:
- SSL must be configured successfully with the RDz RSE server first before configuring client SSL.
Refer to the RDz Host Configuration Guide and RDz Host Configuration Reference Guide for additional details on setting up SSL and other methods of client authentication.
- Set in the client connection properties the RSE connection settings with Authentication Method of "certificate" for the RSE launcher properties.
- In RDz Remote Systems View, right click on the MVS host connection and select Properties.
- Select Connector Services/Launcher Properties.
- Edit the client eclipse.ini to add three parameters to the end of the file to ensure that the Eclipse workbench will look for its own JCE provider.
-DrdzKeyStoreLocation=c:\temp\xxx.p12
-DrdzKeyStorePassword=xxxxx
-DrdzKeyStoreType=PKCS12
Note: The KeyStoreLocation should be the directory that the PKCS12 file is saved to locally on the PC that is running the RDz client workbench.
- Edit the Client Certificates preferences under Window/Preferences/Client Certificates in the RDz client workbench.
- Set the JCE provider to IBMJCE if the certificate is a PKCS12.
- Set the certificate type to PKCS12.
- In the same window, the hostIdMappings Object Identifier (OID) of 1.3.18.0.2.18.1 can remain or be cleared so there is no value. If the value is not cleared, the certificate must have this OID included.
Note: RDz only uses the first hostIdMapping in the set of hostIdMappings. Multiple entries can be defined if accessing multiple hosts or multiple applications. If the first hostIdMapping is not the one that is authorized to the RSE server user id, the session fails with error message "checkCertificate:Invalid Certificate Exception: SERVAUTH Definition Error" even though the second hostIdMapping might map to a valid SERVAUTH definition for the RSE server user id.
- Restart the RDz workbench to pick up the changes to the eclipse.ini above.
Reconnect to your host connection in Remote Systems view.
If using a well-known CA, there is no prompt for the trust and the connection succeeds.
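A pre-flight check for the eclipse.ini edit described above, as an added example that is not IBM's code: it confirms the three parameters are present, non-empty, placed after the Eclipse launcher's `-vmargs` line (only lines after it are passed to the JVM), and point at an existing keystore. The function name `check_eclipse_ini` and both sample files are constructed for illustration.

```python
from pathlib import Path

# The three JVM system properties the technote adds to eclipse.ini.
REQUIRED = ("rdzKeyStoreLocation", "rdzKeyStorePassword", "rdzKeyStoreType")

def check_eclipse_ini(text, exists=lambda p: Path(p).exists()):
    """Return a list of problems in eclipse.ini content; empty list means OK."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    problems = []
    vmargs_at = lines.index("-vmargs") if "-vmargs" in lines else None
    if vmargs_at is None:
        problems.append("no -vmargs line, so -D options never reach the JVM")
    found = {}
    for i, ln in enumerate(lines):
        if not (ln.startswith("-D") and "=" in ln):
            continue
        key, value = ln[2:].split("=", 1)
        if key not in REQUIRED:
            continue
        if key in found:
            problems.append(f"-D{key} is set more than once")
        if vmargs_at is not None and i < vmargs_at:
            problems.append(f"-D{key} is before -vmargs and is not a JVM option")
        found[key] = value
    for key in REQUIRED:
        if not found.get(key):
            problems.append(f"-D{key} is missing or empty")
    if found.get("rdzKeyStoreType") and found["rdzKeyStoreType"].upper() != "PKCS12":
        problems.append("rdzKeyStoreType is not PKCS12")
    loc = found.get("rdzKeyStoreLocation")
    if loc and not exists(loc):
        problems.append(f"keystore not found at {loc}")
    return problems

# Constructed sample inputs (not taken from a real installation).
GOOD_INI = """-startup
plugins/org.eclipse.equinox.launcher.jar
-vmargs
-Xmx1024m
-DrdzKeyStoreLocation=c:\\temp\\xxx.p12
-DrdzKeyStorePassword=xxxxx
-DrdzKeyStoreType=PKCS12
"""
BAD_INI = """-DrdzKeyStoreLocation=c:\\temp\\xxx.p12
-vmargs
-DrdzKeyStorePassword=
-DrdzKeyStoreType=JKS
"""

if __name__ == "__main__":
    for name, ini in (("good", GOOD_INI), ("bad", BAD_INI)):
        print(name, check_eclipse_ini(ini, exists=lambda p: True))
```

Because the keystore password sits in eclipse.ini in clear text, run the check locally and keep its output out of shared logs.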
Document Information
Modified date:
27 October 2020
UID
swg21675418