[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Re: https problems

To: ftpapi@xxxxxxxxxxxxx
Subject: Re: Re: https problems
From: michael@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Date: Wed, 13 Jul 2005 13:39:09 +0200 (CEST)
Reply-to: ftpapi@xxxxxxxxxxxxx
Sender: owner-ftpapi@xxxxxxxxxxxxx

Hello

Advancing slowly:

[SSL_ERROR_NOT_TRUSTED_ROOT]
The certificate is not signed by a trusted certificate authority.

Is that error caused by the server or the client?

I now have the necessary authority on the 400 to do stuff to the DCM, but we have no certificates. The notes in the original README and the beta release assume the existence of a certificate. The V5R1 Unix type API manual is no help.

Do I need to get a certificate from somewhere?

I am most appreciative of any help. I suspect this nightmare might be repeated when we move my applications to our live box. But by then I might have some clue.........

Michael

> Message date : Jul 12 2005, 05:40 PM
> From : "Scott Klement"
> To : "ftpapi"
> Copy to :
> Subject : Re: https problems
> Sender: Scott Klement
>
>
> > gsk_secure_soc_init returns error: [GSK_KEYRING_OPEN_ERROR] Certificate
> > store file could not be opened.
>
> Have you created the certificate store? Which certificate store are you
> trying to use? If you don't have one specified in the DCM for your
> application, it'll use *SYSTEM by default.
>
> > according to iSeries Information Centre: Authorities Authorization of *R
> > (allow access to the object) to the certificate store file and its
> > associated files is required. Authorization of *X (allow use of the
> > object) to each directory of the path name of the certificate store file
> > and its associated files is required.
>
> That makes sense. Have you granted those authorities?
>
> > Registering goes OK, whether using a named app or not. According to
> > operations navigator, Users and Groups, as a member of group DEVELOPER
> > my usrprf has all object system privilege to the DCM certificate store.
>
> I've never used ops nav for this, but that sounds promising.
>
>
> > What authority do I need to the DCM?
>
> Anyone should be able to access the DCM, but according to the following
> page, you need *ALLOBJ and *SECADM to have all of the DCM options:
> http://publib.boulder.ibm.com/infocenter/iseries/v5r3/ic2924/info/rzahu/rzahurzahu401usingdcm.htm
>
> > Is it IOSYSCNFIG?
>
> I believe *IOSYSCFG is for setting up hardware. I don't think it has
> anything to do with the Digital Certificate Manager.
>
>
> > Where is the certificate store?
>
> Depends on the certificate store. When you create your own, you can put it
> anywhere you want. When you use the default one (aka *SYSTEM) it's put in
> the following directory:
>
> /QIBM/USERDATA/ICSS/CERT/SERVER/
>
> On that directory are two files. One is called "DEFAULT.KDB" and the other
> is called "DEFAULT.RDB"
>
> -----------------------------------------------------------------------
> This is the FTPAPI mailing list. To unsubsribe from the list send mail
> to majordomo@xxxxxxxxxxxxx with the body: unsubscribe ftpapi mymailaddr
> -----------------------------------------------------------------------
>
>

Whatever you Wanadoo

This email has been checked for most known viruses - find out more here

Follow-Ups:
- Re: Re: https problems
  - From: Jay Peasley
- Re: Re: https problems
  - From: Scott Klement

Prev by Date: Re: Re: https problems
Next by Date: Re: Re: https problems
Previous by thread: Re: Re: https problems
Next by thread: Re: Re: https problems
Index(es):
- Date
- Thread