----- Original Message -----
Sent: Wednesday, July 13, 2005 7:39
AM
Subject: Re: Re: https problems
Hello
Advancing slowly:
[SSL_ERROR_NOT_TRUSTED_ROOT]
The certificate is not signed by a trusted
certificate authority.
Is that error caused by the server or the client?
I now have the necessary authority on the 400 to do stuff to the DCM, but
we have no certificates. The notes in the original README and the beta release
assume the existence of a certificate. The V5R1 Unix type API manual is no
help.
Do I need to get a certificate from somewhere?
I am most appreciative of any help. I suspect this nightmare might be
repeated when we move my applications to our live box. But by then I might
have some clue.........
Michael
>
Message date : Jul 12 2005, 05:40 PM
> From : "Scott Klement"
> To : "ftpapi"
>
Copy to :
> Subject : Re: https problems
> Sender: Scott
Klement
>
>
> >
gsk_secure_soc_init returns error: [GSK_KEYRING_OPEN_ERROR] Certificate
> > store file could not be opened.
>
> Have you
created the certificate store? Which certificate store are you
>
trying to use? If you don't have one specified in the DCM for your
>
application, it'll use *SYSTEM by default.
>
> > according
to iSeries Information Centre: Authorities Authorization of *R
> >
(allow access to the object) to the certificate store file and its
>
> associated files is required. Authorization of *X (allow use of the
> > object) to each directory of the path name of the certificate
store file
> > and its associated files is required.
>
> That makes sense. Have you granted those authorities?
>
> > Registering goes OK, whether using a named app or not.
According to
> > operations navigator, Users and Groups, as a
member of group DEVELOPER
> > my usrprf has all object system
privilege to the DCM certificate store.
>
> I've never used ops
nav for this, but that sounds promising.
>
>
> > What
authority do I need to the DCM?
>
> Anyone should be able to
access the DCM, but according to the following
> page, you need
*ALLOBJ and *SECADM to have all of the DCM options:
>
http://publib.boulder.ibm.com/infocenter/iseries/v5r3/ic2924/info/rzahu/rzahurzahu401usingdcm.htm
>
> > Is it IOSYSCNFIG?
>
> I believe *IOSYSCFG is for
setting up hardware. I don't think it has
> anything to do with the
Digital Certificate Manager.
>
>
> > Where is the
certificate store?
>
> Depends on the certificate store. When
you create your own, you can put it
> anywhere you want. When you use
the default one (aka *SYSTEM) it's put in
> the following
directory:
>
> /QIBM/USERDATA/ICSS/CERT/SERVER/
>
> On that directory are two files. One is called "DEFAULT.KDB" and
the other
> is called "DEFAULT.RDB"
>
>
-----------------------------------------------------------------------
>
This is the FTPAPI mailing list. To unsubsribe from the list send
mail
> to majordomo@xxxxxxxxxxxxx with the body: unsubscribe ftpapi
mymailaddr
>
-----------------------------------------------------------------------
>
>
Whatever you Wanadoo
This email has been checked for most known
viruses - find out more here