Discussion:
Client Access Express secure telnet via SSL - CA certificate store
Grzegorz
2011-05-04 16:17:49 UTC
Hi,
I'm on v5r3 and have configured telnet access via an SSL secure connection
(port 992).
I've created a self-signed CA, as that is the only certificate needed on
the client side.
But it looks like that CA must be in the Client Access Express certificate
store, not in the Windows XP certificate store.
My problem is I'm unable to automatically import that CA certificate
into an existing Client Access configuration; I have to use manual import
via the IBM-provided tool or the Client Access GUI.
So is there any way to automate this task?
Regards
GG
iseriesflorida
2011-05-04 16:48:57 UTC
GG, not sure if this will help you or not.

Locate this executable on your system.

CWBCOSSL.EXE
Grzegorz
2011-05-05 17:58:55 UTC
Post by iseriesflorida
GG, not sure if this will help you or not.
locate this executable on your system.
CWBCOSSL.EXE
Alright, but that's GUI-based and I need a command line for automation :)
Regards.
GG

btw I've thought about overwriting the key store file in Client Access :)
Hal
2011-05-06 02:39:09 UTC
I've had the same problem, and as best I can tell self-signed certs,
or for that matter, certs issued by any authority OTHER than the ones
shipped in the key manager on the iSeries will never automatically
download either with operations navigator or CWBCOSSL.

I've always had to import the root, intermediate and peer keys by hand
on the workstations that run CA. I used to have a self-signed cert,
then we bought one from go-daddy, but go-daddy isn't in the list of
certificate signing authorities on the iSeries as shipped from IBM.

Given my budget I can import a lot of certificates by hand and save
the $1000 Verisign wanted to get me for....

Best,
Chris
Grzegorz
2011-05-06 16:45:02 UTC
Post by Hal
I've always had to import the root, intermediate and peer keys by hand
on the workstations that run CA. I used to have a self-signed cert,
then we bought one from go-daddy, but go-daddy isn't in the list of
certificate signing authorities on the iSeries as shipped from IBM.
Given my budget I can import a lot of certificates by hand and save
the $1000 Verisign wanted to get me for....
Thanks, and now I'm seriously considering overwriting the Client Access key
store file :).
The plan is as follows:
1. Prepare a key store file with all certificates on 1 workstation.
2. Copy it to all the others, overwriting the existing one.
3. Profit :)
Regards
GG

p.s.
can't remember the key store file name
Jon
2011-05-06 19:55:39 UTC
Something like:

cd C:\Program Files\IBM\gsk7\lib
..\bin\gsk7capicmd.exe -cert -import -db "C:\Documents and Settings\All Users\Documents\IBM\Client Access\new.kdb" -pw ca400 -target "C:\Documents and Settings\All Users\Documents\IBM\Client Access\cwbssldf.kdb" -target_pw ca400

As I recall, 5.3 didn't use gsk7; modify for the actual gsk version installed. Setting the current dir to gsk7\lib is because gsk7capicmd looks for the DLLs on which it depends in the current subdir.

This process is automated in a 7.1 SP (I think SP1).

Jon
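
Jon's import command wrapped for unattended use on each workstation, as an added example that is not part of the original thread. The parameter names, the backup file naming and the exit-code check are assumptions; the paths, flags and passwords are the ones quoted in the post above.

```powershell
# Added example: unattended wrapper around the import command quoted above.
# Assumptions (not from the thread): parameter names, backup naming, and that
# gsk7capicmd returns a non-zero exit code when the import fails.
param(
    [string]$GskRoot  = 'C:\Program Files\IBM\gsk7',   # adjust to the installed GSKit version
    [string]$StoreDir = 'C:\Documents and Settings\All Users\Documents\IBM\Client Access',
    [string]$SourceDb = 'new.kdb',        # key database prepared on the reference workstation
    [string]$TargetDb = 'cwbssldf.kdb',   # Client Access key database on this workstation
    [string]$SourcePw = 'ca400',
    [string]$TargetPw = 'ca400'
)

$tool   = Join-Path $GskRoot 'bin\gsk7capicmd.exe'
$source = Join-Path $StoreDir $SourceDb
$target = Join-Path $StoreDir $TargetDb

# Stop before touching anything if the tool or either key database is missing.
foreach ($path in $tool, $source, $target) {
    if (-not (Test-Path $path)) { throw "Required file not found: $path" }
}

# Keep a timestamped copy of the target so a failed import can be rolled back.
$backup = "$target.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item $target $backup

# gsk7capicmd looks for its DLLs in the current directory, so run it from lib.
Push-Location (Join-Path $GskRoot 'lib')
try {
    & $tool -cert -import -db $source -pw $SourcePw -target $target -target_pw $TargetPw
    $rc = $LASTEXITCODE
}
finally {
    Pop-Location
}

if ($rc -ne 0) {
    # Put the original key database back and report the failure to the caller.
    Copy-Item $backup $target -Force
    throw "gsk7capicmd exited with code $rc; restored $target from $backup"
}
Write-Output "Imported certificates from $source into $target (backup: $backup)"
```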
Grzegorz
2011-05-07 05:55:20 UTC
Post by Jon
cd C:\Program Files\IBM\gsk7\lib
..\bin\gsk7capicmd.exe -cert -import -db "C:\Documents and Settings\All Users\Documents\IBM\Client Access\new.kdb" -pw ca400 -target "C:\Documents and Settings\All Users\Documents\IBM\Client Access\cwbssldf.kdb" -target_pw ca400
As I recall 5.3 didn't use gsk7, modify for the actual gsk version installed. Setting the current dir to gsk7\lib is because gsk7capicmd looks for the DLLs on which it depends in the current subdir.
This process is automated in a 7.1 SP (I think SP1).
Wow, that's really interesting, could you please tell me where I can
get gsk7capicmd.exe?
What kind of software is it, and how to download it without having
IBM support :).
Regards.
GG
