Top Secret

  • 1.  TLS communication between Top Secret & Linux using certificates.

    Posted Apr 06, 2020 03:29 PM
    I am looking for help and/or anyone who has successfully set up certificates between TS and a Linux box.  We have been at this for a while and have come to a standstill.  The issues:  1)  We can't get the PGP certificate from Linux to successfully load to our MF.  2)  The Linux box will not load the certificate I exported from the MF.

    Darren -


  • 2.  RE: TLS communication between Top Secret & Linux using certificates.

    Posted Apr 06, 2020 04:58 PM
    Other people will give you much more knowledgeable replies, Darren; certificates are a continual reproach to my self-confident belief that I can figure out anything given time and effort.  But just to mention something obvious - probably too obvious for you to have missed - have you confirmed that you've correctly saved the certificate in text format ~and~ remembered to translate between EBCDIC and ASCII?  You haven't said yet exactly what problems you're running into, so I'm just guessing.


  • 3.  RE: TLS communication between Top Secret & Linux using certificates.

    Posted Apr 07, 2020 03:34 PM
    Robert,  

    As for the certificate I created/sent out to the Linux(SAP) server, yes it was sent with a txt format/extension.  
    They are not able to provide any errors or failure points.  The screen scrape they provided only states:
                           
                           No secret key added.
                           No public key added.


    As for the certificate I received from the Linux server, it arrived with an .asc extension.   It was a PGP key, that when pulled up in Notepad, looked loosely like the one I sent out.   The differences being it had a version line, a comment line, and a blank line within the cert itself??

    I appreciate the timely comments !!

    Darren  



  • 4.  RE: TLS communication between Top Secret & Linux using certificates.

    Broadcom Employee
    Posted Apr 08, 2020 03:56 PM
    Darren,

    TSS supports X509 type certs. PGP is not X509.

    Is it really PGP? Just because the file suffix is PGP doesn't necessarily mean it's PGP.

    Have you tried to FTP the certificate to a dataset, then issue the TSS CHKCERT against it?

    TSS CHKCERT DCDSN(datasetname)

    If the certificate is supported, attributes about the certificate will be displayed. If you get 'invalid data', then the certificate is not supported.

    When you FTP the certificate to a dataset, upload it as a binary file ***AND*** ASCII file.

    Issue the TSS CHKCERT command against both datasets.

    Certain format certificates require a binary or ASCII format. Since we don't know what type of certificate we are dealing with, FTP the certificate in binary and ASCII.

    The following knowledge documents FTPing certificates:

    https://knowledge.broadcom.com/external/article?articleId=53951

    When you exported the certificate from Top Secret, I am assuming you used the TSS EXPORT command. What did you specify for the FORMAT keyword on the TSS EXPORT command? If you need to EXPORT the entire certificate, you need to use one of the PKCS12 formats on the FORMAT keyword. If you didn't, you only export the public key from Top Secret.

    Regards,

    Joseph Porto - Broadcom Level 1 Support
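
The thread's three suspects (a PGP key rather than X.509, an EBCDIC/ASCII mix-up, binary versus text transfer) can be told apart from a file's first bytes before it is loaded anywhere. The Python sketch below is an added example, not code from any poster or from Broadcom; the sample inputs are constructed placeholders, and `cp037` is assumed as the EBCDIC code page.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def classify(data: bytes) -> dict:
    """Coarsely identify a key/certificate file before loading it anywhere."""
    for codec in ("ascii", "cp037"):  # cp037: assumed EBCDIC code page
        try:
            text = data.decode(codec)
        except UnicodeDecodeError:
            continue
        m = PEM_RE.search(text)
        if not m:
            continue
        label, lines = m.group(1), m.group(2).strip().splitlines()
        # OpenPGP armor may carry "Key: value" headers, then a blank line.
        headers = {}
        while lines and ":" in lines[0]:
            k, v = lines.pop(0).split(":", 1)
            headers[k.strip()] = v.strip()
        if label.startswith("PGP "):
            kind = "openpgp-armored"       # not X.509, whatever the suffix
        elif label == "CERTIFICATE":
            try:
                raw = base64.b64decode("".join(lines))
            except ValueError:
                raw = b""
            # A DER certificate starts with an ASN.1 SEQUENCE tag (0x30).
            kind = "x509-pem" if raw[:1] == b"\x30" else "pem-bad-payload"
        else:
            kind = "pem-other"
        return {"kind": kind, "encoding": codec, "label": label, "headers": headers}
    if len(data) > 2 and data[0] == 0x30 and data[1] & 0x80:
        return {"kind": "der-candidate", "encoding": "binary", "label": None, "headers": {}}
    return {"kind": "unknown", "encoding": None, "label": None, "headers": {}}

# Constructed samples: placeholders shaped like the real formats, not real keys.
PGP_SAMPLE = (
    b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
    b"Version: GnuPG v2\nComment: constructed sample\n\n"
    b"mQENBFconstructedBODY\n=AbCd\n"
    b"-----END PGP PUBLIC KEY BLOCK-----\n"
)
FAKE_DER = b"\x30\x82\x00\x10" + bytes(16)
CERT_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(FAKE_DER) + b"\n-----END CERTIFICATE-----\n"
CERT_EBCDIC = CERT_PEM.decode("ascii").encode("cp037")  # text stored as EBCDIC
```

A result of `x509-pem` or `der-candidate` only means the outer framing looks right; `TSS CHKCERT` remains the authoritative check on the mainframe side.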



  • 5.  RE: TLS communication between Top Secret & Linux using certificates.

    Posted Apr 08, 2020 05:22 PM
    Joe, 
    As for the inbound certificate (from our SAP provider):
        -  Yes, it was ftp'd to a dataset and chkcert was run against it (failed every time) - With its Version, comment, and blank lines, I did attempt modifying it to what I believed to be a corrected format (ran chkcert against each effort, to no avail).
        -  No, a binary version of the inbound cert was never attempted.

    As for my outbound cert:
        -  It was generated without any FORMAT keyword.  My SAP contact cannot provide any error message or point of failure.  Sounds like re-exporting another file with the appropriate FORMAT values might be worth a try.

    Thank you so much for the input - it is much appreciated !!

    Darren


  • 6.  RE: TLS communication between Top Secret & Linux using certificates.

    Broadcom Employee
    Posted Apr 09, 2020 06:33 AM
    Good day Darren :-)

    Your Export is only sending them a public key, so the Export did not need a format.  If this is a two-way communication, meaning that sometimes you're the "server" and other times you are the "client", then yes, the private key would need to be exported and then the FORMAT(PKCS12DER) is needed on the EXPORT command.   I know that the certificate looks good on the mainframe side and the PGP certificate looks great as far as PGP certificates go.  I think we need to reach out and ask Tracy if she can obtain a different certificate.  If PGP is their external CA then we may have a problem, but let's reach out.

    Stay safe and enjoy the day!!
    ~Eileen~

    ------------------------------
    Senior Support Engineer
    Broadcom
    ------------------------------