If you are having problems setting up CWI SSL, it can be useful to test your certificates completely separately from
Enterprise Server. For example, you can check the contents of a certificate with the
openssl command:
openssl x509 -in file.pem -noout -text
You can also use
openssl s_server and
openssl s_client as simple SSL servers and clients to verify that there are no problems with your certificates.
TCPIPSERVICE startup failures
If your server certificates are valid and you are having problems starting up a TCPIPSERVICE then check in the console log
for failure messages. Possible messages and suggested corrective actions include:
- CASSI1010W Error environment variable ES_CERTIFICATES_LOCATION not set or pointing to an invalid location
- Ensure that the environment variable
ES_CERTIFICATES_LOCATION is set and pointing at a valid location.
- CASSI1011W TCPIPSERVICE <TCPIPSERVICE name> could not be started. Certificate <server certificate> could not be found
- Ensure that the server certificate filename (excluding the extension) matches the certificate label specified in the TCPIPSERVICE
and is in the directory referenced by the value of the
ES_CERTIFICATES_LOCATION environment variable. If a certificate is not specified in the TCPIPSERVICE, then the server certificate filename should
match the value of the environment variable
ES_DFLT_CERTIFICATE_NAME_SERVER.
- CASSI1012W Error no certificate specified for TCPIPSERVICE <TCPIPSERVICE name> and ES_DFLT_CERTIFICATE_NAME_SERVER not set
- Ensure that a server certificate is specified in the TCPIPSERVICE or by the environment variable
ES_DFLT_CERTIFICATE_NAME_SERVER. Do not specify the file extension for the certificate.
- CASSI1013W Error TCPIPSERVICE <TCPIPSERVICE name> could not be started. No passphrase for server certificate <server certificate>
- Ensure that
ESCERTPAS.CBL returns the passphrase for the server certificate key file when the server certificate is provided as input. ESCERTPAS.CBL
should be compiled and replace the binary distributed with the product.
- CASSI1014W No CA root file provided to validate client certificates for TCPIPSERVICE <TCPIPSERVICE name>. Server certificate
is <server certificate>
- This message doesn't imply that a TCPIPSERVICE failed to start. It simply means that client authentication cannot take place
- which may be what you intended.
- CASSI1015W TCPIPSERVICE <TCPIPSERVICE name> could not be started. Keyfile <server certificate key file> could not be found
- Ensure that the server key file has the same name as the server certificate with
_key appended, while retaining the file extension, and that it resides in the directory referenced by the value of the environment
variable
ES_CERTIFICATES_LOCATION.
If the TCPIPSERVICE fails to start and none of the above messages are received, then ensure that the port specified in the
TCPIPSERVICE is not already in use. You should also check the
log.html file in the system directory for any errors.
WEB OPEN failures
If you experience WEB OPEN failures, you should work through the following checklist:
- Ensure that the TCPIPSERVICE on the server that is the target of the WEB OPEN is open.
- Ensure that
ESCERTPAS on the client machine will return the fully-qualified CA root file that contains the certificate used to sign the server
certificate. In this case, the input certificate to
ESCERTPAS will either be the client certificate being used on this WEB OPEN or spaces if no client certificate is being provided.
- If the target TCPIPSERVICE requires client authentication, ensure that:
- Either a client certificate is specified on he WEB OPEN (explicitly or in the URIMAP if one is specified) or ES_DFLT_CERTIFICATE_NAME_CLIENT
is set to the name of your client certificate (without the file extension) on your CICS client machine.
- The value for ES_CERTIFICATES_LOCATION on your CICS client machine is set to the directory which contains your client certificate.
- The client certificate has a key file with the same name with
_key appended, and it resides in the same directory as the client certificate.
- ESCERTPAS on your CICS client machine will return the passphrase for the client certificate key file when the client certificate name
is provided as input.
- ESCERTPAS on your CICS server machine must have returned a full-qualified CA root file which contains a certificate used to sign the
client certificate being used on this WEB OPEN when the TCPIPSERVICE started up. In this case, the server certificate would
have been the input to
ESCERTPAS.
If there are still problems, check
log.html for further errors.
Browser failures
Most browser failures are caused by certificate problems.
- Ensure that the CA root certificate used to sign the server certificate has been installed in the browser.
- If the target TCPIPSERVICE requires client authentication, ensure that your client certificate has been installed in your
browser.
Diagnostics
If you are experiencing further CWI SSL issues and have exhausted the above options, there are several ways in which you can
collect diagnostics to help you understand the problem:
- The console log will show warning messages if any TCPIPSERVICE failed to open at region startup.
- The communications log -
log.html - is a good place to check if something does not seem to be working properly.
- CCI tracing can be used to collect some SSL traces. Create a
CCI.INI file and copy it to the current directory of the MFCS process. On Windows this is usually
%WINDIR%, on UNIX you can use
/proc/pid/cwd with the PID of the mfcs32 process:
[ccitcp-base]
ssl_display_options_on=yes
ssl_display_cert_connection_details=yes
ssl_display_destination=c:\tmp\cci-ssl-info.txt
You can also use
CCI.INI to enable CTF tracing for CCI, in conjunction with the usual CTF configuration file. The
CCI.INI section would look like:
[ccitrace-base]
force_trace_on=yes
data_trace=no
protocol_trace=yes
internal_net_api=yes
and the CTF configuration file would include:
mftrace.dest=binfile
mftrace.emitter.binfile#Location = path
mftrace.emitter.es#level = 99999
mftrace.level.mf.cci = info
Finally, you would set your
MFTRACE environment variable to point to the CTF configuration file.
CCI Tracing can also be used to collect some SSL traces by adding the following to the
CCI.INI file:
[ccitcp-base]
# Display the negotiated cipher
ssl_display_cipher=yes
# Display details of the peer certificate (if any)
ssl_display_cert=yes
# Display why the certificate content failed its trust test.
ssl_display_cert_fail_report=yes
# Display all details available about the offered certificate.
ssl_display_cert_connection_details=yes
# Switch on or off the SSL options above
ssl_display_options_on=yes
# Where to save the certificate information
ssl_display_destination=/home/diags/tls.txt