Forum Discussion

gkorah_32913
Oct 27, 2009

SSL Cert Error with Mainframe

I have SSL offloaded from couple of my internal web servers to the F5-LTM. I was able to test it by connecting externally & opening a https to the virtual server & everything seems to work well.

One of my customers uses a mainframe to post orders on the website (now offloaded to the LTM) & they seem to have an issue b'coz the error they see from the LTM is an unknown certificate. It seems to work fine with a web browser but not with their CICS server.

TCPDUMP shows the following error -

TLSv1 Record Layer: Alert (Level: Fatal, Description: Certificate Unknown)

Anyone having any idea on this would help a lot.

--

KC

10 Replies

  • Hi,

    The unrecognized cert error from the client indicates that your server cert doesn't properly chain to a root certificate in their client cert store.

    If they have the ability to add root certs to their cert store, they could add the root CA certificate for your cert. Else, if you have an intermediate cert that chains correctly to a root cert already in their store, you could append that to your existing intermediate CA bundle configured in the client SSL profile.

    Aaron
  • Thx for the post, Aaron. The only thing different is that I imported the original cert to the F5 from the backend IIS server.

    Everything is set to default on the client SSL profile except for the certificate/key fields. Is there something that I can change in the SSL client profile?

    --

    George
  • Hi George,

    So this mainframe client was working when the SSL decryption was done on the web servers? If that's the case, you should be able to export the SSL certificates in the chain from a working browser and append them to the intermediate CA certificate bundle on LTM and then configure that intermediate CA bundle on the client SSL profile you're using on your VIP. If you need help doing this, you could open a case with F5 Support.

    Aaron
  • Aaron - That's correct. SSL terminations were happening on the servers till I offloaded that to the LTM.

    What intrigues me is that it works just fine with a browser (Firefox or IE), but it's just this one client that has a script on their CICS server to post an order on the website (now being front-ended on the LTM). Shouldn't the SSL transaction be the same, irrespective of the end client? Maybe I am missing something.

    Thx

    George
  • Would SSLv2 have anything to do with the cert error? I did a packet capture and I did see the client use SSLv2 as part of the initial SSL handshake.
  • The main difference between any two SSL clients is which root certificates they have in their certificate stores. As I suggested above, if the mainframe client was working when going direct to the web servers, it's probably an issue with the intermediate SSL certificate(s) LTM is configured to send to the client in the client SSL profile. You should be able to export the SSL certificates in the chain from a working browser or the web server, convert them to PEM format and append them to the intermediate CA certificate bundle on LTM and then configure that intermediate CA bundle on the client SSL profile you're using on your VIP. If you need help doing this, you could open a case with F5 Support.

    Aaron
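The chain-building failure Aaron describes can be reproduced offline. The following Go program is an added example, not code from this thread or from F5: it builds a constructed root CA, an intermediate CA and a leaf certificate, then verifies the leaf the way a client with only roots in its trust store would. Sending the leaf alone (no intermediate bundle on the client SSL profile) or talking to a client whose store lacks the root both fail with an unknown-authority error, which is what a client reports back as "Certificate Unknown"; sending the intermediate alongside the leaf succeeds. All certificate names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // simple counter so each constructed cert gets a unique serial

// makeCert creates a certificate for cn, signed by parent (self-signed when parent is nil).
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // CAs must be allowed to sign certificates
	} else {
		tmpl.DNSNames = []string{cn} // leaf needs a SAN for hostname verification
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyAsClient emulates a client whose trust store holds only trustedRoots and that
// sees the leaf plus whatever intermediates the server presented. Pools are always
// non-nil so the system trust store is never consulted.
func verifyAsClient(leaf *x509.Certificate, presented, trustedRoots []*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, r := range trustedRoots {
		roots.AddCert(r)
	}
	inters := x509.NewCertPool()
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       leaf.Subject.CommonName,
		Roots:         roots,
		Intermediates: inters,
	})
	return err
}

// IsUnknownAuthority reports whether err is the chain-building failure a client
// surfaces as "certificate unknown".
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// DemoResult holds the outcome of the three client-side scenarios.
type DemoResult struct {
	LeafOnly         error // server sends only the leaf, client trusts the root
	LeafAndIntermed  error // server sends leaf + intermediate, client trusts the root
	RootNotInStore   error // server sends leaf + intermediate, client trusts nothing
}

// RunDemo builds root -> intermediate -> leaf and evaluates each scenario.
func RunDemo() DemoResult {
	root, rootKey := makeCert("Example Root CA (constructed)", true, nil, nil)
	inter, interKey := makeCert("Example Intermediate CA (constructed)", true, root, rootKey)
	leaf, _ := makeCert("www.example.test", false, inter, interKey)
	return DemoResult{
		LeafOnly:        verifyAsClient(leaf, nil, []*x509.Certificate{root}),
		LeafAndIntermed: verifyAsClient(leaf, []*x509.Certificate{inter}, []*x509.Certificate{root}),
		RootNotInStore:  verifyAsClient(leaf, []*x509.Certificate{inter}, nil),
	}
}

func main() {
	r := RunDemo()
	fmt.Println("leaf only sent:", r.LeafOnly)
	fmt.Println("leaf + intermediate sent:", r.LeafAndIntermed)
	fmt.Println("root missing from client store:", r.RootNotInStore)
}
```

Browsers often mask the first failure because they cache intermediates from earlier sessions or fetch them via AIA; a scripted Java or CICS client typically does neither, which is why the same server can work in a browser and fail from the mainframe.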
  • Hi Aaron - looks like the client did not download a cert from us, from what I gather after talking to the server folks who are supporting this environment here.

    Side note, I did import the pfx file onto the LTM, converted it to a PEM format, created the SSL certificate, created the ssl client profile & it's attached to the virtual server.

    I also tested it again today using my other laptop connected to the Internet & am able to hit the server(s) via the LTM.

    B'coz of this issue w/ the customer, I have to disable the ssl offload functionality and have the ssl sessions terminate on the servers.
  • You could create a test VIP (even on the same IP, but a different port) to test the SSL cert chaining. Did you import the intermediate certificate(s) as well and include them in the client SSL profile configuration? If you change the cert file contents, you need to click save to load the change into LTM's memory.

    Aaron
  • Not sure of the intermediate certificates, b'coz all I got from the server folks was a pfx file w/ the key.

    Is there something else that I would need as part of the import process?

    Where is the option to save the change to the memory?
  • I just confirmed w/ the client that they are using a Java script to nail the SSL connection to the LTM. Hope this helps.