SSL certificate verification when IBM System SSL is configured for XCOM r12.0

Document ID : KB000004379
Last Modified Date : 14/02/2018
Issue:

When we change the value to NO for the parameters in the VERIFY_CERTIFICATE section of the SYSconfigssl.cnf:

   [VERIFY_CERTIFICATE]
   INITIATE_SIDE = NO
   RECEIVE_SIDE  = NO

The System SSL transfers fail with messages:

XCOMM0812I SECURE TCP/IP REMOTE CONNECTION REQUESTED FROM IP=ipaddress

XCOMM0780E Txpi  410: TxpiSystemSSLConfig Syntax error Element nb: 28 Section =<VERIFY_CERTIFICATE> Parameter = <INITIATE_SIDE>

 

Environment:

XCOM r12.0 with IBM’s System SSL configured.

Resolution:

VERIFY_CERTIFICATE has three possible valid settings:

YES

RFC2459

RFC3280

"YES" uses the default validation as configured in your System SSL region. "RFC2459" uses the validation protocol defined in the RFC2459 standard, as published by the IETF. "RFC3280" uses the validation protocol defined in the RFC3280 standard, as published by the IETF.

The value of "NO" has been SPECIFICALLY EXCLUDED in the validation code. This means that certificate validation cannot be disabled for XCOM's implementation of System SSL.
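
A pre-deployment check for this setting, as an added example that is not CA or IBM code and not part of the original article: it scans the text of a SYSconfigssl.cnf for VERIFY_CERTIFICATE values other than the three listed above, so a rejected value is caught before a transfer fails with XCOMM0780E. It assumes the file uses only the syntax visible in this article ([SECTION] headers, KEY = VALUE lines, # comments) and matches values exactly as written; the function name and sample inputs are constructed for illustration.

```python
import re

# Values the article lists as valid for the VERIFY_CERTIFICATE parameters.
VALID_VALUES = {"YES", "RFC2459", "RFC3280"}
SECTION = "VERIFY_CERTIFICATE"
PARAMETERS = ("INITIATE_SIDE", "RECEIVE_SIDE")

# Assumption: only the syntax seen in the article's fragment is handled.
SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
PARAM_RE = re.compile(r"^(?P<key>[A-Za-z0-9_]+)\s*=\s*(?P<value>.*)$")


def check_verify_certificate(text):
    """Return (line_no, parameter, value) for each setting that is not valid."""
    findings = []
    current = None  # name of the section currently being read
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip()
            continue
        m = PARAM_RE.match(line)
        if not m or current != SECTION:
            continue  # not a parameter, or belongs to another section
        key, value = m.group("key"), m.group("value").strip()
        # Exact match only: anything else (including NO) is reported.
        if key in PARAMETERS and value not in VALID_VALUES:
            findings.append((line_no, key, value))
    return findings


# Constructed sample inputs modelled on the fragment in the article.
REJECTED = """\
# OPTIONAL, the following specifies if CA XCOM needs to verify the certificate (YES/NO).
[VERIFY_CERTIFICATE]
INITIATE_SIDE = NO
RECEIVE_SIDE  = NO
"""
ACCEPTED = "[VERIFY_CERTIFICATE]\nINITIATE_SIDE = YES\nRECEIVE_SIDE  = RFC3280\n"

if __name__ == "__main__":
    for line_no, key, value in check_verify_certificate(REJECTED):
        print(f"line {line_no}: {key} = {value!r} not in {sorted(VALID_VALUES)}")
```

A parameter that is absent from the section is not reported, because the article does not state what the default is.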

 

Additional Information:

 

The comment for the VERIFY_CERTIFICATE section provided in the SYSconfigssl.cnf file is incorrect. The comment currently states:

 

# OPTIONAL, the following specifies if CA XCOM needs to verify the certificate (YES/NO).

 

The comment will be corrected in a future release.