V6R1 after cumulative PTF SSL not working

Menu Home Forums Search Field Exit - Dedicated to Real World Examples for the IBM i

Forums >> IBM Power Systems >> (QGPL) IBM i

Jump to:

polarbear101

V6R1 after cumulative PTF SSL not working

Posted: 11/20/2015, 04:21:18

Hi *all

After installing cumulative PTF on V6R1 our SSL Client (Mochasoft) is not working anymore.
We don't have a software contract, IBM gives no support, even payed !
Options in STRSST are not working (Security Bulletin CVE-2014-3566).
It is also not possible to access the DCM via port 2001.
SSL-Telnet is up and running according to netstat *cnn.

It seems that SSL V3 is disabled, but a proper error message is not available.
Also downloaded the latest "Java-Client iAccess", same result: NO SSL connection.

Thank you for any help.

Regards

bvstone

RE: V6R1 after cumulative PTF SSL not working

Posted: 11/20/2015, 07:18:00

Try getting to DCM using this link:

http://youribmiaddress:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0

Replace "youribmiaddress" with the IP address of your IBM i. Also, make sure the *ADMIN instance is running.

I've seen many systems where the IBM i tasks page just won't come up, but this link works.

As for Mochasoft, do they provide support? Perhaps it needs an update as well?

Last edited 11/20/2015 at 07:18:00

polarbear101

RE: RE: V6R1 after cumulative PTF SSL not working

Posted: 11/27/2015, 09:47:27

Hi , thank you for your answer, sorry for the delay but there was no notification.

Your trick works, the dcm is displayed but it not helps much. Can't see any certificates.

Tried much, but nothing helped yet.

Mochasoft gave support, but even the latest version not works.

I make my tests now local with the Java-client "IBM i access client solutions", so client and server is from IBM.
The client works fine with the public-server "pub1.de".

Last edited 11/27/2015 at 09:50:46

polarbear101

RE: RE: RE: V6R1 after cumulative PTF SSL not working

Posted: 11/27/2015, 11:20:04

T H A N K Y O U !!!

After some testing i gained access to to DCM with the link you provided.

Renewed the 512 bytes certificate and put it to all services.
With 1024 bytes certificates the ssl-client didn't work.

After enabling SSLV3 and SSL Renegotiation without RFC 5746 to 'ALL' all works fine as before.
For details check Security Bulletin (CVE-2014-3566). Current link (IBM links often changes) :
http://www-01.ibm.com/support/docview.wss?uid=swg21687173
http://www-01.ibm.com/support/docview.wss?uid=nas8N1020451

Things i learned:
- won't touch an IBM System i with an outdated release, even when outdated only 2 months !
- won't touch an IBM System i without hardware AND software maintanence !
If something happens, IBM gives you just NO SUPPORT. In the case above costs for a "renewal" of the contract where over $ 7k !

Have a nice weekend

Regards

Last edited 11/28/2015 at 03:22:15

� Copyright 1983-2024 BVSTools
GreenBoard(v3) Powered by the eRPG SDK, MAILTOOL Plus!, GreenTools for Google Apps, jQuery, jQuery UI, BlockUI, CKEditor and running on the IBM i (AKA AS/400, iSeries, System i).