I am trying to connect two CICS with SSL.
We have a working IPCONN connection, and want to add SSL to it using client/server certificates.
What we did was create two certificates, one for each CICS. We created the rings, defined them in the CICS, and each side exported the certificate to the other and imported. We did that before in CICS version 3.2 (we had other issues then), and we are now at version 4.2 (other side is 4.1).
So each system has its private and public keys, and the public key of the other side.
We defined the TCPIPService on each system:
SSL = YES
Certificate = Local server certificate name
We defined the IPCONN on each system:
SSL = YES
Certificate = Remote server public certificate we imported
Linkauth = Secuser
Userauth = Identify
Securityname = Username running on each side.
On the CICS 4.1 system, the install of the IPCONN is fine.
On the CICS 4.2 system, the install gives an error:
DFHAM4889E Install of IPCONN ___ failed because CERTIFICATE (remote system certificate) is invalid.
DFHAM4928E Install of IPCONN ___ failed because the specified certificate does not have a private key.
The remote system has exported their certificate as they always do. We imported it using the RACF command as we did before:
RACDCERT ID (cics user) ADD(file) TRUST
I'm trying to figure out what I am doing wrong.
As far as I know, I don't need to get the private key of the remote system, and the IPCONN is supposed to use the client certificate.
This is according to the guides I was able to find online and what I could figure out from the CICS to CTG example in the CICS documentation.