4 Replies Latest reply on Apr 20, 2020 8:00 AM by Gilles Robert

    how to custumize mainview explorer to use TLS

    Thabiso Makuweng
      Share This:

      HI

       

      am trying to configure Mainview explorer to use TLS but i keep getting the following error.

       

      TLS=Y is specified, parm is missing: SSLCERT_LOCATION=            

      MVE TCP/IP server failed with reason=Required SSL parameter missing

      MVE TCP/IP(BQY2176) server is ended with error                    

      MvExplorer host server failed-TCPIP control task failed with error

      Explorer Host Server shutdown in progress                         

      CAS(BBCX) connection is terminated                                

      MvExplorer host server shutdown complete - cc=0016                

       

       

      but i have specified the SSLCERT_LOCATION=

       

      HOSTCN=https://BBXPLSYSX:3940    

      SSLCERT_LOCATION=DSN             

      SSLCERT_NAME=****.BBEXP.CERT.Y2022

      SSLKEY_LOCATION=R_DATALIB        

      SSLKEY_NAME=****.BBEXP.CERT.Y2022

        • 1. Re: how to custumize mainview explorer to use TLS
          Gilles Robert

          Hello Thabiso,

           

          I would recommend you generate a certificate according to your site convention and create a keyring in RACF  (or equivalent).

          Using a dataset to hold the key is good for testing purposes and require others steps.

           

          In your BBMVExx you can have something like:

           

          TCPNAME=TCPIP            Name of the  TCP Address Space

          TLS_VERSION_V12=REQUIRED  TLS version

          HOSTCN=sysa.bmc.com      Same as SUBJECTSDN(CN(.....) in the certificate

          SSLCERT_LOCATION=R_DATALIB

          SSLCERT_NAME=MV#STC/SYSA

           

          where MV#STC is the userid owing the keyring and the owner associate with the MV Explorer STC. And SYSA is the keyring the certificates chain is added to.

           

          The certificate can be generated using something along this; where you should change CN and URI to match the hostname of your mainframe and other fields according to your standard.

          In particular the signing authority (SIGNWITH), the example here assume you can signed certificate using your own organisation CA.

           

          RACDCERT GENCERT +

                   ID(MV#STC)                                   +

                   SUBJECTSDN( CN( 'sysa.bmc.com' )             +

                               OU( 'Software Consulting' )      +

                               O( 'BMC Software Inc.' )         +

                               T( 'MainView Explorer' )         +

                               L( 'Houston' )                   +

                               S( 'Texas' )                     +

                               C( 'US' ) )                      +

                   ALTNAME(                                     +

                            DOMAIN( 'sysa.bmc.com' )            +

                            EMAIL('gilles_robert@bmc.com')      +

                            URI('https://sysa.bmc.com:3940')    +

                          )                                     +

                   SIZE(2048)                                   +

                   NOTBEFORE(DATE(2019-07-01) TIME(00:00:00))   +

                   NOTAFTER (DATE(2029-06-30) TIME(23:59:59))   +

                   WITHLABEL('MVExp.SYSA.Cert')                 +

                   SIGNWITH(CERTAUTH                            +

                      LABEL('SYSA Local Certificate Authority') +

                           )                                    +

                   KEYUSAGE( HANDSHAKE DATAENCRYPT )

           

          then add a keyring accordingly

           

          RACDCERT ADDRING(SYSA)    ID(MV#STC)

          RACDCERT CONNECT(CERTAUTH                            +
                    LABEL('SYSA Local Certificate Authority')   +
                    RING(SYSA) )                         +
                    ID(MV#STC)

          RACDCERT CONNECT(ID(MV#STC)                         +
                    LABEL('MVExp.SYSA.Cert')                   +
                    DEFAULT                                    +
                    RING(BMCA) USAGE(PERSONAL) )        +
                    ID(MV#STC)

           

          Regards, Gilles

          2 of 2 people found this helpful
          • 2. Re: how to custumize mainview explorer to use TLS
            Thabiso Makuweng

            Hi Robert

             

            Thank you for your response and the above advise was helpful and we managed to get the STC up but could not connect using web browser.

             

            the following is the error we get when trying to connect to a browser.

             

            BBWIC070E Reason: Received TLS Alert:2/Fatal Value:46/Certificate Unknown (rc

            BBWIC070E TcpChannel Receive error code:-1                                  

            BBWIC070E Reason: Received TLS Alert:2/Fatal Value:46/Certificate Unknown (rc

            BBWIC070E TcpChannel Receive error code:-1                                  

            BBWIC070E Reason: Received TLS Alert:2/Fatal Value:46/Certificate Unknown (rc

            BBWIC070E TcpChannel Receive error code:-1                                  

            BBWIC070E Reason: Received TLS Alert:2/Fatal Value:46/Certificate Unknown (rc

            BBWIC070E TcpChannel Receive error code:-1                                  

            BBWIC070E Reason: Received TLS Alert:2/Fatal Value:46/Certificate Unknown (rc

            BBWIC070E TcpChannel Receive error code:-1                                  

            BBWIC070E Reason: Received TLS Alert:2/Fatal Value:46/Certificate Unknown (rc

            BBWIC070E TcpChannel Receive error code:-1                                  

            BBWIC070E Reason: Received TLS Alert:2/Fatal Value:46/Certificate Unknown (rc

            BBWIC070E TcpChannel Receive error code:-1                                  

            BBWIC070E Reason: Received TLS Alert:2/Fatal Value:46/Certificate Unknown (rc

             

            Thank you

            • 3. Re: how to custumize mainview explorer to use TLS
              Oliver Lemke

              Hi Thabiso,

               

              there is a chance that the error is caused by the workstation on which you are trying to run the MV Explorer. Let me suggest the following:

               

              1.) Clear the browser cache and close all instances of the browser

              2.) Clear the Java cache (*)

              3.) Open the browser and point it to the MVE launch page

              4.) Launch MVE

               

              (*) Either use the Java contol panel to empty the java cache -or- run:

              javaws -Xclearcache

              from a command prompt. Please note that this is a capital (upper case) X and that rest is all in lower case.

               

              Should you be prompted to trust a certificate and it is your certificate, then please trust it.

               

              This purpose of this procedure is to fully refresh the MV Explorer application in the java cache and there is hope that this will resolve the issue.

               

              If it does not help, please do not hesitate to raise a Support Case with BMC Customer Support. Thanks!

               

              Best regards,

              Oliver

              • 4. Re: how to custumize mainview explorer to use TLS
                Gilles Robert

                Hello Thabisco,

                 

                Make sure both the Gateway has

                 

                IEFC653I SUBSTITUTION JCL - PGM=BBW9IA00,PARM=('SSID=BBCS,PORT=3940','USERDS=%UPFX.%USERID.%BBDEF','TLS=Y,

                BBMMVE=CA'),REGION=0M,ACCT=6410,TIME=NOLIMIT

                 

                and (the latest method of using Explorer with the mve image) you pass this parameter:

                 

                C:\Data\MVExplorer\mveimage\bin\javaw.exe -Xmx1024m -Dsun.java2d.uiScale=1 -m com.bmc.mve bmca 3940 expref=s

                 

                This insure both end initialize with TLS active.

                 

                Hope this help, if not I suggest you contact BMC's support or your local BMC's software consultant.

                 

                Regards, Gilles

                1 of 1 people found this helpful