Windows Server Forum / Host Integration Server / June 2008
TN3270 service in HIS 2004 may not start with verisign certificate
Peter Shen - 12 Jun 2008 14:30 GMT
We run the TN3270 service in HIS 2004 and it does not start with a VeriSign certificate.
I have installed hotfix KB906915, but the problem still exists.

Application log:

Event message 1
Source: TN3270 Server
Event ID: 1025
Event Time: Date Time
Description: A server certificate was found but was invalid, chain error 0x1000040

Event message 2
Source: TN3270 Server
Event ID: 1024
Event Time: Date Time
Description: Server authentication certificate with common name Certificate_Name not found

Event message 3
Source: TN3270 Server
Event ID: 1022
Event Time: Date Time
Description: Port 23 rejected - no credentials available

Event message 4
Source: TN3270 Server
Event ID: 1021
Event Time: Date Time
Description: No port security records available - no ports configured

Event message 5
Source: TN3270 Server
Event ID: 102
Event Time: Date Time
Description: TN3270E Service initialization completed by initialization error.
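As an added triage example (not from the thread), the following Windows PowerShell pulls the TN3270 Server events quoted above out of the Application log in time order and decodes the hex chain error. The 0x1000040 in event 1025 is CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40) combined with CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000) from wincrypt.h, so the chain build failed on the revocation check (the CRL could not be retrieved or evaluated) rather than on the root or the common name. .NET's X509ChainStatusFlags uses the same bit values, which is what the decoder relies on. The event descriptions in the table are paraphrased from the log lines above; the event source and IDs are the ones logged there.

```powershell
# Added example, not from the thread: triage TN3270 Server startup failures
# from the Application log and decode the chain-error bitmask from event 1025.
# Run on the HIS server with rights to read the Application log.

# Event IDs as logged in the thread; descriptions paraphrased from those lines.
$tn3270StartupEvents = @{
    1025 = 'Server certificate found but invalid (chain error)'
    1024 = 'Certificate with the expected common name not found'
    1022 = 'Port rejected - no credentials available'
    1021 = 'No port security records - no ports configured'
    102  = 'TN3270E service initialization ended with an error'
}

function Get-Tn3270StartupFailures {
    param([int]$Newest = 100)
    Get-EventLog -LogName Application -Source 'TN3270 Server' -Newest $Newest -ErrorAction Stop |
        Where-Object { $tn3270StartupEvents.ContainsKey([int]$_.EventID) } |
        Sort-Object TimeGenerated |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeGenerated
                EventID = $_.EventID
                Meaning = $tn3270StartupEvents[[int]$_.EventID]
                Message = $_.Message
            }
        }
}

# Decode a CertGetCertificateChain trust-status value such as the 0x1000040 in
# event 1025. X509ChainStatusFlags carries the CERT_TRUST_* bit values from
# wincrypt.h, so casting the integer to the enum names every set bit.
function ConvertFrom-ChainErrorCode {
    param([Parameter(Mandatory)][string]$HexCode)
    $value = [Convert]::ToInt32(($HexCode -replace '^0[xX]', ''), 16)
    [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]$value
}

# Usage:
# Get-Tn3270StartupFailures | Format-Table Time, EventID, Meaning -AutoSize
# ConvertFrom-ChainErrorCode '0x1000040'
```

Get-EventLog exists in Windows PowerShell up to 5.1; on PowerShell 7 the same query is made with Get-WinEvent and a FilterHashtable on LogName, ProviderName and Id. The decoder is the quick way to read any future 1025 event: if it reports UntrustedRoot or PartialChain the fix is in the root store, if it reports RevocationStatusUnknown or OfflineRevocation the server cannot reach the issuer's CRL.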
Neil Pike - 12 Jun 2008 17:39 GMT
Peter - if you look at the cert via Internet Explorer, does the certificate
chain appear correct? Has the server had its root certificates updated via
Windows Update at all?

Neil Pike.  Protech Computing Ltd
Microsoft SNA/HIS MVP
https://mvp.support.microsoft.com/profile=BE66F0D8-9D78-47EF-840A-08E6D8522A2D
http://www.linkedin.com/in/neilpike
Peter Shen - 13 Jun 2008 01:16 GMT
Neil,

Thanks for your response.

I have a correct certificate chain in IE, because HTTPS works fine in IE,
but HIS 2004 fails.
I have updated the VeriSign root certificate to the latest version.
The root certificate is Class 3 Public Primary Certification Authority.
Its valid period is from 1996/1/29 to 2028/8/2.
Neil Pike - 13 Jun 2008 08:00 GMT
Peter - in that case it's very odd as it is a match for the KB you referenced.
Have you checked the version properties on tn3servr.exe to make sure the
hotfix has definitely been applied?

The only other suggestion is to apply SP1 for HIS 2004 if you haven't already.

One for MS PSS to assist in debugging I think.

Neil Pike.  Protech Computing Ltd
Microsoft SNA/HIS MVP
https://mvp.support.microsoft.com/profile=BE66F0D8-9D78-47EF-840A-08E6D8522A2D
http://www.linkedin.com/in/neilpike
Peter Shen - 13 Jun 2008 11:18 GMT
Neil:

Thanks for your help.
I applied the hotfix (KB 906815); the tn3servr.exe version is 2005/9/2.
I also applied SP1; the tn3servr.exe version is 2007/8/13.
But the problem remains, with the same error log messages.
Neil Pike - 13 Jun 2008 17:46 GMT
Peter,

Does the Common Name (CN) on the cert match the hostname of the server?

If not, you can change what name it looks for, as described below.

--------

By default, the TN3270 server will look for a certificate with a common name
that matches its host name, for example, the name returned by gethostname. This
can be changed by the following registry entry (stored in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TN3270\Parameters):

SSLServerCertCN

This entry contains a string containing the new CN for the certificate. The
registry is checked for entries only when the TN3270 server is started. For any
changes in the registry entries to take effect, the TN3270 server must be
restarted.

Neil Pike.  Protech Computing Ltd
Microsoft SNA/HIS MVP
https://mvp.support.microsoft.com/profile=BE66F0D8-9D78-47EF-840A-08E6D8522A2D
http://www.linkedin.com/in/neilpike
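An added check (not Neil's or Microsoft's code) that follows the rule just quoted: read SSLServerCertCN from the Parameters key named above (written here as a PowerShell HKLM: path), fall back to the host name, then look in the Personal store for a certificate with exactly that common name and build its chain with an online revocation check, which is the kind of failure event 1025 reports. Run it as the TN3270 service account so that CurrentUser is that account's Personal store; LocalMachine is checked as well. If it prints nothing for a location, that is the situation event 1024 describes. Passing a different -ExpectedCn (for example the FQDN form) tests Neil's later suggestion without touching the registry.

```powershell
# Added example, not from the thread: find the certificate the TN3270 server
# will look for and check whether its chain builds, revocation check included.
$tn3270Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\TN3270\Parameters'  # key quoted in the thread

function Get-ExpectedTn3270Cn {
    # Per the quoted text: SSLServerCertCN overrides the CN, otherwise gethostname() is used.
    $params = Get-ItemProperty -Path $tn3270Params -Name SSLServerCertCN -ErrorAction SilentlyContinue
    if ($params -and $params.SSLServerCertCN) { return [string]$params.SSLServerCertCN }
    [System.Net.Dns]::GetHostName()
}

function Test-Tn3270Certificate {
    param(
        [string]$ExpectedCn = (Get-ExpectedTn3270Cn),
        # CurrentUser is the Personal store of whoever runs this; run as the service account.
        [string[]]$Locations = @('CurrentUser', 'LocalMachine')
    )
    $found = $false
    foreach ($location in $Locations) {
        $loc   = [System.Security.Cryptography.X509Certificates.StoreLocation]$location
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'My', $loc
        $store.Open('ReadOnly')
        try {
            foreach ($cert in $store.Certificates) {
                # SimpleName is the CN; the server matches on that, not on the full subject.
                $cn = $cert.GetNameInfo('SimpleName', $false)
                if ($cn -ne $ExpectedCn) { continue }   # -ne is case-insensitive in PowerShell
                $found = $true

                $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
                $chain.ChainPolicy.RevocationMode = 'Online'       # an unreachable CRL shows up as OfflineRevocation here
                $chain.ChainPolicy.RevocationFlag = 'EntireChain'
                $builds = $chain.Build($cert)
                $statusText = 'NoError'
                if (-not $builds) {
                    $statusText = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '
                }
                [pscustomobject]@{
                    Store         = "$location\My"
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    HasPrivateKey = $cert.HasPrivateKey   # the server cannot use a cert without its key
                    NotAfter      = $cert.NotAfter
                    ChainBuilds   = $builds
                    ChainStatus   = $statusText
                }
            }
        } finally {
            $store.Close()
        }
    }
    if (-not $found) {
        Write-Warning "No certificate with CN '$ExpectedCn' in the Personal store(s) checked; compare event 1024."
    }
}

# Usage:
# Test-Tn3270Certificate | Format-List
# Test-Tn3270Certificate -ExpectedCn ([System.Net.Dns]::GetHostEntry('').HostName)   # FQDN variant
```

The registry is read only at service start, as the quoted text says, so after changing SSLServerCertCN the service has to be restarted; the key sits under Services\TN3270, which suggests the service name is TN3270, but confirm it with Get-Service before using Restart-Service.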
Peter Shen - 14 Jun 2008 12:19 GMT
Neil,

The common name (CN) on the cert matches the hostname of the server.
I use the same name for both the CN and the server name.
Neil Pike - 15 Jun 2008 00:00 GMT
Peter - is the CN a fully qualified domain name? I.e. if the server is called
hisserver and the domain is mycompany.com, is the CN "hisserver" or
"hisserver.mydomain.com"? My only other idea is to change it to whichever it
currently isn't.

Neil Pike.  Protech Computing Ltd
Microsoft SNA/HIS MVP
https://mvp.support.microsoft.com/profile=BE66F0D8-9D78-47EF-840A-08E6D8522A2D
http://www.linkedin.com/in/neilpike
Stephen Jackson [MSFT] - 18 Jun 2008 20:54 GMT
Peter,

We have seen this issue with invalid server certificates or when using an
unknown certificate server that created a certificate that didn't contain
the appropriate fields.

You could try using a Self-Signed Certificate created with the SelfSSL
utility included in the IIS 6.0 Resource Kit to see if you can get it to
work with that certificate.

Here are some details around how to do this:

1. Make sure you are using HIS 2004 SP1 (or have applied the hotfix
described in KB 906915).

2. Download the Internet Information Services (IIS) 6.0 Resource Kit:

http://www.microsoft.com/downloads/details.aspx?FamilyID=80a1b6e6-829e-49b7-8c02-333d9c148e69&DisplayLang=en

Default directory:
C:\Program Files\IIS Resources\SelfSSL\selfssl.exe

3. Create the certificate:

SelfSSL Version 1.0 Syntax

SelfSSL uses the following syntax:

SELFSSL [/T] [/N:cn] [/K:keylength] [/V:duration-of-validity] [/S:site-id] [/P:port] [/Q]

Parameters

/T
Adds the self-signed certificate to the "Trusted Certificates" list. The local
browser trusts the self-signed certificate only if this parameter has been
specified.

/N:cn
Specifies the common name of the certificate. The computer name is used if
you do not specify a common name.

/K:keylength
Specifies the certificate key length. The default is 1024.

/V:duration-of-validity
Specifies the duration for which the certificate is valid. The default is 7
days.

/S:site-id
Specifies the site ID of the SSL-protected site. The default is 1 for the
default Web site.

/P:port
Specifies the SSL port. The default is 443.

/Q
Specifies Quiet mode. In Quiet mode, any existing settings for the site are
overwritten silently.

The following syntaxes are valid (make sure to replace the /N: values with
your server name):

SELFSSL /T /N:<servername> /K:1024 /V:365 /Q
SELFSSL /T /N:<fully-qualified server name> /K:1024 /V:365 /Q

NOTE: The IIS self-signed certificate gets created in the Computer's Personal
Store. It will then need to be manually copied from the Computer's Personal
Store to the TN3270 Service Account User's Personal Store and Trusted Root
Certification Authorities store.

Stephen Jackson
Microsoft® HIS Support

Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only. This posting is provided "AS IS"
with no warranties, and confers no rights.

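The final step of the procedure above, copying the certificate from the computer's Personal store into the service account's Personal and Trusted Root stores, as an added PowerShell example rather than anything from the thread or the IIS Resource Kit. It assumes it is run while logged on as the TN3270 service account and that SelfSSL created the private key exportable (the thread does not say whether it does; if the Export call fails, the Certificates MMC snap-in is the fallback). The function name Copy-CertToUserStores is this example's own.

```powershell
# Added example, not from the thread: copy the SelfSSL certificate from the
# computer's Personal store into the current user's Personal and Trusted Root
# stores. Run while logged on as the TN3270 service account.
function Copy-CertToUserStores {
    param(
        [Parameter(Mandatory)][string]$CommonName,
        [Parameter(Mandatory)][securestring]$TransportPassword  # protects the PFX bytes between export and import
    )
    $ns = 'System.Security.Cryptography.X509Certificates'

    # Locate the newest certificate with that CN and a private key in LocalMachine\My.
    $machineStore = New-Object "${ns}.X509Store" -ArgumentList 'My', 'LocalMachine'
    $machineStore.Open('ReadOnly')
    try {
        $cert = @($machineStore.Certificates |
            Where-Object { $_.HasPrivateKey -and $_.GetNameInfo('SimpleName', $false) -eq $CommonName } |
            Sort-Object NotAfter -Descending)[0]
    } finally {
        $machineStore.Close()
    }
    if (-not $cert) { throw "No certificate with CN '$CommonName' and a private key in LocalMachine\My" }

    # Assumption: the key is exportable. Re-importing with PersistKeySet stores the
    # key in the current user's profile, which is what the service account needs.
    $pfxBytes   = $cert.Export('Pfx', $TransportPassword)
    $flags      = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
    $userCert   = New-Object "${ns}.X509Certificate2" -ArgumentList $pfxBytes, $TransportPassword, $flags
    $publicOnly = New-Object "${ns}.X509Certificate2" -ArgumentList (,$cert.RawData)   # Root needs no private key

    foreach ($target in @(@{ Name = 'My'; Cert = $userCert }, @{ Name = 'Root'; Cert = $publicOnly })) {
        $userStore = New-Object "${ns}.X509Store" -ArgumentList $target.Name, 'CurrentUser'
        $userStore.Open('ReadWrite')
        try { $userStore.Add($target.Cert) } finally { $userStore.Close() }
    }
    $cert.Thumbprint
}

# Usage (SelfSSL defaults the CN to the computer name when /N: is omitted):
# $pw = Read-Host -AsSecureString 'Transport password'
# Copy-CertToUserStores -CommonName $env:COMPUTERNAME -TransportPassword $pw
```

Adding to the CurrentUser Trusted Root store raises Windows' "install this CA certificate" confirmation in an interactive session, which is expected; the self-signed certificate is its own root, so only the key-less copy goes there while the Personal store receives the copy with the private key.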