We run TN3270 service in HIS 2004 may not start with verisign certificate,
I have updated the hotfix KB906915, but the problem is still exist.

Application log:

Event message 1
Source: TN3270 Server
Event ID: 1025
Event Time: Date Time
Description: A server certificate was found but was invalid, chain error 
0x1000040 

Event message 2
Source: TN3270 Server
Event ID: 1024
Event Time: Date Time
Description: Server authentication certificate with common name

Certificate_Name not found

Event message 3
Source: TN3270 Server
Event ID: 1022
Event Time: Date Time
Description: Port 23 rejected - no credentials available

Event message 4
Source: TN3270 Server
Event ID: 1021
Event Time: Date Time
Description: No port security records available - no ports configured

Event message 5
Source: TN3270 Server
Event ID: 102
Event Time: Date Time
Description: TN3270E Service initialization completed by initialization error.

Peter - if you look at the cert via Internet Explorer does the certificate 
chain appear correct?  Has the server had it's root certificates updated via 
windows update at all?
 
 Neil Pike.  Protech Computing Ltd
 Microsoft SNA/HIS MVP
 https://mvp.support.microsoft.com/profile=BE66F0D8-9D78-47EF-840A-08E6D8522A2D
 http://www.linkedin.com/in/neilpike

"Neil Pike" wrote:

>  Peter - if you look at the cert via Internet Explorer does the certificate 
> chain appear correct?  Has the server had it's root certificates updated via 
> windows update at all?
>  
>  Neil Pike.  Protech Computing Ltd
>  Microsoft SNA/HIS MVP
>  https://mvp.support.microsoft.com/profile=BE66F0D8-9D78-47EF-840A-08E6D8522A2D
>  http://www.linkedin.com/in/neilpike
> 
> 
>

Neil,

Thanks for your response.

I have a correct certificate chain in IE, because I work fine via HTTPS (IE).
but HIS 2004 work fail.
I have updated verisign root certificate to latest version.
Root certificate is Class 3 Public Primary Certification Authority.
Valid period is from 1996/1/29 to 2028/8/2.


"Neil Pike" wrote:

>  Peter - if you look at the cert via Internet Explorer does the certificate 
> chain appear correct?  Has the server had it's root certificates updated via 
> windows update at all?
>  
>  Neil Pike.  Protech Computing Ltd
>  Microsoft SNA/HIS MVP
>  https://mvp.support.microsoft.com/profile=BE66F0D8-9D78-47EF-840A-08E6D8522A2D
>  http://www.linkedin.com/in/neilpike
> 
> 
>

Peter - in that case it's very odd as it is a match for the KB you referenced. 
 Have you checked the version properties on tn3servr.exe to make sure the 
hotfix has definitely been applied?
 
 Only other suggestion is to apply SP1 for HIS2004 if you haven't already.
 
 One for MS PSS to assist in debugging I think.
 
 Neil Pike.  Protech Computing Ltd
 Microsoft SNA/HIS MVP
 https://mvp.support.microsoft.com/profile=BE66F0D8-9D78-47EF-840A-08E6D8522A2D
 http://www.linkedin.com/in/neilpike

Neil:

Thanks for your help.
I  upgrade the hotfix(KB 906815), the tn3servr.exe version is 2005/9/2.
and I also upgrade the SP1 , the tn3servr.exe version is 2007/8/13.
but the problem is same error log message.

"Neil Pike" wrote:

>  Peter - in that case it's very odd as it is a match for the KB you referenced. 
>  Have you checked the version properties on tn3servr.exe to make sure the 
> hotfix has definitely been applied?
>  
>  Only other suggestion is to apply SP1 for HIS2004 if you haven't already.
>  
>  One for MS PSS to assist in debugging I think.
>  
>  Neil Pike.  Protech Computing Ltd
>  Microsoft SNA/HIS MVP
>  https://mvp.support.microsoft.com/profile=BE66F0D8-9D78-47EF-840A-08E6D8522A2D
>  http://www.linkedin.com/in/neilpike
> 
> 
>

Peter,

Does the Common Name (CN) on the cert match the hostname of the server?

If not you can change what name it looks for below

--------

By default, the TN3270 server will look for a certificate with a common name 
that matches its host name, for example, the name returned by gethostname. This 
can be changed by the following registry entry (stored in 
HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/TN3270/Parameters): 

SSLServerCertCN 


This entry contains a string containing the new CN for the certificate. The 
registry is checked for entries only when the TN3270 server is started. For any 
changes in the registry entries to take effect, the TN3270 server must be 
restarted.


 Neil Pike.  Protech Computing Ltd
 Microsoft SNA/HIS MVP
 https://mvp.support.microsoft.com/profile=BE66F0D8-9D78-47EF-840A-08E6D8522A2D
 http://www.linkedin.com/in/neilpike

Neil,

The Common name(CN) on cert match the hostname of the server.
I use same name both CN and server name.

"Neil Pike" wrote:

> Peter,
> 
> Does the Common Name (CN) on the cert match the hostname of the server?
> 
> If not you can change what name it looks for below
> 
> --------
> 
> By default, the TN3270 server will look for a certificate with a common name 
> that matches its host name, for example, the name returned by gethostname. This 
> can be changed by the following registry entry (stored in 
> HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/TN3270/Parameters): 
> 
> SSLServerCertCN 
> 
> 
> This entry contains a string containing the new CN for the certificate. The 
> registry is checked for entries only when the TN3270 server is started. For any 
> changes in the registry entries to take effect, the TN3270 server must be 
> restarted.
> 
> 
>  Neil Pike.  Protech Computing Ltd
>  Microsoft SNA/HIS MVP
>  https://mvp.support.microsoft.com/profile=BE66F0D8-9D78-47EF-840A-08E6D8522A2D
>  http://www.linkedin.com/in/neilpike
> 
> 
>

Peter - is the CN a fully qualified domain name?   i.e. if the server is called 
hisserver and the domain is mycompany.com, is the CN "hisserver" or 
"hisserver.mydomain.com" ?  My only other idea is to change it to whichever it 
currently isn't. 
 
> The Common name(CN) on cert match the hostname of the server.
> I use same name both CN and server name.
> 
> "Neil Pike" wrote:
> 
> > Peter,
> > 
> > Does the Common Name (CN) on the cert match the hostname of the server?
> > 
> > If not you can change what name it looks for below
> > 
> > --------
> > 
> > By default, the TN3270 server will look for a certificate with a common name 
> > that matches its host name, for example, the name returned by gethostname. This 
> > can be changed by the following registry entry (stored in 
> > HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/TN3270/Parameters): 
> > 
> > SSLServerCertCN 
> > 
> > 
> > This entry contains a string containing the new CN for the certificate. The 
> > registry is checked for entries only when the TN3270 server is started. For any 
> > changes in the registry entries to take effect, the TN3270 server must be 
> > restarted.
> > 
> > 
> >  Neil Pike.  Protech Computing Ltd
> >  Microsoft SNA/HIS MVP
> >  https://mvp.support.microsoft.com/profile=BE66F0D8-9D78-47EF-840A-08E6D8522A2D
> >  http://www.linkedin.com/in/neilpike
> > 
> > 
> > 


 Neil Pike.  Protech Computing Ltd
 Microsoft SNA/HIS MVP
 https://mvp.support.microsoft.com/profile=BE66F0D8-9D78-47EF-840A-08E6D8522A2D
 http://www.linkedin.com/in/neilpike

Peter,

We have seen this issue with invalid server certificates or when using an 
unknown certificate server that created a certificate that didn't contain 
the appropriate fields.

You could try using a Self-Signed Certificate created with the SelfSSL 
utility included in the IIS 6.0 Resource Kit to see if you can get it to 
work with that certificate.

Here are some details around how to do this:

1. Make sure you are using HIS 2004 SP1 (or have applied the hotfix 
described in KB 906915).

2. Downloaded Internet Information Services (IIS) 6.0 Resource Kit:

http://www.microsoft.com/downloads/details.aspx?FamilyID=80a1b6e6-829e-49b7-8c02-333
d9c148e69&DisplayLang=en

Default directory
C:\Program Files\IIS Resources\SelfSSL\selfssl.exe

3. Create the certificate:

SelfSSL Version 1.0 Syntax
Overview | Syntax | Complementary Tools
--------------------------------------------------------------------------------

SelfSSL uses the following syntax:

SELFSSL [/T] [/N:cn] [/K:keylength] [/V:duration-of-validity] [/S:site-id]
[/P:port] [/Q]

Parameters
/T
Adds the self-signed certificate to the "Trusted Certificates" list. The 
local
browser trusts the self-signed certificate only if this parameter has been
specified.

/N:cn
Specifies the common name of the certificate. The computer name is used if 
you do
not specify a common name.

/K:keylength
Specifies the certificate key length. The default is 1024.

/V:duration-of-validity
Specifies the duration for which the certificate is valid. The default is 7 
days.


/S:site-id
Specifies the site ID of the SSL-protected site. The default is 1 for the 
default
Web site.

/P:port
Specifies the SSL port. The default is 443.

/Q
Specifies Quiet mode. In Quiet mode, any existent settings for the site are
overwritten silently.

The following syntaxes are valid (make sure to replace the /N: values with 
your server name):

SELFSSL /T /N:<servername> /K:1024 /V:365 /Q
SELFSSL /T /N:<fully-qualified server name>/K:1024 /V:365 /Q

NOTE: The IIS Self-Signed Certificate gets created in the Computers Personal 
Store.
It will then need to be manually copied from the Computer's Personal Store 
to the
TN3270 Service Account User's Personal Store and Trusted Root Certification
Authorities store

-- 
Stephen Jackson
Microsoft® HIS Support

Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only. This posting is provided "AS IS"
with no warranties, and confers no rights.


"Peter Shen"  wrote in message 
news:E3E28647-7909-4BC8-8F06-17E150839E81@microsoft.com...
> Neil,
>
> The Common name(CN) on cert match the hostname of the server.
> I use same name both CN and server name.
>
> "Neil Pike" wrote:
>
>> Peter,
>>
>> Does the Common Name (CN) on the cert match the hostname of the server?
>>
>> If not you can change what name it looks for below
>>
>> --------
>>
>> By default, the TN3270 server will look for a certificate with a common 
>> name
>> that matches its host name, for example, the name returned by 
>> gethostname. This
>> can be changed by the following registry entry (stored in
>> HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/TN3270/Parameters):
>>
>> SSLServerCertCN
>>
>>
>> This entry contains a string containing the new CN for the certificate. 
>> The
>> registry is checked for entries only when the TN3270 server is started. 
>> For any
>> changes in the registry entries to take effect, the TN3270 server must be
>> restarted.
>>
>>
>>  Neil Pike.  Protech Computing Ltd
>>  Microsoft SNA/HIS MVP
>> 
>> https://mvp.support.microsoft.com/profile=BE66F0D8-9D78-47EF-840A-08E6D8522A2D
>>  http://www.linkedin.com/in/neilpike
>>
>>
>>