SSL Certificate Failures

[Gary L Peskin <garyp@xxxxxxxxxxxx>]

I have a Java client application trying to open a secure socket to an
SSL 2.0 web server.  I'm unable to get a successful handshake with the
server even though I can connect fine from my browser.

In java, the relevant part of the stack trace looks like this:

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    java/lang/Throwable.<init>(Ljava/lang/String;)V+4 Throwable.java:90)
com/ibm/as400/ibmonly/net/ssl/SSLSessionImpl.getPeerCertificateChain()[Ljavax/security/cert/X509Certificate;+47
(SSLSessionImpl.java:247)
    <my application follows>

I have DCM installed as well as AC3 and I have created the *SYSTEM
certificate store.  I haven't set up any kind of client application
under the DCM "Manage Applications" section but I can't see why that
should be necessary.  Is it?  I just want my client to trust all CAs
that are enabled.

All of the supplied CA certificates are marked enabled and one of them
is the parent of the certificate that signed the server's certificate.

I did a TRCCNN and got the following messages:

1.  From AS/400 client to server:  CLIENT-HELLO.  This looks fine.
2.  From server to AS/400:  SERVER-HELLO.  This also looks fine.  It is
an SSL 2.0 SERVER-HELLO.
3.  From AS/400 client to server:  The following message is sent (in
hex):
       
      8003 000004

I looked this up and it indicates an SSL_PE_BAD_CERTIFICATE error as
defined by the SSL 2.0 protocol.

Can I find out why the AS/400 thinks the certificate is bad?  There is
some mention in the information center of a flight recorder for SSL but
I don't know how to access it or interpret it.  Will it show me exactly
why the server's certificate is not being accepted?

Anyone ideas on what I can do to find out exactly why I'm unable to
complete the SSL handshake would be appreciated.

Thanks,
Gary