Certificate Renewal - Any CCISSLGW actions required?
search cancel

Certificate Renewal - Any CCISSLGW actions required?

book

Article ID: 191881

calendar_today

Updated On:

Products

COMMON SERVICES FOR Z/OS Common Services LDAP SERVER FOR Z/OS CHORUS SOFTWARE MANAGER WEB ADMINISTRATOR FOR TOP SECRET Output Management Web Viewer Top Secret ACF2 - z/OS

Issue/Introduction

Running CA Security Command Propagation Facility (CPF) to propagate security commands between complexes using the CA Common Services CCISSLGW task and secure IP connections.

There is a need to renew the digital certificate used by CCISSLGW.

Once it's been changed (no change to label, subject/issuer DN or CA certs not changing) and a refresh is done...

  • what's required to activate the new cert in CCISSLGW?
  • any refresh or recycle command required?
  • how do we confirm the new cert is being used?

Environment

Release : 15.0
Component : CCIMVS : CAICCI-MVS

Resolution

  • CCISSLGW has to be restarted to use the updated certificate.
  • No special CCI parameter or commands required. A simple recycle of the CCISSLGW STC is all that is required. A "P CCISSLGW" command should be all that is required.
  • After restarting CCISSLGW, check the joblog (SYSPRINT) for serial number ("CERT_SERIAL_NUMBER is:"). Compare this with a display of the certificate using the appropriate security command. If the the serial numbers match, then CCISSLGW is using the renewed certificate.

Additional Information

When CCISSLGW is started, it initializes a System SSL environment, which loads the certificate info from the keyring database into memory.  Later, when a connection is requested, System SSL will grab the certificate info from memory, not the keyring database itself.  So, any updates in the keyring database will not affect CCISSLGW until it's recycled.