Installing the new DigiCert Global Root G2 certificate for CA SMP/E Internet Service Retrieval fails with a DUPLICATE error

Article ID: 207725

Products

CA ACF2, CA Top Secret, CA Common Services, CA Workload Automation CA 7 Edition

Issue/Introduction

On 01-31-2021 an Alert for CA SMP/E Internet Service Retrieval documented the requirement for a new DigiCert Global Root G2 certificate. After downloading the new DigiCert Global Root G2 certificate, uploading it to z/OS, and trying to INSERT (ACF2) or ADD (Top Secret or RACF) it, the following DUPLICATE message is issued:

ACF2
ACF00176 Duplicate certificate detected - CERTAUTH.suffix

Top Secret
TSS0940I DUPLICATE CERTIFICATE DETECTED - CERTAUTH - 00.CN=xxxxxxx.ST=yyyyyyy

RACF
IRRD109I The certificate cannot be added.  Profile 033af1e6a711a9a0bb2864b11d09fae5.
CN=DigiCert¢Global¢Root¢G2.OU=www.digicert.com.OU=www.digicert.com.O=DigiCert¢Inc.C=US is already defined.  

Resolution

To verify that the new DigiCert Global Root G2 certificate is an exact duplicate of the existing certificate, sites can LIST the existing certificate and check that its SERIAL number matches Serial: 033af1e6a711a9a0bb2864b11d09fae5. As long as the SERIAL number matches, sites can connect the existing certificate with Serial: 033af1e6a711a9a0bb2864b11d09fae5 to their existing SMP/E Keyring.

To LIST the existing certificate and display its serial number, use the following ESM commands:

ACF2
CHKCERT CERTAUTH.suffix

Top Secret
TSS LIST(CERTAUTH) LABLCERT('certificate label')

RACF   
RACDCERT CERTAUTH LIST(LABEL('certificate label')) 
  or, to LIST by the duplicate SERIAL number and determine the LABEL:
RACDCERT CERTAUTH LIST(SERIALNUMBER(033af1e6a711a9a0bb2864b11d09fae5))  
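
The following Python script is an added example, not part of the original article or of any CA or IBM tooling. Run on the workstation that holds the downloaded certificate file, it reads the serial number from a PEM or DER certificate and compares it with the value shown by the LIST command, ignoring case, colons and the `>` `<` delimiters some displays put around the value. The function names and the constructed sample bytes are assumptions for illustration.

```python
import base64
import re

# Serial number quoted in the article for the DigiCert Global Root G2 certificate.
EXPECTED_SERIAL = "033af1e6a711a9a0bb2864b11d09fae5"

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def cert_serial(data):
    """Return the serialNumber of a PEM or DER X.509 certificate as lowercase hex."""
    pem = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", data, re.S)
    der = base64.b64decode(pem.group(1)) if pem else data
    tag, pos, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE
    tag2, pos, _ = _tlv(der, pos)           # tbsCertificate ::= SEQUENCE
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not an X.509 certificate")
    tag, start, end = _tlv(der, pos)
    if tag == 0xA0:                         # optional [0] EXPLICIT version field
        tag, start, end = _tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return der[start:end].hex()

def normalize(serial):
    """Canonical form of a serial as different tools display it."""
    s = re.sub(r"[\s:<>]", "", serial).lower()
    if not re.fullmatch(r"[0-9a-f]+", s):
        raise ValueError("serial is not hexadecimal: %r" % serial)
    return s.lstrip("0") or "0"             # leading zeros are not significant

def same_serial(a, b):
    return normalize(a) == normalize(b)

def _der(tag, body):
    """Helper for the constructed sample: short-form DER encoding (body < 128 bytes)."""
    return bytes([tag, len(body)]) + body

# Constructed sample: only the leading certificate fields, not a real certificate.
SAMPLE_DER = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02"))
                             + _der(0x02, bytes.fromhex(EXPECTED_SERIAL))))

if __name__ == "__main__":
    found = cert_serial(SAMPLE_DER)
    print(found, "match" if same_serial(found, EXPECTED_SERIAL) else "MISMATCH")
```

To check a real download, pass the file's bytes to `cert_serial()` in place of `SAMPLE_DER` and paste the serial from the ESM LIST output into `same_serial()`.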


After verifying that the certificate is an exact duplicate, the existing certificate can be CONNECTed to the SMP/E Keyring:

ACF2
SET PROFILE(USER) DIV(KEYRING)
CONNECT CERTDATA(CERTAUTH.suffix) KEYRING(user1.ring) USAGE(CERTAUTH)

Top Secret
TSS ADD(user1) KEYRING(yourSMPE_RingName) RINGDATA(CERTAUTH,yourDigicertCAcertname) -
USAGE(CERTAUTH)

RACF
RACDCERT ID(ring-owner) CONNECT( CERTAUTH LABEL('your Digicert CA certificate label') +
RING(keyringname) USAGE(CERTAUTH) )        

Additional Information

For details on CA ACF2, CA Top Secret, or IBM RACF commands for CA SMP/E Internet Service Retrieval: