CA SMP/E Receive Order getting GIM69207S, SSLHandshakeException Certificate chaining error


Article ID: 207783


Products

CA ACF2, CA Top Secret, CA Common Services for z/OS, CA Common Services

Issue/Introduction

Running CA SMP/E Receive Order fails with the following messages:

GIM69207S ** RECEIVE PROCESSING HAS FAILED BECAUSE THE CONNECTION WITH THE SERVER FAILED.
             javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed:
             java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.;
                                                           
GIM20501I    RECEIVE PROCESSING IS COMPLETE. THE HIGHEST RETURN CODE WAS 12.  

 

Cause

The Broadcom CA SMP/E Receive Order server certificate expired on Friday, February 5, 2021 at 11:30 PM EST.
For SMP/E to authenticate the renewed Broadcom Order server certificate, a new Digicert Global Root G2 certificate is required.
Existing customers who use SMP/E Receive Order to acquire maintenance need to download,
install and CONNECT this new Digicert Global Root G2 certificate to their existing SMP/E keyring.
            

Resolution


If you are using CA SMP/E Receive Order to acquire maintenance, you will need to obtain a new certificate.
The new certificate can be added to your existing keyring.
Use the following instructions to obtain the new certificate and update your keyring within your external
security manager (CA ACF2, CA Top Secret, or IBM RACF).

INSTRUCTIONS:

Use the following instructions to download the new Digicert Global Root G2 certificate: 

1. Download the NEW certificate from https://support.broadcom.com/cadocs/0/certs/eapi/digi-root.crt.

2. Upload the new certificate as text data to a z/OS data set allocated with RECFM=VB and LRECL>=84. If you use FTP, use the following commands to avoid truncation:

          ASCII
          QUOTE SITE WRAP LRECL=84 RECFM=VB
          PUT your_PC_filename 'your.dataset.name' (REPLACE
          quit

3. The keyring will now require three certificates which include:

   (NEW) Root Digicert
   (Existing) Intermediate Digicert 
   (Existing) Broadcom user Certificate.  

4. For details on downloading certificates and using CA ACF2, CA Top Secret, or IBM RACF to add the new certificate to the keyring.  
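
A pre-upload check for step 2, added here as an example (it is not Broadcom's code): it confirms the downloaded file is Base64 text that survives an ASCII transfer, that no line exceeds the 80 data bytes a RECFM=VB, LRECL=84 record can hold, and it prints the SHA-256 fingerprint to compare against the value the CA publishes. The function name and the sample bytes are constructed for illustration; the sample is not a real certificate.

```python
import base64
import hashlib
import re
import textwrap

LRECL = 84             # value from the SITE command in step 2
MAX_DATA = LRECL - 4   # RECFM=VB: LRECL counts the 4-byte record descriptor word
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\r?\n(.*?)-----END CERTIFICATE-----", re.S)


def check_cert_for_upload(data: bytes) -> dict:
    """Check a downloaded certificate file before an ASCII-mode transfer."""
    result = {"ok": False, "problems": [], "sha256": None}
    problems = result["problems"]
    if b"-----BEGIN" not in data and data[:1] == b"\x30":
        problems.append("binary DER file; an ASCII transfer would corrupt it")
        return result
    if any(b > 0x7F for b in data):
        problems.append("non-ASCII bytes in a file that should be Base64 text")
    long_lines = [n for n, ln in enumerate(data.splitlines(), 1)
                  if len(ln) > MAX_DATA]
    if long_lines:
        problems.append(f"lines over {MAX_DATA} bytes: {long_lines}")
    blocks = PEM_RE.findall(data)
    if len(blocks) != 1:
        problems.append(f"expected 1 certificate block, found {len(blocks)}")
        return result
    try:
        der = base64.b64decode(b"".join(blocks[0].split()), validate=True)
    except ValueError:
        problems.append("Base64 body does not decode (truncated or altered)")
        return result
    if der[:1] != b"\x30":
        problems.append("decoded body is not a DER SEQUENCE")
    # Fingerprint of the DER bytes, for comparison with the CA's published value
    result["sha256"] = hashlib.sha256(der).hexdigest()
    result["ok"] = not problems
    return result


# Constructed stand-in bytes (not a real certificate), wrapped like a PEM file
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_DER).decode(), 64))
              + "\n-----END CERTIFICATE-----\n").encode()

if __name__ == "__main__":
    print(check_cert_for_upload(SAMPLE_PEM))
```

Run it against the downloaded file's bytes before the FTP step; a file reported as binary DER or with over-length lines would not arrive intact as text data.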

If you have any questions about this Critical Alert, please contact Broadcom Support.

Additional Information

Note: The certificates in the keyring are not related to each other.
There are two separate server certificates and one user certificate - they are not in a chain.
Note that the user certificate must be connected to the keyring as usage=certauth.