ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

ACF2 virtual keyring and policy agent

book

Article ID: 226699

calendar_today

Updated On:

Products

ACF2 - z/OS

Issue/Introduction

If a new CERTUATH certificate is added to ACF2, what needs to be done to refresh the AT-TLS policy agent to activate the new certificate within the virtual keyring?

 

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

If a new CERTAUTH certificate is added in virtual keyring and AT-TLS policy is pointing to the virtual keyring as shown below as an example:

TTLSEnvironmentAction         act_RDz_Debug_Probe-Client
{
 HandshakeRole            Client
 TTLSKeyRingParms
 {
  Keyring *AUTH*/*         # virtual key ring holding CA certificates
 }
 TTLSEnvironmentAdvancedParms
 {
## TLSV1.2 only for z/OS 2.1 and higher
# TLSV1.2 On               # SSLv3, TLSv1 & TLSv1.1 are on by default
 }
}

This is a case when a change is made, but it’s not reflected by a change in action as the certificate in a keyring is being added, but the key ring name is same in the policy file. Simply refreshing the pagent policy will not refresh the AT-TLS environment in this case.

A force refresh of AT-TLS is needed by changing some parameter. The EnvironmentUserInstance parameter can be used for this purpose. Incrementing the INSTANCE Number forces a refresh of AT-TLS without changing any of the security parameters. 

Additional Information

Refer to second paragraph of Action refresh topic in IBM doc and slide 15 of SHARE presentation.