ACF2 virtual keyring and policy agent

Article ID: 226699

Products

ACF2 - z/OS

Issue/Introduction

If a new CERTAUTH certificate is added to ACF2, what needs to be done to refresh the AT-TLS policy agent so that the new certificate becomes active within the virtual keyring?

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

If a new CERTAUTH certificate is added to the virtual keyring and the AT-TLS policy points at that virtual keyring, as in the following example:

TTLSEnvironmentAction         act_RDz_Debug_Probe-Client
{
  HandshakeRole            Client
  TTLSKeyRingParms
  {
    Keyring *AUTH*/*       # virtual key ring holding CA certificates
  }
  TTLSEnvironmentAdvancedParms
  {
    ## TLSV1.2 only for z/OS 2.1 and higher
    # TLSV1.2 On           # SSLv3, TLSv1 & TLSv1.1 are on by default
  }
}

In this case a change has been made, but it is not reflected by a change in the action: the certificate is added to the keyring, while the keyring name in the policy file stays the same. Policy Agent only rebuilds an AT-TLS environment when it sees a changed action, so simply refreshing the pagent policy does not refresh the AT-TLS environment, and the new certificate is not picked up.

A forced refresh of AT-TLS is needed, which is done by changing some parameter of the TTLSEnvironmentAction. The EnvironmentUserInstance parameter exists for this purpose: incrementing the instance number forces a refresh of the AT-TLS environment (and a reload of the virtual keyring) without changing any of the security parameters.
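The forced refresh described above, as an added example that is not from the article or from Broadcom/IBM: a POSIX shell script that increments EnvironmentUserInstance for one TTLSEnvironmentAction (inserting the parameter if it is missing) so that the next Policy Agent refresh sees a changed action. The policy file path, the sample policy text and the action name are constructed; the MODIFY PAGENT,REFRESH step is the operator's follow-up and is not executed by the script.

```shell
#!/bin/sh
# Added example, not from the article: bump EnvironmentUserInstance in one
# TTLSEnvironmentAction so the next Policy Agent refresh sees a changed action
# and rebuilds the AT-TLS environment. Path and action name are sample values.
POLICY="${TMPDIR:-/tmp}/ttls_policy_example.conf"
ACTION="act_RDz_Debug_Probe-Client"

# Constructed sample policy, modelled on the fragment shown in the article.
write_sample_policy() {
  cat > "$POLICY" <<'EOF'
TTLSEnvironmentAction         act_RDz_Debug_Probe-Client
{
  HandshakeRole            Client
  TTLSKeyRingParms
  {
    Keyring *AUTH*/*       # virtual key ring holding CA certificates
  }
}
EOF
}

# Print the EnvironmentUserInstance of the named action; print nothing if absent.
get_instance() { # $1 = policy file, $2 = action name
  awk -v name="$2" '
    $1 == "TTLSEnvironmentAction" { inblock = ($2 == name); depth = 0 }
    inblock && $1 == "{" { depth++ }
    inblock && $1 == "}" { if (--depth == 0) inblock = 0 }
    inblock && $1 == "EnvironmentUserInstance" { print $2; exit }' "$1"
}

# Replace the parameter when it is present, otherwise insert it right after the
# opening brace of the named action; nested braces and other actions are untouched.
bump_instance() { # $1 = policy file, $2 = action name
  cur=$(get_instance "$1" "$2")
  new=$(( ${cur:-0} + 1 ))
  awk -v name="$2" -v new="$new" -v have="${cur:+1}" '
    $1 == "TTLSEnvironmentAction" { inblock = ($2 == name); depth = 0 }
    inblock && $1 == "{" && ++depth == 1 && have == "" {
      print; print "  EnvironmentUserInstance " new; next }
    inblock && $1 == "}" { if (--depth == 0) inblock = 0 }
    inblock && $1 == "EnvironmentUserInstance" {
      print "  EnvironmentUserInstance " new; next }
    { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  # The operator then refreshes Policy Agent (MODIFY PAGENT,REFRESH) to apply it.
}

# Demonstration on the constructed sample (first call inserts the parameter).
write_sample_policy
bump_instance "$POLICY" "$ACTION"
echo "EnvironmentUserInstance is now $(get_instance "$POLICY" "$ACTION")"
```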

Additional Information

Refer to the second paragraph of the "Action refresh" topic in the IBM documentation and to slide 15 of the SHARE presentation.