search cancel

ACF2 virtual keyring and policy agent


Article ID: 226699


Updated On:


ACF2 - z/OS


If a new CERTUATH certificate is added to ACF2, what needs to be done to refresh the AT-TLS policy agent to activate the new certificate within the virtual keyring?



Release : 16.0

Component : CA ACF2 for z/OS


If a new CERTAUTH certificate is added in virtual keyring and AT-TLS policy is pointing to the virtual keyring as shown below as an example:

TTLSEnvironmentAction         act_RDz_Debug_Probe-Client
 HandshakeRole            Client
  Keyring *AUTH*/*         # virtual key ring holding CA certificates
## TLSV1.2 only for z/OS 2.1 and higher
# TLSV1.2 On               # SSLv3, TLSv1 & TLSv1.1 are on by default

This is a case when a change is made, but it’s not reflected by a change in action as the certificate in a keyring is being added, but the key ring name is same in the policy file. Simply refreshing the pagent policy will not refresh the AT-TLS environment in this case.

A force refresh of AT-TLS is needed by changing some parameter. The EnvironmentUserInstance parameter can be used for this purpose. Incrementing the INSTANCE Number forces a refresh of AT-TLS without changing any of the security parameters. 

Additional Information

Refer to second paragraph of Action refresh topic in IBM doc and slide 15 of SHARE presentation.