If a new CERTAUTH certificate is added to ACF2, what needs to be done to refresh the AT-TLS policy agent so that the new certificate in the virtual keyring becomes active?
Release : 16.0
Component : CA ACF2 for z/OS
Consider the case where a new CERTAUTH certificate is added to the virtual keyring and the AT-TLS policy points to that virtual keyring, as in the following example:
TTLSEnvironmentAction act_RDz_Debug_Probe-Client
{
   HandshakeRole Client
   TTLSKeyRingParms
   {
      Keyring *AUTH*/*   # virtual key ring holding CA certificates
   }
   TTLSEnvironmentAdvancedParms
   {
      ## TLSV1.2 only for z/OS 2.1 and higher
      # TLSV1.2 On      # SSLv3, TLSv1 & TLSv1.1 are on by default
   }
}
This is a case where a change has been made, but nothing in the policy changes to reflect it: the certificate is added inside the keyring, while the keyring name in the policy file stays the same. Simply refreshing the pagent policy will therefore not refresh the AT-TLS environment.
A forced refresh of the AT-TLS environment is needed, which is done by changing a parameter of the TTLSEnvironmentAction. The EnvironmentUserInstance parameter exists for this purpose. Incrementing the instance number forces a refresh of the AT-TLS environment without changing any of the security parameters.
Refer to the second paragraph of the "Action refresh" topic in the IBM documentation and to slide 15 of the SHARE presentation.
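As an added worked example (not taken from the article or from the IBM or CA documentation), the same TTLSEnvironmentAction as above after a new CERTAUTH certificate has been added to the ACF2 virtual keyring. The keyring name is unchanged, so the only edit is the EnvironmentUserInstance value; the value 1 and the "was 0" comment are assumed for illustration, and any new value in the parameter's range works as long as it differs from the previous one.

```text
# Added example: force an AT-TLS environment refresh after a keyring change.
# Only EnvironmentUserInstance is changed; HandshakeRole, the keyring and the
# protocol settings are exactly as before.
TTLSEnvironmentAction act_RDz_Debug_Probe-Client
{
   HandshakeRole             Client
   EnvironmentUserInstance   1          # assumed: was 0 (or omitted); bump on every keyring change
   TTLSKeyRingParms
   {
      Keyring *AUTH*/*                  # ACF2 virtual keyring holding CA certificates (unchanged)
   }
   TTLSEnvironmentAdvancedParms
   {
      ## TLSV1.2 only for z/OS 2.1 and higher
      # TLSV1.2 On                      # SSLv3, TLSv1 & TLSv1.1 are on by default
   }
}
```

After saving the policy file, refresh the policy agent with the operator command F PAGENT,REFRESH (or F PAGENT,UPDATE). Because the environment definition now differs from the loaded one, AT-TLS rebuilds the environment and re-reads the virtual keyring, so new connections see the added CERTAUTH certificate; connections already established keep the old environment until they end. Keeping the instance number under change control (for example, recording the value in a comment next to the parameter as above) makes it easy to confirm in the loaded policy that the refresh was picked up.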