Download Server Certificate Renewal Instructions

Article ID: 238330

Products

Common Services COMMON SERVICES FOR Z/OS

Issue/Introduction

Use the following instructions to renew the Digicert Intermediate CA certificate (Broadcom Download Server certificate). The Digicert Intermediate CA certificate must be renewed by July 8, 2022.

These instructions apply to customers using:

  • SMP/E Internet Service Retrieval (RECEIVE ORDER)
  • FTP with SSL to transfer files (also called FTPS)

Note: Chorus Software Manager users are not affected.

Resolution

To ensure uninterrupted service before the existing certificate expires, complete the following steps to download and connect the new Digicert Intermediate CA certificate (Broadcom Download Server certificate) for SMP/E Internet Service Retrieval and FTP with SSL to transfer files:

  1. Download the new Digicert Intermediate CA certificate.

  2. Upload the new Digicert Intermediate CA certificate to z/OS.

  3. Add the new Digicert Intermediate CA certificate to the keyring.

  4. Remove the old Digicert Intermediate CA certificate (after July 8, 2022).

Download the new Digicert Intermediate CA Certificate

Select the following link to download the new Broadcom Download Server certificate (CN=DigiCert TLS RSA SHA256 2020 CA1.O=DigiCert Inc.C=US), serial number 06D8D904D5584346F68A2FA754227EC4:

https://ftpdocs.broadcom.com/cadocs/0/certs/digi-inter-new/digicert_intermediate_2031.crt

This certificate will replace the old Digicert Intermediate CA certificate on July 8, 2022.

Note: For RECEIVE ORDER, you can continue to use your existing User and Root certificates. You are not required to download new User and Root certificates.

Note the location of the file on your workstation.

Upload the new Digicert Intermediate CA Certificate to z/OS

Upload the server certificate that you saved to your workstation to z/OS.

  1. Upload the new Digicert Intermediate CA certificate as text data to your z/OS system in RECFM=VB and LRECL>=84 format. For example, LRECL=84, LRECL=256, and LRECL=512 are acceptable.

    Note: When uploading the certificate, specify the WRAP parameter so that the data is wrapped to the next record when no new line character is encountered before the logical record length of the receiving file is reached.

  2. If you use FTP, use the following FTP commands to avoid truncation:
    ASCII
    QUOTE SITE WRAP LRECL=256 RECFM=VB
    PUT cert_file_name 'your.zos.dataset.name' (REPLACE

The new Digicert Intermediate CA certificate is transferred to z/OS.
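
A workstation-side check to run on the downloaded file before the upload, given here as an added example (not part of the original article or any Broadcom tooling): it reads the serial number from the certificate and compares it with the value quoted above, then confirms that every text line fits the RECFM=VB record length chosen for the data set. It assumes the .crt file is PEM text; `precheck`, `serial_hex` and `constructed_sample` are hypothetical names, and the sample is a constructed stand-in, not a real certificate.

```python
import base64, re
EXPECTED_SERIAL = "06D8D904D5584346F68A2FA754227EC4"   # serial quoted in the article

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def serial_hex(pem_text):
    """Serial number of the first PEM certificate, as upper-case hex."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(m.group(1).split()))
    _, pos, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)              # tbsCertificate SEQUENCE
    tag, start, end = _tlv(der, pos)
    if tag == 0xA0:                         # optional [0] version precedes the serial
        tag, start, end = _tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    digits = "%X" % int.from_bytes(der[start:end], "big")
    return digits.rjust(len(digits) + len(digits) % 2, "0")

def precheck(pem_text, lrecl=84, expected=EXPECTED_SERIAL):
    """Return a list of problems; empty means serial and record length both check out."""
    found = serial_hex(pem_text)
    problems = [] if found == expected else ["serial mismatch: " + found]
    longest = max(len(line) for line in pem_text.splitlines())
    if longest > lrecl - 4:                 # RECFM=VB: LRECL includes the 4-byte RDW
        problems.append("line of %d bytes exceeds the %d data bytes of LRECL=%d" % (longest, lrecl - 4, lrecl))
    return problems

def _enc(tag, body):                        # DER encoder, used only to build the sample
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + body

def constructed_sample(serial, width=64):
    """Constructed stand-in, NOT a real certificate: DER prefix up to the serial plus filler."""
    tbs = _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, bytes.fromhex(serial)) + _enc(0x04, bytes(150))
    b64 = base64.b64encode(_enc(0x30, _enc(0x30, tbs))).decode()
    rows = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % rows
```

Call `precheck(open("digicert_intermediate_2031.crt").read())` on the downloaded file. A matching serial confirms that the intended file was retrieved intact, but it is not a cryptographic fingerprint.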

Add the new Digicert Intermediate CA Certificate to the Keyring

Configure your External Security Manager (ESM), that is, ACF2, Top Secret, or IBM RACF, to add the new Digicert Intermediate CA certificate to the keyring for SMP/E Receive Order and FTP with SSL to transfer files.

Configure ACF2 Security

  1. Add the new Digicert Intermediate CA certificate:
    SET PROFILE(USER) DIV(CERTDATA)

    INSERT CERTAUTH.yourcertname DSN('your.zos.dataset.name') -
    LABEL(yourlabeldescription)
  2. Connect the new Digicert Intermediate CA certificate to your keyring:
    SET PROFILE(USER) DIV(KEYRING)

    PROFILE

    CONNECT CERTDATA(CERTAUTH.yournewDigicertIntermediateCAcertname) KEYRING(user1.ring) -
    USAGE(CERTAUTH)

Configure Top Secret Security

  1. Add the new Digicert Intermediate CA certificate:
    TSS ADD(CERTAUTH) DIGICERT(yournewDigicertIntermediateCAcertname) LABLCERT(yourlabelname) -
    DCDSN('your.zos.dataset.name') TRUST
  2. Connect the new Digicert Intermediate CA certificate to your keyring:
    TSS ADD(user1) KEYRING(yourRingName) RINGDATA(CERTAUTH,yournewDigicertIntermediateCAcertname) -
    USAGE(CERTAUTH)

Configure IBM RACF Security

  1. Add the new Digicert Intermediate CA certificate:
    RACDCERT CERTAUTH ADD('your.zos.dataset.name') +
    WITHLABEL('your new Digicert Intermediate CA label') TRUST
  2. Connect the new Digicert Intermediate CA certificate to your keyring:
    RACDCERT ID(ring-owner) CONNECT( CERTAUTH LABEL('your new Digicert Intermediate CA certificate label') +
    RING(keyringname) USAGE(CERTAUTH) )

When these steps are completed, you have renewed the Broadcom Download Server (Digicert Intermediate CA) certificate. You can remove the old Digicert Intermediate CA certificate after July 8, 2022.

Remove the Old Digicert Intermediate CA Certificate

When the old Digicert Intermediate CA certificate expires, you can remove it from your ACF2, Top Secret, or IBM RACF database. Do not complete this step until after July 8, 2022.

  • For ACF2, specify:
    ACF
    SET PROFILE(USER) DIV(CERTDATA)
    REMOVE CERTDATA(userid1.suffix) KEYRING(userid2.suffix) RINGNAME(ringname)
  • For Top Secret, specify:
    TSS REMOVE(owningacid) KEYRING(keyring) RINGDATA(CERTAUTH,digicert)
  • For IBM RACF, specify:
    RACDCERT REMOVE(CERTAUTH LABEL('label-name') RING(ringname))

     

Additional Information