TSS LIST CHAIN shows different certificate chain after IPL
Article ID: 250204

Products

Top Secret

Issue/Introduction

Added a renewed signer certificate because the old signer is about to expire, and deleted the old signer.

TSS LIST(owning_acid) DIGICERT(digicertname) CHAIN

shows the new signer in the certificate chain.

Added the old signer certificate back to the security file.

After an IPL or a recycle of the TSS started task, TSS LIST CHAIN shows the old signer in the certificate chain.

Environment

Release : 16.0

Component : Top Secret for z/OS

Resolution

Top Secret keeps a digital certificate table in memory that contains all digital certificates and some information about them for quick access and lookup.

Because the table is in storage, access to that certificate information is fast and requires no I/O to the Top Secret Security File.

The TSS LIST CHAIN command searches this in-storage digital certificate table to determine the digital certificate chain.

TSS LIST CHAIN looks at two things to determine a signer of a certificate:

  1. The IDN (Issuer Distinguished Name)
  2. The "Auth id" of the certificate.

Once the signer of the certificate is found in the in-storage Top Secret Digital Certificate table, the search stops.

This is done for every certificate in the chain until the chain is complete.

Here is where the issue comes in.

When there are two versions of the signing certificate with different expiration dates, both have exactly the same IDN and "Auth Id".

The TSS LIST CHAIN command chooses the first instance of the signer with the matching IDN and "Auth Id" and uses it in the TSS LIST CHAIN output.

The positions of the old signer and the new signer are not static. Their order in the in-storage Top Secret Digital Certificate table can change after a recycle of the Top Secret address space or an IPL.

Fortunately, TSS LIST CHAIN does not control which version of the signer certificate is passed back on the digital certificate call.

It is the keyring definition that determines which certificates are passed back on the digital certificate call.

So, as long as the correct version of the signer certificate is connected to the keyring, the TSS LIST CHAIN output has no negative effect on your digital certificate processing.
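As an added illustration of the first-match lookup described above and of the keyring point that follows (example code written for this article, not Top Secret's own logic), the following Python model walks an in-storage certificate table and then repeats the walk restricted to the certificates connected to a keyring. The field names, the sample certificates, the ACID PKIADM and the keyring MYRING are constructed; matching a signer by comparing its subject DN with the certificate's IDN is an assumption about how the IDN check is realised.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    label: str       # certificate label under the owning ACID (constructed)
    auth_id: str     # the certificate's "Auth id" (constructed)
    subject: str     # subject distinguished name
    issuer: str      # IDN (issuer distinguished name)
    not_after: date  # expiry date; old and new signer differ only here and in label

def find_signer(cert, table):
    # Model of the in-storage lookup: the first table entry whose subject equals the
    # certificate's IDN and whose Auth id matches is taken, and the search stops there.
    for cand in table:
        if cand is not cert and cand.subject == cert.issuer and cand.auth_id == cert.auth_id:
            return cand
    return None

def list_chain(leaf, table):
    # Walk signer by signer until a self-signed root is reached or no signer is found.
    chain, cert = [leaf.label], leaf
    while cert.issuer != cert.subject:
        cert = find_signer(cert, table)
        if cert is None:
            break
        chain.append(cert.label)
    return chain

def keyring_chain(leaf, keyring_labels, table):
    # The digital certificate call is served from the keyring, so only certificates
    # connected to the keyring are candidates; table order no longer matters.
    return list_chain(leaf, [c for c in table if c.label in keyring_labels])

# Constructed sample data: an intermediate signer that was renewed (same IDN and Auth id).
ROOT = Cert("ROOT", "PKIADM", "CN=Root CA", "CN=Root CA", date(2035, 1, 1))
OLD = Cert("SIGNEROLD", "PKIADM", "CN=Issuing CA", "CN=Root CA", date(2024, 6, 30))
NEW = Cert("SIGNERNEW", "PKIADM", "CN=Issuing CA", "CN=Root CA", date(2029, 6, 30))
LEAF = Cert("SERVER", "PKIADM", "CN=server.example", "CN=Issuing CA", date(2026, 1, 1))

# Two possible in-storage orders of the same four certificates (e.g. before and after an IPL).
TABLE_BEFORE_IPL = [LEAF, OLD, NEW, ROOT]
TABLE_AFTER_IPL = [LEAF, NEW, OLD, ROOT]
MYRING = {"SERVER", "SIGNERNEW", "ROOT"}  # keyring holds only the renewed signer

if __name__ == "__main__":
    print("LIST CHAIN before IPL:", list_chain(LEAF, TABLE_BEFORE_IPL))
    print("LIST CHAIN after IPL: ", list_chain(LEAF, TABLE_AFTER_IPL))
    print("keyring chain (either order):", keyring_chain(LEAF, MYRING, TABLE_AFTER_IPL))
```

The two table orders give different LIST CHAIN output, while the keyring-restricted walk returns the renewed signer in both cases, which is the check to rely on when verifying what a keyring actually serves.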