search cancel

Certificate failure with new and expired certificate exists, new certificate not picked up


Article ID: 254901


Updated On:


ACF2 - z/OS


Are there any issues in ACF2 that would cause an expired certificate to be used even though a good certificate existed as well?

Or is this a potential process problem? 



Release : 16.0


The questions as to whether an expired certificate would be used even though a good certificate no expired certificate exists is an Client or Server application question since the ESM(ACF2) will return all TRUSTed certificates CONNECTed to a Keyring even if expired. It is the application that does the authentication using the ESM returned certificates.

The client or server task will issue R_datalib calls requesting the Keyring and the certificates connected to the Keyring. The External Security Manager(ESM) in this case ACF2 will return the Keyring information and all of the certificates that are connected to the Keyring that are TRUSTed. Note that expired certificates will be returned.

Depending on whether a site is doing Server authentication or Server and Client authentication only a single personal server or client can be sent to the other side to be authenticated. If there are multiple personal certificates, applications can determine which certificate to send based on the certificate label(specified in the initialization parameter file) or by use of the DEFAULT flag(there can only be one DEFAULT in a keyring).

If the certificates are CERTAUTH signing certificates, a site can control what order the CERTAUTH certificates are returned to the caller based on the CERTAUTH CERTDATA record suffix. CERTAUTH certificates are stored with a CERTDATA record name of CERTAUTH.suffix. When CERTAUTH.suffix certificates are connected to a keyring, the CERTAUTH certificates are stored in the keyring alphabetically by the suffix. When the application issues the R_datalib call the certificates will be returned in the order shown when listing the keyring where the CERTAUTH certificates are displayed in the keyring alphabetically by the suffix.