When applying maintenance with z/OSMF Software Update, selecting the target zone and clicking Install Recommended fails with the error:
CWWKO0801E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired.
Exception is javax.net.ssl.SSLException: Received fatal alert: certificate_unknown.
The z/OSMF USS log file /global/zosmf/data/logs/IZUG0.log shows the following error:
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: Certificate expired
The z/OSMF certificates are managed by RACF.
The error indicates that one of the certificates in the z/OSMF keyring has expired.
To determine which certificate has expired, display all the certificates in the z/OSMF keyring.
The default keyring name for z/OSMF is IZUKeyring.IZUDFLT.
First list the contents of the z/OSMF keyring with the following RACF command:
RACDCERT LISTRING(IZUKeyring.IZUDFLT) ID(IZUSVR)
If the supplied z/OSMF default certificate names are in use, the display looks like this:
Ring:
     >IZUKeyring.IZUDFLT<
Certificate Label Name             Cert Owner     USAGE      DEFAULT
--------------------------------   ------------   --------   -------
DefaultzOSMFCert.IZUDFLT           ID(IZUSVR)     PERSONAL   YES
zOSMFCA                            CERTAUTH       CERTAUTH   NO
Then, for each certificate listed, issue the following command to see its validity dates:
RACDCERT LIST(LABEL('certificate_label_name')) ID(IZUSVR)
For the default server certificate use the command:
RACDCERT LIST(LABEL('DefaultzOSMFCert.IZUDFLT')) ID(IZUSVR)
For the CERTAUTH certificate use command:
RACDCERT CERTAUTH LIST(LABEL('zOSMFCA'))
In the display, check the Start Date and End Date against the current date.
In this case the CERTAUTH certificate has expired:
Digital certificate information for CERTAUTH:
  Label: zOSMFCA
  Certificate ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  Status: TRUST
  Start Date: 2013/11/18 01:00:00
  End Date: 2021/08/21 00:59:59
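Checking every certificate in a keyring by hand is error-prone when the ring holds more than the two default entries. The following added example (it is not part of the IBM technote) parses the text that RACDCERT LIST writes for each certificate, as shown above, and classifies every certificate against a reference date. The sample output is constructed: the zOSMFCA dates are the ones from the page, while the DefaultzOSMFCert.IZUDFLT dates, the Certificate ID values and the reference date are assumptions.

```python
"""Flag expired or soon-to-expire certificates from RACDCERT LIST output.

Added example, not IBM's code. It reads the Label, Status, Start Date and
End Date lines of RACDCERT LIST / RACDCERT CERTAUTH LIST output (as captured
from a TSO session into a file) and reports each certificate's state.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: the output of the two LIST commands from the page,
# concatenated. The server certificate's dates are an assumption; the
# Certificate ID values are placeholders.
SAMPLE_RACDCERT_OUTPUT = """\
Digital certificate information for user IZUSVR:

  Label: DefaultzOSMFCert.IZUDFLT
  Certificate ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  Status: TRUST
  Start Date: 2019/05/01 00:00:00
  End Date:   2029/05/01 23:59:59

Digital certificate information for CERTAUTH:

  Label: zOSMFCA
  Certificate ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  Status: TRUST
  Start Date: 2013/11/18 01:00:00
  End Date: 2021/08/21 00:59:59
"""

RACF_DATE = "%Y/%m/%d %H:%M:%S"          # format RACDCERT uses for Start/End Date
CERT_HEADER = re.compile(r"^Digital certificate information for (.+?):\s*$", re.M)
FIELD = re.compile(r"^\s*(Label|Status|Start Date|End Date):\s*(.+?)\s*$", re.M)


def racf_date(text):
    """Parse a RACDCERT date string such as '2021/08/21 00:59:59'."""
    return datetime.strptime(text, RACF_DATE)


def parse_racdcert_list(text):
    """Return one dict per certificate block: owner, label, status, start, end."""
    certs = []
    heads = list(CERT_HEADER.finditer(text))
    for i, head in enumerate(heads):
        # Each block runs from its header to the next header (or end of text).
        stop = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        fields = {m.group(1): m.group(2) for m in FIELD.finditer(text[head.end():stop])}
        if "Label" not in fields or "Start Date" not in fields or "End Date" not in fields:
            continue  # incomplete block: skip rather than guess
        certs.append({
            "owner": head.group(1),
            "label": fields["Label"],
            "status": fields.get("Status", ""),
            "start": racf_date(fields["Start Date"]),
            "end": racf_date(fields["End Date"]),
        })
    return certs


def check_expiry(certs, now, warn_days=30):
    """Classify each certificate as EXPIRED, NOT_YET_VALID, EXPIRING or OK."""
    results = []
    for c in certs:
        if now > c["end"]:
            state = "EXPIRED"
        elif now < c["start"]:
            state = "NOT_YET_VALID"
        elif c["end"] - now <= timedelta(days=warn_days):
            state = "EXPIRING"
        else:
            state = "OK"
        results.append((c["owner"], c["label"], state, c["end"]))
    return results


def expired_labels(text, now):
    """Labels of all certificates in the LIST output that are expired at 'now'."""
    return [label for _, label, state, _ in check_expiry(parse_racdcert_list(text), now)
            if state == "EXPIRED"]


if __name__ == "__main__":
    # Assumed reference date: shortly after the CA's End Date on the page.
    now = racf_date("2021/09/01 00:00:00")
    for owner, label, state, end in check_expiry(parse_racdcert_list(SAMPLE_RACDCERT_OUTPUT), now):
        print(f"{state:14} {owner:14} {label:28} ends {end:%Y/%m/%d %H:%M:%S}")
```

Run it against a file of captured LIST output instead of the constructed sample to get the same report for a real keyring; the EXPIRING state is there so the check can be scheduled and catch the next expiry before z/OSMF fails again.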
To resolve the problem, delete and re-create the expired z/OSMF certificate.
Follow the documented IBM instructions for setting up z/OSMF certificates in the section Configuring the z/OSMF server certificate and key ring.
Note that GENCERT creates a new key pair, so any certificate signed by the old CA (including the default server certificate DefaultzOSMFCert.IZUDFLT, if it was signed by zOSMFCA) no longer chains to the re-created CA and must be regenerated as described in those instructions, and any client that trusted the old CA certificate needs the new one.
In this case the following commands were run to delete and re-create the z/OSMF CERTAUTH certificate using the default name with a new end date:
RACDCERT CERTAUTH DELETE(LABEL('zOSMFCA'))
SETROPTS RACLIST(DIGTCERT) REFRESH
RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('z/OSMF CertAuth for Security Domain') OU('IZUDFLT')) WITHLABEL('zOSMFCA') TRUST NOTAFTER(DATE(2028/05/17))
SETROPTS RACLIST(DIGTCERT) REFRESH
RACDCERT ID( IZUSVR ) CONNECT (LABEL('zOSMFCA') RING(IZUKeyring.IZUDFLT) CERTAUTH)
SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
After this, restart the z/OSMF started task.
In some cases an IPL may be required.