z/OSMF Software Update certificate expired error

Article ID: 276720


Products

IDMS COMMON SERVICES FOR Z/OS

Issue/Introduction

When applying maintenance in z/OSMF Software Update, selecting the target zone and clicking Install Recommended fails with the error:

CWWKO0801E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. 
Exception is javax.net.ssl.SSLException: Received fatal alert: certificate_unknown.

The z/OSMF USS log file in /global/zosmf/data/logs/IZUG0.log shows the following error:

javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: Certificate expired

The environment uses RACF certificates.

Cause

The error indicates that one of the certificates used by z/OSMF in the z/OSMF keyring has expired.

To determine which certificate has expired, display all the certificates in the z/OSMF keyring.

The default keyring name for z/OSMF is IZUKeyring.IZUDFLT.

First, list the z/OSMF keyring with the following RACF command:

RACDCERT LISTRING(IZUKeyring.IZUDFLT) D(IZUSVR)

If using the supplied z/OSMF default certificate names, the display will look like this:

Ring:
     >IZUKeyring.IZUDFLT<
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
  DefaultzOSMFCert.IZUDFLT           ID(IZUSVR)     PERSONAL     YES
  zOSMFCA                            CERTAUTH       CERTAUTH     NO
  

Then, for each certificate listed, issue the following command to see the expiry dates:

RACDCERT LIST(LABEL('certificate_label_name')) ID(IZUSVR)

For the default certificate name use command:

RACDCERT LIST(LABEL('DefaultzOSMFCert.IZUDFLT')) ID(IZUSVR)  

For the CERTAUTH certificate use command:

RACDCERT CERTAUTH  LIST(LABEL('zOSMFCA'))  
  
In the display, check the Start Date and End Date.

In this case, the CERTAUTH certificate has expired:

Digital certificate information for CERTAUTH:

  Label: zOSMFCA
  Certificate ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  Status: TRUST
  Start Date: 2013/11/18 01:00:00
  End Date:   2021/08/21 00:59:59
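
As an added example (not part of the original article or of the z/OSMF or RACF documentation), the Python script below parses saved RACDCERT LIST output in the layout shown above and classifies each certificate by its Start Date and End Date. The sample text, the 90-day warning window and the function names are assumptions, and the dates in the IZUSVR block are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout shown above; the IZUSVR block's dates are made up.
SAMPLE = """\
Digital certificate information for user IZUSVR:
  Label: DefaultzOSMFCert.IZUDFLT
  Status: TRUST
  Start Date: 2013/11/18 01:00:00
  End Date:   2028/05/17 00:59:59
Digital certificate information for CERTAUTH:
  Label: zOSMFCA
  Status: TRUST
  Start Date: 2013/11/18 01:00:00
  End Date:   2021/08/21 00:59:59
"""

# Only these fields are read; every other line of the display is ignored.
FIELD = re.compile(r"^\s*(Label|Status|Start Date|End Date):\s*(.+?)\s*$")

def parse_certs(text):
    """Return one dict per 'Digital certificate information' block."""
    certs = []
    for line in text.splitlines():
        if line.lstrip().startswith("Digital certificate information for"):
            owner = line.split(" for ", 1)[1].strip().rstrip(":")
            certs.append({"Owner": owner})
        elif certs and (m := FIELD.match(line)):
            key, value = m.groups()
            if key.endswith("Date"):
                value = datetime.strptime(value, "%Y/%m/%d %H:%M:%S")
            certs[-1][key] = value
    return certs

def classify(cert, now, warn_days=90):
    """Assumes 'now' is in the same time zone as the displayed dates."""
    if now > cert["End Date"]:
        return "EXPIRED"
    if now < cert["Start Date"]:
        return "NOT_YET_VALID"
    if cert["End Date"] - now <= timedelta(days=warn_days):
        return "EXPIRING"
    return "OK"

def report(text, now, warn_days=90):
    """Map each certificate label to its validity state at time 'now'."""
    return {c["Label"]: classify(c, now, warn_days) for c in parse_certs(text)}

if __name__ == "__main__":
    for label, state in report(SAMPLE, datetime.now()).items():
        print(f"{state:14} {label}")
```

Running the same check on a schedule against every certificate connected to the keyring gives warning before an End Date passes, rather than after the SSL handshake starts failing.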
  
  

 

Resolution

To resolve the problem, delete and re-add the expired z/OSMF certificate.

Follow the documented IBM instructions for setting up z/OSMF certificates in the section Configuring the z/OSMF server certificate and key ring.

In this case, the following commands were run to delete and re-add the z/OSMF CERTAUTH certificate using the default name with a new end date:

RACDCERT CERTAUTH DELETE(LABEL('zOSMFCA')) 

SETROPTS RACLIST(DIGTCERT) REFRESH

RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('z/OSMF CertAuth for Security Domain') OU('IZUDFLT')) WITHLABEL('zOSMFCA')  TRUST NOTAFTER(DATE(2028/05/17)) 

SETROPTS RACLIST(DIGTCERT) REFRESH

RACDCERT ID( IZUSVR ) CONNECT (LABEL('zOSMFCA') RING(IZUKeyring.IZUDFLT) CERTAUTH)

SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH

PERMIT   IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)

SETROPTS RACLIST(FACILITY) REFRESH

After this, restart the z/OSMF started task.

In some cases, an IPL may be required.