Renewal of the OpenSSL client and server certificates for XCOM for z/OS
Article ID: 6693
Products
XCOM Data Transport, XCOM Data Transport - z/OS
Issue/Introduction
We need to renew/replace the expiring OpenSSL client and server certificates that are used with XCOM for z/OS. The OpenSSL CA certificate has not expired and we would like to continue to use it. What are the procedures to accomplish this?
Environment
XCOM™ Data Transport® for z/OS
Resolution
If you used the XCOM sample "make" scripts to generate your SSL certificates for z/OS, you will need to:
1. Back up your ssl directory and configssl.cnf.
2. Remove all of the following files and directories:
   - all index.* files
   - all serial and serial.* files
   - the certs and private directories
   - the random.pem file
3. Set your new expiration dates in your cassl.conf file, parameter "default_days=".
4. Run the makeca script only. At this point the certs and private directories are created and will contain a cassl.pem and a casslkey.pem. Replace them with your existing cassl.pem and casslkey.pem that have not expired:
   - Delete the cassl.pem and casslkey.pem in the directories.
   - Copy your existing cassl.pem and casslkey.pem that have not expired to the certs and private directories.
5. Run the makeclient and makeserver scripts.
6. Run the listca, listclient, and listserver scripts to verify your expiration dates.
7. Run a loopback transfer to make sure the certificates are valid.
The above instructions are only valid if you used our sample "make" scripts. If your certificates were acquired via a third party vendor then you need to check with your Security Admin for those procedures.
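Because the procedure above reuses the existing cassl.pem and casslkey.pem while regenerating the client and server certificates, it is worth confirming that the restored CA pair matches and that each new certificate chains to it before the loopback transfer. The following is an added example using the standard openssl command line, not part of the XCOM sample scripts; the function names are hypothetical and the client/server certificate paths are supplied by the caller because the page does not name them.

```shell
#!/bin/sh
# Added example (not part of the XCOM sample scripts): checks to run after
# restoring the existing CA files and running makeclient/makeserver.
# cassl.pem and casslkey.pem are named on the page; the client/server
# certificate paths are arguments (assumed, not taken from the page).

# 0 if the CA certificate and CA private key are a matching pair.
# An encrypted key makes openssl prompt for its passphrase.
ca_pair_matches() {   # $1 = CA certificate, $2 = CA private key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the client or server certificate verifies against the CA certificate.
# The output is checked as well as the exit status, since very old openssl
# builds exit 0 even when verification fails.
chains_to_ca() {      # $1 = CA certificate, $2 = client or server certificate
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || return 1
    case $out in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# 0 if the certificate is still valid N days from now.
valid_for_days() {    # $1 = certificate, $2 = number of days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run all checks; returns non-zero if any of them fails.
check_renewal() {     # $1 = CA cert, $2 = CA key, $3 = min days, $4... = certs
    ca=$1 key=$2 days=$3; shift 3
    ca_pair_matches "$ca" "$key" || { echo "FAIL: CA cert/key mismatch"; return 1; }
    rc=0
    for leaf in "$@"; do
        if ! chains_to_ca "$ca" "$leaf"; then
            echo "FAIL: $leaf does not chain to $ca"; rc=1
        elif ! valid_for_days "$leaf" "$days"; then
            echo "FAIL: $leaf expires within $days days"; rc=1
        else
            echo "OK: $leaf"
        fi
    done
    return $rc
}

# Usage (the last two paths are placeholders for your own file names):
#   check_renewal certs/cassl.pem private/casslkey.pem 30 \
#       <client-cert.pem> <server-cert.pem>
```

A mismatch reported by `ca_pair_matches` means the cassl.pem and casslkey.pem copied back in step 4 do not belong together, so any certificates signed afterwards will not verify against the CA certificate your partners already trust.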