Renewing Expired SSL certificates for XCOM for z/OS
Article ID: 91922

Products

XCOM Data Transport XCOM Data Transport - z/OS

Issue/Introduction

We perform SSL transfers with XCOM, and the SSL certificates are about to expire. What can be done in the configuration file so that both the old and new certificates can be used, with no impact to the business?

Environment

  • ACF2™
  • Top Secret®
  • IBM RACF
  • XCOM™ Data Transport® for z/OS

Cause

Certificates are expired or about to expire

Resolution

The XCOM servers start TCP/IP listeners to receive incoming requests. For the SSL listener, you can have only one configuration file; it establishes the SSL parameters (including certificate information) that are applied to ALL INCOMING SSL transfer requests. This is a proven design, and it serves as a gatekeeper for incoming SSL activity.

That is the configuration methodology for all REMOTELY initiated SSL transfers. It keeps remote parties (potentially malicious connectors) from modifying your SSL configurations to use less secure settings than those you have chosen. 

However, for initiating SSL transfers locally, you have several options for switching to updated certificates.

  • You can create a separate XCOM_CONFIG_SSL dataset which points to the NEW certificates. This dataset can be made the default by specifying it as the value of XCOM_CONFIG_SSL in the server's CONFIG member.
  • It can also be specified (overridden) for all transfers to a SPECIFIC REMOTE TCP/IP address, via an XCOM DEST member.

You can also override this SSL configuration dataset setting for INDIVIDUAL TRANSFERS via the XCOM_CONFIG_SSL SYSIN01 parameter. This provides a means to configure SSL transfers at the finest possible granularity, while still providing reasonable defaults per server or per remote destination.

That is the configuration methodology for all LOCALLY initiated SSL transfers. 

This design has served our customers well, and provides a means to migrate smoothly, putting the responsibility for overrides in the hands of the user who INITIATES the transfers while protecting the listening server from unwanted connections.
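The three layers described above (server CONFIG default, DEST member override for one remote address, SYSIN01 override for one transfer) can be modelled to check, before the old certificate lapses, which locally initiated transfers would still run on the old dataset. The following is an added example and is not XCOM code or XCOM configuration syntax: the DEST member is modelled as a plain mapping from remote IP to dataset name, SYSIN01 as a dictionary of parameters, and every dataset name, IP address and date is constructed for the illustration.

```python
# Added example (not XCOM code): a small model of how the XCOM_CONFIG_SSL
# dataset is chosen for a LOCALLY initiated transfer, plus an expiry check.
# Assumptions, not product syntax: the DEST member is modelled as a plain
# mapping from remote IP to dataset name, SYSIN01 as a dict of parameters,
# and every dataset name, IP and date below is constructed for the illustration.
from dataclasses import dataclass, field
from datetime import date


@dataclass
class SslDataset:
    """An XCOM_CONFIG_SSL dataset and the expiry of the certificate it names."""
    name: str
    cert_not_after: date


@dataclass
class XcomServer:
    # Default XCOM_CONFIG_SSL from the server's CONFIG member.
    default_ssl: str
    # Per-remote override, as a DEST member would supply: remote IP -> dataset name.
    dest_overrides: dict = field(default_factory=dict)
    # Known SSL datasets and their certificate expiry (constructed inventory).
    datasets: dict = field(default_factory=dict)


def resolve_ssl_dataset(server, remote_ip, sysin01=None):
    """Return (dataset name, layer that supplied it), most specific layer first:
    SYSIN01 for the single transfer, then the DEST member for the remote IP,
    then the server-wide CONFIG default."""
    sysin01 = sysin01 or {}
    if "XCOM_CONFIG_SSL" in sysin01:
        return sysin01["XCOM_CONFIG_SSL"], "SYSIN01"
    if remote_ip in server.dest_overrides:
        return server.dest_overrides[remote_ip], "DEST"
    return server.default_ssl, "CONFIG"


def check_transfer(server, remote_ip, sysin01=None, today=None, warn_days=30):
    """Resolve the dataset a transfer would use and flag expired/expiring certs."""
    today = today or date.today()
    name, layer = resolve_ssl_dataset(server, remote_ip, sysin01)
    ds = server.datasets.get(name)
    if ds is None:
        # An override naming a dataset nobody inventoried is itself a finding.
        return {"dataset": name, "layer": layer, "status": "UNKNOWN_DATASET"}
    days_left = (ds.cert_not_after - today).days
    if days_left < 0:
        status = "EXPIRED"
    elif days_left <= warn_days:
        status = "EXPIRING"
    else:
        status = "OK"
    return {"dataset": name, "layer": layer, "days_left": days_left, "status": status}


def migration_report(server, remotes, today=None, warn_days=30):
    """List remotes whose transfers would still run on an expiring or expired
    dataset, i.e. the ones still needing a DEST or SYSIN01 override."""
    return [
        (ip, r["dataset"], r["status"])
        for ip in remotes
        for r in [check_transfer(server, ip, today=today, warn_days=warn_days)]
        if r["status"] != "OK"
    ]


# --- constructed sample inventory (hypothetical names and dates) ---
SAMPLE_TODAY = date(2024, 6, 15)
SAMPLE_SERVER = XcomServer(
    default_ssl="XCOM.CONFIG.SSL.OLD",                    # CONFIG member default
    dest_overrides={"10.0.0.5": "XCOM.CONFIG.SSL.NEW"},   # DEST member for one remote
    datasets={
        "XCOM.CONFIG.SSL.OLD": SslDataset("XCOM.CONFIG.SSL.OLD", date(2024, 6, 30)),
        "XCOM.CONFIG.SSL.NEW": SslDataset("XCOM.CONFIG.SSL.NEW", date(2025, 6, 30)),
    },
)
SAMPLE_REMOTES = ["10.0.0.5", "10.0.0.9", "10.0.0.12"]

if __name__ == "__main__":
    for ip in SAMPLE_REMOTES:
        print(ip, check_transfer(SAMPLE_SERVER, ip, today=SAMPLE_TODAY))
    # A single-transfer override via SYSIN01 beats both CONFIG and DEST.
    print("override:", check_transfer(SAMPLE_SERVER, "10.0.0.9",
          sysin01={"XCOM_CONFIG_SSL": "XCOM.CONFIG.SSL.NEW"}, today=SAMPLE_TODAY))
    print("still to migrate:", migration_report(SAMPLE_SERVER, SAMPLE_REMOTES, SAMPLE_TODAY))
```

Run as a script, the report lists the remotes still on the old dataset (those with no DEST override and no SYSIN01 override), which is the list to work through before the old certificate's expiry date. Note that the incoming listener is not modelled: as described above it has exactly one SSL configuration file, so the listener side is switched once, by the server's administrator, rather than per remote or per transfer.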

Now, it is also possible, per the IBM RACF documentation, to renew expiring certificates while either keeping the same private key or changing the private key. Here are the links that provide that information:

Here are some links related to resetting/renewing certificates with Top Secret.

Here are links relating to replacing an expired certificate with ACF2:

Please note that certificate management should be performed by the site's Security Administrators.

Additional Information

Before proceeding, you may want to contact your Security Administrator or contact Top Secret, ACF2, or IBM RACF Support.