Performing SSL transfers with XCOM and the SSL certificates are about to expire. What can be done in the configuration file to be able to use both the old and new certificates with no impact to the business?
Certificates are expired or about to expire
The XCOM servers start TCP/IP listeners to receive incoming requests. For the SSL listener, you can have only one configuration file, which establishes the SSL parameters (including certificate information) that are applied to ALL INCOMING SSL transfer requests. This is a proven design that serves as a gatekeeper for incoming SSL activity.
That is the configuration methodology for all REMOTELY initiated SSL transfers. It keeps remote parties (potentially malicious connectors) from changing your SSL configuration to use less secure settings than those you have chosen.
However, for initiating SSL transfers locally, you have several options for switching to updated certificates.
You can also override this SSL configuration dataset setting for INDIVIDUAL TRANSFERS via the XCOM_CONFIG_SSL SYSIN01 parameter. This provides a means to configure SSL transfers at the finest level of granularity, while still providing reasonable defaults per server or per remote destination.
That is the configuration methodology for all LOCALLY initiated SSL transfers.
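The following JCL is an added illustration of that per-transfer override; it is not taken from the article or from the XCOM product documentation. It shows a locally initiated transfer whose SYSIN01 points at a separate SSL configuration member that already references the renewed certificate, while the server-wide listener configuration is left untouched. Only XCOM_CONFIG_SSL and SYSIN01 are names the article itself uses; the job name, data set names, member names, host name, port and the other SYSIN01 keywords are assumptions or placeholders to be replaced with your site's values.

```jcl
//* Added example, not from the article: override the SSL configuration
//* for ONE locally initiated transfer so it uses a member that names the
//* renewed certificate. The listener keeps using its single, server-wide
//* SSL configuration, so incoming transfers are unaffected.
//* All data set, member, host and port values below are placeholders.
//XCOMSSL  JOB (ACCT),'SSL CERT MIGRATION',CLASS=A,MSGCLASS=X
//STEP1    EXEC PGM=XCOMJOB,PARM='TYPE=EXECUTE'
//STEPLIB  DD DISP=SHR,DSN=YOUR.XCOM.LOADLIB
//SYSPRINT DD SYSOUT=*
//SYSIN01  DD *
TYPE=SEND
LFILE=YOUR.LOCAL.DATASET
FILE=REMOTE.TARGET.DATASET
IPNAME=partner.example.com
PORT=8045
SECURE_SOCKET=YES
* Per-transfer override (from the article): SSL config member that
* references the NEW certificate. Transfers that omit this line keep
* using the server/destination default, i.e. the OLD certificate.
XCOM_CONFIG_SSL=YOUR.XCOM.PARMLIB(SSLNEW)
/*
```

Keeping the old and new certificate definitions in two separate members (for example SSLOLD and SSLNEW) lets each initiating job choose the member for the partner it is talking to, so partners can be migrated one at a time; once every partner accepts the renewed certificate, the default configuration can be switched and the overrides removed.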
This design has served our customers well, and provides a means to migrate smoothly, putting the responsibility for overrides in the hands of the user who INITIATES the transfers while protecting the listening server from unwanted connections.
Now, it is also possible, per the IBM RACF documentation, to renew expiring certificates while keeping the same private key or changing the private key. Here are the links that provide that information:
Here are some links related to resetting or renewing certificates with Top Secret:
Here is a link relating to replacing an expired certificate with ACF2:
Please note that certificate management must be managed by the site's Security Administrators.
Before proceeding, you may want to contact your Security Administrator or contact Top Secret, ACF2, or IBM RACF Support.