IBM Support

CEMT PERFORM SSL REBUILD not picking up new certificate

Question & Answer


Question

We have a site certificate that will expire within a week so we are attempting to install a new certificate to replace the current SITE DEFAULT certificate. The newly generated certificate has been placed into the CICS Keyring and the Keyring has been refreshed within our security manager. We then enter command CEMT PERFORM SSL REBUILD which seems to complete successfully with no error messages. However, when we test with the sample Web Support program by entering the following in a browser:

 https://ipaddress:port/CICS/CWBA/DFH$WB1A

then view the certificate with our web browser, it displays the old certificate, which is no longer the default. Can you tell me why it seems as though the SSL REBUILD did not take effect?

Answer

The failing region is making use of a TCPIPSERVICE that uses AT-TLS (SSL=ATTLSAWARE). The PERFORM SSL REBUILD command will not have any effect on AT-TLS.

The procedure to install a new certificate is as follows:

  1. Place the new certificate into the Keyring defined in your AT-TLS policy.

  2. Refresh the Keyring within the security manager.

  3. Change or add an EnvironmentUserInstance value in the policy rule for this CICS traffic.

  4. Enter one of the following Modify commands:

     • F PAGENT,REFRESH

     • F PAGENT,UPDATE

The topic "AT-TLS errors" in the Communications Server documentation discusses this process.
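One way to confirm from a client which certificate the listener is presenting, before and after the Policy Agent refresh. This is an added example, not part of the IBM document; the script name, the function names and the two PEM files (exports of the old and new certificates) are assumptions.

```python
import base64
import hashlib
import re
import socket
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_fingerprint(pem_text):
    """SHA-256 of the first certificate in a PEM export (chains allowed)."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def served_fingerprint(host, port, timeout=10.0):
    """SHA-256 of the certificate the listener presents right now."""
    # Validation is off on purpose: this only identifies the served
    # certificate (it may be expired or privately signed) and sends no data.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


def classify(served, old, new):
    """Report which of the two known certificates is being served."""
    if served == new:
        return "new"
    return "old" if served == old else "unknown"


if __name__ == "__main__":
    # Usage (assumed): check_cert.py HOST PORT old.pem new.pem
    host, port, old_path, new_path = sys.argv[1:5]
    with open(old_path) as f_old, open(new_path) as f_new:
        old, new = pem_fingerprint(f_old.read()), pem_fingerprint(f_new.read())
    result = classify(served_fingerprint(host, int(port)), old, new)
    print(f"{host}:{port} is serving the {result} certificate")
    sys.exit(0 if result == "new" else 1)
```

Each run opens a fresh TLS connection, so the result does not depend on a browser session that was already open before the refresh.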


Product Synonym

CICS/TS CICSTS CICS TS CICS Transaction Server

Document Information

Modified date:
03 February 2017

UID

dwa1353347