IBM Support

CEMT PERFORM SECURITY REBUILD not refreshing Certificate changes in CICS

Question & Answer


Question

I updated my CICS Keyring with some new CA chains for existing certificates. I then attempted to refresh the Secure Sockets Layer (SSL) environment by entering the command CEMT PERFORM SECURITY REBUILD in my CICS Transaction Server for z/OS (CICS TS) region. However, the command had no effect. Do I have to cycle the CICS region to pick up the updates to the key ring?

Answer

Refer to the CICS TS documentation topic Creating New RACF Certificates. Bullets 3 and 4 of the procedure explain that you refresh RACF with the SETROPTS command and refresh CICS with the PERFORM SSL REBUILD command. Do not use the PERFORM SECURITY REBUILD command, because it does not refresh the SSL environment or the cache of certificates.

Following are the referenced bullets:

(3) After running any of the RACDCERT commands that update certificates or key rings, if the DIGTCERT and DIGTRING classes are RACLISTed, you must issue the following command:

 SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH

(4) After you make any updates or additions to the certificates in the key ring, issue the PERFORM SSL REBUILD command for the CICS region. The command rebuilds the SSL environment for the CICS region and refreshes the cache of certificates with the new information from the key ring.



Document Information

Modified date:
10 April 2017

UID

dwa1363744