Question & Answer
Question
How can I dynamically refresh a certificate in CICS Transaction Server for z/OS (CICS TS) when using SSL=ATTLSAWARE on my TCPIPSERVICE definitions?
I experienced a problem today where the renewal of a certificate used by dozens of CICS regions was missed. In the past, when this happened, I was able to dynamically refresh the certificate by entering CEMT PERFORM SSL REBUILD. However, today I noticed that using the CEMT command, closing and reopening ports, or discarding and reinstalling the ports did NOT lead to the new certificate being used. I had to recycle CICS to restore service.
My only recent change to the system was to implement SSL=ATTLSAWARE on my TCPIPSERVICE definitions. Before, I had SSL=YES coded.
Answer
A CEMT PERFORM SSL REBUILD will not work for AT-TLS. To refresh the certificate CICS TS is using when SSL=ATTLSAWARE, you have to do the following:
1. Place the new certificate into the Keyring defined in your AT-TLS policy.
2. Refresh the Keyring within the security manager.
3. Change or add an EnvironmentUserInstance value in the policy rule for this CICS traffic.
4. Enter one of the following Modify commands:
   F PAGENT,REFRESH
   or
   F PAGENT,UPDATE
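The EnvironmentUserInstance step above, as an added example that is not part of the original IBM document: a small Python helper that changes the value if it is present in a TTLSEnvironmentAction block, or adds it if it is not. The rule, action and key ring names in the sample policy are hypothetical, and the helper assumes each brace sits on its own line.

```python
import re

# Constructed sample AT-TLS policy; rule, action and key ring names are hypothetical.
SAMPLE_POLICY = """\
TTLSRule CICSInboundRule
{
  LocalPortRange 4443
  Direction Inbound
  TTLSGroupActionRef GrpOn
  TTLSEnvironmentActionRef CICSEnvAct
}
TTLSEnvironmentAction CICSEnvAct
{
  HandshakeRole Server
  TTLSKeyringParms
  {
    Keyring CICSRING
  }
}
"""

def bump_user_instance(policy: str, action: str) -> str:
    """Change or add EnvironmentUserInstance in the named TTLSEnvironmentAction."""
    lines = policy.splitlines()
    # "\s+" after the keyword keeps TTLSEnvironmentActionRef lines from matching.
    header = re.compile(r"^\s*TTLSEnvironmentAction\s+" + re.escape(action) + r"\s*$")
    setting = re.compile(r"^(\s*EnvironmentUserInstance\s+)(\d+)\s*$")
    start = next((i for i, l in enumerate(lines) if header.match(l)), None)
    if start is None:
        raise ValueError(f"TTLSEnvironmentAction {action} not found")
    depth = 0  # brace nesting; assumes every brace is on its own line
    for i in range(start + 1, len(lines)):
        stripped = lines[i].strip()
        if stripped == "{":
            depth += 1
        elif stripped == "}":
            depth -= 1
            if depth == 0:  # end of the action reached: value was absent, add it
                lines.insert(i, "  EnvironmentUserInstance 1")
                break
        elif depth == 1 and (m := setting.match(lines[i])):
            lines[i] = f"{m.group(1)}{int(m.group(2)) + 1}"  # value present: change it
            break
    else:
        raise ValueError("unterminated TTLSEnvironmentAction block")
    return "\n".join(lines) + "\n"
```

The edited policy takes effect only after one of the Modify commands listed above is entered.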
Product Synonym
CICS/TS CICSTS CICS TS CICS Transaction Server
Document Information
Modified date: 17 September 2018
UID: dwa1451085