IBM Support

TCPIPSERVICE with ATTLSAWARE requires recycle of CICS for certificate changes

Question & Answer


Question

How can I dynamically refresh a certificate in CICS Transaction Server for z/OS (CICS TS) when using SSL=ATTLSAWARE on my TCPIPSERVICE definitions?

I experienced a problem today where the renewal of a certificate used by dozens of CICS regions was missed. In the past, when this happened, I was able to dynamically refresh the certificate by entering CEMT PERFORM SSL REBUILD. However, today I noticed that using the CEMT command, closing and reopening ports, or discarding and reinstalling the ports did NOT lead to the new certificate being used. I had to recycle CICS to restore service.

My only recent change to the system was to implement SSL=ATTLSAWARE on my TCPIPSERVICE definitions. Before, I had SSL=YES coded.

Answer

A CEMT PERFORM SSL REBUILD will not work for AT-TLS. To refresh the certificate CICS TS is using when SSL=ATTLSAWARE, you have to do the following:

  1. Place the new certificate into the Keyring defined in your AT-TLS policy.

  2. Refresh the Keyring within the security manager.

  3. Change or add an EnvironmentUserInstance value in the policy rule for this CICS traffic.

  4. Enter one of the following Modify commands:
    F PAGENT,REFRESH
    or
    F PAGENT,UPDATE
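
An illustrative AT-TLS policy fragment showing where the value in step 3 sits, added here as an example and not taken from the IBM document or from any real configuration. The rule, action and key ring names, the job name pattern, the port, the user ID, the certificate label and the instance numbers are hypothetical, and the RACF commands in the comments assume RACF is the security manager.

```conf
# Constructed example: all names, the port and the numbers are placeholders.
# Steps 1-2 (assumption: RACF is the security manager), issued from TSO:
#   RACDCERT ID(CICSUSR) CONNECT(ID(CICSUSR) LABEL('NEW CICS CERT') +
#            RING(CICSRING) DEFAULT USAGE(PERSONAL))
#   SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH

TTLSRule                      CICS_Inbound
{
  LocalPortRange              4443
  Direction                   Inbound
  Jobname                     CICS*
  TTLSGroupActionRef          CICS_Group
  TTLSEnvironmentActionRef    CICS_Env
}

TTLSGroupAction               CICS_Group
{
  TTLSEnabled                 On
}

TTLSEnvironmentAction         CICS_Env
{
  HandshakeRole               Server
  TTLSKeyringParms
  {
    Keyring                   CICSRING
  }
  # Step 3: change this value (here from 1 to 2), or add the
  # statement if the action does not have one yet.
  EnvironmentUserInstance     2
}

# Step 4, from the z/OS console:
#   F PAGENT,REFRESH
#   or
#   F PAGENT,UPDATE
```

Changing EnvironmentUserInstance makes the environment action differ from the installed one, so the Policy Agent refresh causes AT-TLS to build a new environment that reads the key ring again.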



Document Information

Modified date:
17 September 2018

UID

dwa1451085