I have identical certdata records and certificates on two ACF2 databases. I replaced one to extend its expiration date. What would be the best way to propagate that change to the second database?

Document ID : KB000025883
Last Modified Date : 14/02/2018

Question:  

I have identical certdata records and certificates on two ACF2 databases. I replaced one to extend its expiration date. What would be the best way to propagate that change to the second database?

Answer:  

Because the certificates are identical on the two systems (other than the validity dates), it should be OK to delete the certificate on the second system and copy over the updated certificate from the first system. This is the process in detail:

  1. EXPORT the replacement certificate from sysa to a dataset
  2. EXPORT the expiring certificate on sysb to a dataset to save it, just in case.
  3. DELETE the expiring certificate from sysb.
  4. Issue F ACF2,REBUILD(USR),CLASS(P)
  5. Issue F ACF2,OMVS(CERTDATA)
  6. INSERT the replacement certificate from the EXPORT dataset for sysa
  7. Issue CHKCERT to verify that the display is the same on both sysa and sysb
  8. Issue F ACF2,REBUILD(USR),CLASS(P)
  9. Issue F ACF2,OMVS(CERTDATA)
  10. Bounce any address spaces that reference the keyrings to which a replaced certificate is connected.

Commands:
On sysa
-------
ACF
EXPORT userid.cert1 DSN('saved.userid.cert1.sysa') FORMAT(PKCS12DER) -
PASSWORD(pkcs12 password)

On sysb
-------
ACF
EXPORT userid.cert1 DSN('saved.userid.cert1.sysb') FORMAT(PKCS12DER) -
PASSWORD(pkcs12 password)
SET PROFILE(USER) DIV(CERTDATA)
DELETE userid.cert1
F ACF2,REBUILD(USR),CLASS(P)
F ACF2,OMVS(CERTDATA)
INSERT userid.cert1 DSN('saved.userid.cert1.sysa') -
PASSWORD(pkcs12 password) TRUST
CHKCERT userid.cert1
F ACF2,REBUILD(USR),CLASS(P)
F ACF2,OMVS(CERTDATA)