IBM Server certificates signed by GeoTrust are being replaced by DigiCert signed certificates. What do I need to do in ACF2?

Document ID : KB000010964
Last Modified Date : 14/02/2018
Introduction:

Immediate Action Required Before January 29, 2018:

New Certificate Authority (CA) Certificate


IBM Server certificates signed by GeoTrust are being replaced by DigiCert signed certificates.

There are several IBM servers which provide support for ordering and downloading z/OS software products and service. These servers use Secure Sockets Layer (SSL) technology to perform secure and encrypted communications between client and server applications. To enable this secure communication technology, servers identify themselves using x.509 certificates, and trusted certificate authority (CA) certificates are used to authenticate the servers.


Background:

The server certificates and some of the certificate authority (CA) certificates used by the IBM servers are expiring and must be replaced. The current, expiring certificates are authenticated using the GeoTrust Global CA certificate. Because DigiCert Inc. acquired Symantec's Web PKI business (which included the GeoTrust certificate authority) in 2017, the replacement server certificates will no longer be authenticated using the GeoTrust Global CA certificate. Instead, the replacement server certificates will be authenticated using the DigiCert Global Root CA certificate.

Therefore, to continue accessing the affected IBM servers from your z/OS systems, you must obtain the DigiCert Global Root CA certificate and install it as a trusted CA certificate in your z/OS security manager databases. Without this certificate, SMP/E RECEIVE ORDER will fail with message GIM69207S "RECEIVE PROCESSING HAS FAILED BECAUSE THE CONNECTION WITH THE SERVER FAILED. javax.net.ssl.SSLHandshakeException…"


Instructions:

To obtain and add the DigiCert Global Root CA certificate to your z/OS security manager database, perform the following steps:

1. Download the DigiCert Global Root CA certificate file to your workstation from https://www.digicert.com/CACerts/DigiCertGlobalRootCA.crt. For your reference, the certificate has this serial number: 083BE056904246B1A1756AC95991C74A. If you have trouble downloading the file directly using the link above, then, depending on how you are viewing this document, you may be able to right-click the link above and use "Save Link As…" to download the file to your workstation. Alternatively, go to https://www.digicert.com/digicert-root-certificates.htm, find "Digicert Global Root CA" in the list of Root Certificates, right-click its "Download" link, and use "Save Link As…" to download the file to your workstation.

2. Upload the certificate file to your z/OS system. You can use FTP or another method, but be sure the file is uploaded in binary format and stored into a sequential data set with RECFM=VB and LRECL>=256.

3. After you have stored the certificate in a sequential data set, add it to your security manager database. If you are using RACF, then you can use the following command:

RACDCERT CERTAUTH ADD('ca-cert.dataset.name') +
WITHLABEL('DigiCert Global Root CA') TRUST

where ca-cert.dataset.name is the name of the sequential data set you uploaded containing the certificate file.

In ACF2, you would do this:

ACF
SET PROFILE(USER) DIV(CERTDATA)
INSERT CERTAUTH.DigiCert DSN('ca-cert.dataset.name') LABEL(DigiCert Global Root CA) TRUST

4. To enable SMP/E RECEIVE ORDER after the certificate has been added to your security manager database, connect it to the keyring you use for SMP/E RECEIVE ORDER operations. If you are using RACF, then you can use the following command:

RACDCERT ID(ring-owner) CONNECT( CERTAUTH +
LABEL('DigiCert Global Root CA') +
RING(keyringname) USAGE(CERTAUTH) )

In ACF2, you would do this:

ACF
SET PROFILE(USER) DIV(KEYRING)
CONNECT CERTDATA(CERTAUTH.DigiCert) KEYRING(ring-owner.keyringname) USAGE(CERTAUTH)

Do NOT delete the GeoTrust Global CA certificate from your z/OS security manager database, or from the keyring you use for SMP/E operations, until after all the IBM servers have been updated to use the new server and CA certificates, and any other servers you rely on have replaced their GeoTrust-authenticated certificates.
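As an added check for steps 1 and 2 (example code written for this note, not part of the IBM or CA document), the following Python parses the downloaded certificate file as binary DER and confirms that its serial number matches the one quoted above before the file is uploaded; it also rejects a PEM text download, which would not survive a binary upload correctly. The sample bytes are a constructed skeleton carrying only the leading fields of a certificate, not the real DigiCert certificate.

```python
EXPECTED_SERIAL = "083BE056904246B1A1756AC95991C74A"  # serial quoted in the notice


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def certificate_serial(der: bytes) -> int:
    """Return the serialNumber of a DER-encoded X.509 certificate as an int."""
    if der.startswith(b"-----BEGIN"):
        raise ValueError("PEM text, not binary DER: not what the binary upload expects")
    tag, cert, _ = _read_tlv(der, 0)  # Certificate ::= SEQUENCE { tbsCertificate, ... }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (file damaged or not binary)")
    tag, tbs, _ = _read_tlv(cert, 0)  # tbsCertificate ::= SEQUENCE { [0] version, serial, ... }
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, val, nxt = _read_tlv(tbs, 0)
    if tag == 0xA0:  # optional EXPLICIT [0] version precedes the serialNumber
        tag, val, nxt = _read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(val, "big", signed=True)


def serial_matches(der: bytes, expected_hex: str = EXPECTED_SERIAL) -> bool:
    """True when the certificate's serial equals the expected value."""
    return certificate_serial(der) == int(expected_hex, 16)


# Constructed sample: only the leading fields of a tbsCertificate, enough to
# exercise the parser; it is NOT the real DigiCert certificate.
SAMPLE_DER = _tlv(0x30, _tlv(0x30,
    _tlv(0xA0, _tlv(0x02, b"\x02"))                      # version v3
    + _tlv(0x02, bytes.fromhex(EXPECTED_SERIAL))          # serialNumber
    + _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B")))))  # signature OID

if __name__ == "__main__":
    print("serial matches:", serial_matches(SAMPLE_DER))  # True
```

To check a real download, read the .crt file with `open(path, "rb").read()` and pass the bytes to `serial_matches`.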


Additional Information: