Renewing SSL certificates for CA XCOM

Document ID : KB000091922
Last Modified Date : 27/04/2018
Issue:
We are performing SSL transfers with CA XCOM and the SSL certificates are about to expire. I need to know what can be done in the configuration file to be able to use both the old and the new certificates with no impact to the business.
Environment:
XCOM r12, RACF, Top Secret, ACF2
Resolution:
The XCOM servers start TCP/IP listeners to receive incoming requests. For the SSL listener, there is only one configuration file that establishes the SSL parameters (including the certificate information), and it is applied to ALL INCOMING SSL transfer requests. This is a proven design, and it serves as a gatekeeper for incoming SSL activity.

That is the configuration methodology for all REMOTELY initiated SSL transfers. It keeps remote parties (potentially malicious connectors) from modifying your SSL configuration to use less secure settings than those you have chosen.

However, for SSL transfers initiated locally, you have several options for switching to updated certificates. You can create a separate XCOM_CONFIG_SSL dataset that points to the NEW certificates. This dataset can be made the default by setting the XCOM_CONFIG_SSL parameter in the server's CONFIG member. It can also be specified (overriding the default) for all transfers to a SPECIFIC REMOTE TCP/IP address via an XCOM DEST member. Finally, the SSL configuration dataset can be overridden for INDIVIDUAL TRANSFERS via the XCOM_CONFIG_SSL SYSIN01 parameter. This lets you configure SSL transfers at the finest possible granularity while still providing reasonable defaults per server or per remote destination.

That is the configuration methodology for all LOCALLY initiated SSL transfers. 
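As an added illustration of the three override levels during a rollover (not taken from the original article or from CA's own documentation), the fragments below keep locally initiated transfers on the NEW certificate by default while one partner that has not yet trusted the new issuer is pinned to the OLD one. Dataset names, member names, the remote address and the IPNAME/PORT/SECURE_SOCKET/TYPE parameters are assumed for illustration; confirm the exact member layout against your own XCOM parameter library, and leave the listener's single SSL configuration untouched until the cutover.

```text
* --- Server CONFIG member (assumed dataset names, for illustration) ---
* Default for LOCALLY initiated transfers: the SSL configuration
* dataset that references the NEW certificate.
XCOM_CONFIG_SSL=XCOM.PARMLIB(SSLNEW)

* --- DEST member for one remote partner (assumed address) ---
* This partner has not imported the new certificate chain yet, so every
* transfer to this address overrides the default and stays on the OLD
* certificate configuration until the partner confirms trust.
IPNAME=partner.example.com
PORT=8044
SECURE_SOCKET=YES
XCOM_CONFIG_SSL=XCOM.PARMLIB(SSLOLD)

* --- SYSIN01 for one individual transfer (assumed) ---
* Per-transfer override, the finest level: test the NEW certificate
* with this partner before changing its DEST member. Remove the line
* once the DEST member has been switched to SSLNEW.
TYPE=EXECUTE
IPNAME=partner.example.com
SECURE_SOCKET=YES
XCOM_CONFIG_SSL=XCOM.PARMLIB(SSLNEW)
```

The SYSIN01 value is assumed to take precedence over the DEST member, which in turn takes precedence over the CONFIG default, so each partner can be migrated one transfer, then one destination, at a time.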

This design has served our customers well. It provides a means to migrate smoothly, putting the responsibility for overrides in the hands of the user who INITIATES the transfers while protecting the listening server from unwanted connections.

Now, per the IBM documentation, it is also possible to renew expiring certificates while keeping the same Private Key or while changing the Private Key. Here are the links that provide that information:
To renew with same key: 

https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha700/rensk.htm 

To renew with new key: 

https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha700/rennk.htm 

*** Please note that certificate management should be handled by the site's Security Administrators.
Additional Information:
The above links apply to IBM's RACF. Here are some links related to resetting or renewing certificates with CA Top Secret:

https://comm.support.ca.com/kb/is-there-a-command-that-resets-an-expiration-date-on-a-digital-certificate/kb000013320
https://comm.support.ca.com/kb/how-to-replace-an-expiring-user-digital-certificate-signed-by-local-certificate-authority/kb000052804

Before proceeding, you may want to contact your Security Administrator or contact CA Top Secret, CA ACF2, or IBM RACF Support.