z/OS 2.1 IBM APAR OA45324 and SSL Certificates

Document ID : KB000030811
Last Modified Date : 14/02/2018

Question:  

IBM APAR OA45324 states the following:

With the installation of this PTF, System SSL will no longer 
allow Version 1, Version 2 or Version 3 Intermediate Certificate 
Authority certificates created without the basic constraints 
extension to be validated as untrusted certificates. Untrusted 
certificates are certificates that are provided outside of the 
supported certificate stores that flow during the establishment 
of SSL/TLS secure connections and passed directly by 
applications that perform certificate validation. These 
certificates will continue to be allowed when stored in a 
trusted certificate store (i.e. key database file, SAF key ring 
and z/OS PKCS #11 Tokens). 

 

Are there any fixes that need to be applied, or any changes that need to be made in Top Secret, for SSL certificates with this APAR applied?

 

Answer:

All Top Secret certificates are fine. They are created with the 'Basic Constraints' extension.

Top Secret certificates carry the 'X509v3 Basic Constraints' extension, which APAR OA45324 states are fine. Applying IBM APAR OA45324 will have no effect on certificates created in Top Secret.

You can run the SAF certificate utility SAFCRRPT with 'RECORDID(-) DETAIL EXT' and look for 'X509v3 Basic Constraints'.
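To make the same check on a certificate exported in DER form, outside of SAFCRRPT, the following added example (not from the original article, CA or IBM) walks the DER structure and reports whether the Basic Constraints extension (OID 2.5.29.19) is present. The function names and the constructed certificate skeleton are assumptions made for illustration.

```python
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # DER encoding of OID 2.5.29.19

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element in [start, end)."""
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def basic_constraints(der):
    """Return None if the extension is absent, else its critical and cA flags."""
    _, cs, _ = read_tlv(der, 0)            # Certificate
    _, ts, te = read_tlv(der, cs)          # TBSCertificate
    for tag, vs, _ in children(der, ts, te):
        if tag != 0xA3:                    # [3] EXPLICIT extensions, v3 only
            continue
        _, es, ee = read_tlv(der, vs)      # SEQUENCE OF Extension
        for _, xs, xe in children(der, es, ee):
            fields = list(children(der, xs, xe))
            if der[fields[0][1]:fields[0][2]] != BASIC_CONSTRAINTS_OID:
                continue
            critical = len(fields) == 3 and der[fields[1][1]] != 0
            _, bs, be = read_tlv(der, fields[-1][1])   # SEQUENCE inside extnValue
            inner = list(children(der, bs, be))
            ca = bool(inner) and inner[0][0] == 0x01 and der[inner[0][1]] != 0
            return {"critical": critical, "ca": ca}
    return None

def tlv(tag, body):
    """Encode one short-form DER element (enough for the constructed sample)."""
    return bytes([tag, len(body)]) + body

def sample(with_bc):
    """Constructed certificate skeleton, not a real or verifiable certificate."""
    ext = tlv(0x30, tlv(0x06, BASIC_CONSTRAINTS_OID) + tlv(0x01, b"\xff")
              + tlv(0x04, tlv(0x30, tlv(0x01, b"\xff"))))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
    if with_bc:
        tbs += tlv(0xA3, tlv(0x30, ext))
    return tlv(0x30, tlv(0x30, tbs))

if __name__ == "__main__":
    for label, der in (("with extension", sample(True)), ("without", sample(False))):
        print(label, "->", basic_constraints(der))
```

A result of `None` covers both Version 1 or Version 2 certificates, which have no extensions block, and Version 3 certificates that omit the extension.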

Additional Information: 

Link to the CA Top Secret Report and Tracking Guide and the Certificate Utility SAFCRRPT: 

https://support.ca.com/cadocs/0/CA%20Top%20Secret%20%20Security%20for%20z%20OS%20r15-ENU/Bookshelf_Files/PDF/TSS_Report_zOS_ENU.pdf