IBM Support

OA46452: HOD CLIENT IS USING CERTIFICATE THAT IS EXPIRED EVEN THOUGH A NEWER CERTIFICATE IS AVAILABLE

APAR status

  • Closed as program error.

Error description

  • When accessing the HOD client and starting an SSL session, the
    client receives a com 666 indicating the certificate has
    expired.  There is a new certificate, but the client tried to
    use the expired certificate by default.  It seems the browser
    uses the expired one by default, so the user cannot connect.
    

Local fix

  • Delete the expired certificate in the browser in order to use
    the newer certificate.
    

Problem summary

  • An HOD session that is configured to use the MSIE browser's
    keyring for SSL fails to connect if both valid and expired
    certificates of the intermediate CA are present in the
    browser's keyring.
    When the server's SSL certificate is signed by an intermediate
    CA and the CA certificates are present in the client MSIE
    browser's keyring, the connection fails if an older/expired
    certificate of the intermediate CA is also present in the
    keyring.
    Once the expired certificate of the intermediate CA is removed
    and only the valid certificates are present in the MSIE
    browser's keyring, the HOD session connects.
    When both the valid and the expired intermediate CA
    certificates are present in the MSIE browser's keyring, the
    SSLite library used by HOD gives preference to the
    older/expired certificate while verifying the server's
    certificate. As a result, the server certificate is considered
    expired/invalid and the session connection fails.
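
The issuer-selection problem described above, modelled as an added example (this is not IBM's SSLite code). The `Cert` record, the function names and all sample certificates are constructed for illustration, and the valid-first selection rule is an assumption about how a path builder should behave, not a description of the shipped fix.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    label: str            # constructed tag standing in for a thumbprint
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

def is_valid(cert, now):
    return cert.not_before <= now <= cert.not_after

def candidates(keyring, child):
    """Keyring entries whose subject name matches the child's issuer name."""
    return [c for c in keyring if c.subject == child.issuer]

def pick_issuer_oldest_first(keyring, child):
    """Selection as the APAR describes it: the older certificate wins, expired or not."""
    found = candidates(keyring, child)
    return min(found, key=lambda c: c.not_before) if found else None

def pick_issuer_valid_first(keyring, child, now):
    """Assumed correction: consider only currently valid candidates, latest expiry first."""
    found = [c for c in candidates(keyring, child) if is_valid(c, now)]
    return max(found, key=lambda c: c.not_after) if found else None

def shadowing_expired(keyring, now):
    """Expired entries that share a subject with a valid entry (what the local fix deletes)."""
    valid_subjects = {c.subject for c in keyring if is_valid(c, now)}
    return [c for c in keyring if c.not_after < now and c.subject in valid_subjects]

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data (names and dates are illustrative only).
NOW = utc(2015, 1, 1)
OLD_CA = Cert("old", "CN=Example Intermediate CA", "CN=Example Root CA", utc(2009, 1, 1), utc(2014, 1, 1))
NEW_CA = Cert("new", "CN=Example Intermediate CA", "CN=Example Root CA", utc(2013, 6, 1), utc(2023, 6, 1))
SERVER = Cert("server", "CN=host.example.test", "CN=Example Intermediate CA", utc(2014, 2, 1), utc(2016, 2, 1))
KEYRING = [NEW_CA, OLD_CA]

if __name__ == "__main__":
    flawed = pick_issuer_oldest_first(KEYRING, SERVER)
    print("oldest-first picks:", flawed.label, "valid:", is_valid(flawed, NOW))
    print("valid-first picks: ", pick_issuer_valid_first(KEYRING, SERVER, NOW).label)
    print("remove from keyring:", [c.label for c in shadowing_expired(KEYRING, NOW)])
```
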
    

Problem conclusion

  • The SSL library has been fixed to address the issue.
    The fix is scheduled for the HOD 11.0.12 Refresh Pack.
    

Temporary fix

Comments

APAR Information

  • APAR number

    OA46452

  • Reported component name

    HOD MVS

  • Reported component ID

    5733A5900

  • Reported release

    B08

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-11-04

  • Closed date

    2015-02-12

  • Last modified date

    2015-02-12

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Modules/Macros

  • sslite
    

Fix information

  • Fixed component name

    HOD MVS

  • Fixed component ID

    5733A5900

Applicable component levels

  • RB0B PSY

       UP

Document Information

Modified date:
19 April 2021