IBM Support

Default SSL certificates for TWS z/OS

Question & Answer


Question

How to check the expiration dates of the TWS z/OS default certificates.

Cause

Default certificates need to be renewed by December 10, 2013.

Answer

The default SSL certificates that TWS provides expire on 10 Feb. 2014. TWS for z/OS connects those certificates to the default key ring, called EQQRING. If that date is reached without the certificates having been renewed, you could experience connection problems with TWS for z/OS features such as:

  • Z centric;
  • Cross dependencies;
  • Dynamic scheduling.

The problem occurs on TWS for z/OS releases 8.5.1 and 8.6, and only if the HTTPS protocol is used with the default certificates provided as part of the TWSz product package. This technote explains how to check the expiration dates of the TWS default certificates.

Note: For complete information concerning default certificates see technote 1628601:
http://www-01.ibm.com/support/docview.wss?uid=swg21628601


Procedure:

To perform the procedure steps, that is, to browse the certificate contents, you need the RACF SPECIAL attribute or sufficient authority to the IRR.DIGTCERT.LIST resource in the FACILITY class for your intended purpose. In detail:

Access level    Purpose
READ            List your own certificate.
UPDATE          List another user's certificate.
CONTROL         List SITE or CERTAUTH certificates.


See the following link for more information about assigning these access rights:

http://pic.dhe.ibm.com/infocenter/zos/v1r12/index.jsp?topic=%2Fcom.ibm.zos.r12.icha700%2Fcracd.htm


With that authority in place, run the following procedure:

1) Access the RACF ISPF PANEL. Select the "DIGITAL CERTIFICATES, KEY RINGS, AND TOKENS" option

2) Select "Key Ring Functions"

3) Enter the name of the user running the TWS for z/OS controller in the "For User" field and select the "List existing key ring(s)" option

4) Provided you are in the default SSL configuration, type EQQRING in the field asking for the name of the key ring to be listed. The result will be similar to the following:

Certificate Label Name           Cert Owner  USAGE    DEFAULT
-------------------------------- ----------- -------- --------
EQQCERCL                         ID(RACFID2) PERSONAL YES
EQQCERSR                         ID(RACFID2) CERTAUTH NO

Note the values in the "Certificate Label Name" column.

5) Return to the "Digital Certificates and Related Functions" menu and select the "Digital Certificate Functions" option

6) In the following menu, select the "Add, Alter, Delete, or List certificates.........." option

7) Fill in the "(User ID)" field with the name of the RACF user running the TWS for z/OS controller. After that, select the "List a certificate using a filter and ....." option

8) In the "List by Label(in quotes)" field, specify the label values obtained in step 4 and select the related menu option. The result will be similar to:

Label: EQQCERSR
Certificate ID: 2QfZwcPGycTyxdjYw8XZ4tlA
Status: TRUST
Start Date: 2005/11/24 14:43:16
End Date: 2014/02/10 14:43:16
Serial Number: 4385C374
Issuer's Name: CN=Server.OU=TWS.O=IBM.C=US
Subject's Name: CN=Server.OU=TWS.O=IBM.C=US

The End Date value represents the certificate expiration date.
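
An added example, not part of the original technote: a Python sketch that parses certificate listing text saved in the `Label:` / `End Date:` layout shown in step 8 and flags entries that are expired or close to expiry. The function names, the 90-day warning threshold, and the SAMPLECERT entry are assumptions made for this illustration.

```python
from datetime import datetime

# Constructed sample input. The EQQCERSR fields copy the listing in step 8;
# the SAMPLECERT entry is invented so the report has a non-expiring case.
SAMPLE_LISTING = """\
Label: EQQCERSR
Status: TRUST
Start Date: 2005/11/24 14:43:16
End Date: 2014/02/10 14:43:16
Serial Number: 4385C374

Label: SAMPLECERT
Status: TRUST
Start Date: 2013/01/01 00:00:00
End Date: 2023/01/01 00:00:00
"""
DATE_FORMAT = "%Y/%m/%d %H:%M:%S"


def parse_listing(text):
    """Return one dict per certificate; each 'Label' line starts a new entry."""
    certs = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if not sep:
            continue
        if key.strip() == "Label":
            certs.append({})
        if certs:  # ignore fields that appear before any Label line
            certs[-1][key.strip()] = value.strip()
    return certs


def expiry_report(text, now, warn_days=90):
    """Return (label, state, days_left); state is EXPIRED/EXPIRING/OK/UNKNOWN."""
    report = []
    for cert in parse_listing(text):
        try:
            end = datetime.strptime(cert["End Date"], DATE_FORMAT)
        except (KeyError, ValueError):  # field missing or not a valid date
            report.append((cert["Label"], "UNKNOWN", None))
            continue
        days_left = (end - now).days
        state = "EXPIRED" if end <= now else "EXPIRING" if days_left <= warn_days else "OK"
        report.append((cert["Label"], state, days_left))
    return report


if __name__ == "__main__":
    for row in expiry_report(SAMPLE_LISTING, datetime(2013, 12, 10)):
        print(row)
```

Entries reported as UNKNOWN have a missing or unparseable End Date and should be checked by hand in the RACF panels.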


Document Information

Modified date:
13 September 2019

UID

swg21653111