Question & Answer
Question
We have a site certificate that will expire within a week so we are attempting to install a new certificate to replace the current SITE DEFAULT certificate. The newly generated certificate has been placed into the CICS Keyring and the Keyring has been refreshed within our security manager. We then enter command CEMT PERFORM SSL REBUILD which seems to complete successfully with no error messages. However, when we test with the sample Web Support program by entering the following in a browser:
https://ipaddress:port/CICS/CWBA/DFH$WB1A
then view the certificate with our web browser, it displays the old certificate, which is no longer the default. Can you tell me why it seems as though the SSL REBUILD did not take effect?
Answer
The failing region is making use of a TCPIPSERVICE that uses AT-TLS (SSL=ATTLSAWARE). The PERFORM SSL REBUILD command will not have any effect on AT-TLS.
The procedure to install a new certificate is as follows:
1. Place the new certificate into the Keyring defined in your AT-TLS policy.
2. Refresh the Keyring within the security manager.
3. Change or add an EnvironmentUserInstance value in the policy rule for this CICS traffic.
4. Enter one of the following Modify commands:
   F PAGENT,REFRESH
   F PAGENT,UPDATE
The topic "AT-TLS errors" in the Communication Server documentation discusses this process.
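As an added illustration of the EnvironmentUserInstance step (not taken from this document or from the Communications Server documentation), the fragment below shows where the value sits in a Policy Agent AT-TLS policy. The rule and action names, the port 8443 and the key ring name CICSRING are hypothetical placeholders; substitute the values from your own policy.

```text
# Added example: AT-TLS policy fragment for inbound CICS web traffic.
# All names, the port and the key ring below are hypothetical placeholders.

TTLSRule                      CICS_Web_Inbound
{
  LocalPortRange              8443          # port of the TCPIPSERVICE defined with SSL=ATTLSAWARE
  Direction                   Inbound
  TTLSGroupActionRef          grp_CICS
  TTLSEnvironmentActionRef    env_CICS_Server
}

TTLSGroupAction               grp_CICS
{
  TTLSEnabled                 On
}

TTLSEnvironmentAction         env_CICS_Server
{
  HandshakeRole               Server
  TTLSKeyringParmsRef         key_CICS

  # The key ring is read when the TLS environment for this action is built.
  # Adding this statement, or changing its number (for example 1 -> 2),
  # marks the action as changed so that the next policy refresh builds a
  # new environment and picks up the current key ring contents.
  #
  # Before the certificate replacement:
  #   EnvironmentUserInstance   1
  # After the certificate replacement:
  EnvironmentUserInstance     2
}

TTLSKeyringParms              key_CICS
{
  Keyring                     CICSRING      # key ring that now holds the new default certificate
}
```

After the F PAGENT command completes, open a new connection to the service and confirm that the certificate presented carries the new expiration date.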
Product Synonym
CICS/TS CICSTS CICS TS CICS Transaction Server
Document Information
Modified date:
03 February 2017
UID
dwa1353347