IBM z/OSMF

The IBM z/OS Management Facility framework improves programmer productivity by using simplified, streamlined and automated tasks. This easier-to-use functionality reduces both programmer training time and the learning curve.

How to fix expired self-signed certificate issues for z/OSMF

By ZHI LI posted Tue June 20, 2023 05:18 AM

  

If you get a certificate-expired warning or error when using z/OSMF, you need to work with your security administrator to renew the z/OSMF server certificate. This blog describes how to renew the self-signed CA and server certificates for the z/OSMF server. It is recommended to renew the certificates before they expire, though the same steps also apply after they have expired.

The IZUSEC sample job shipped in V2R5 and earlier releases has a default certificate expiration date of 2023/05/17 for the self-signed CA and server certificates. A lot of people have been experiencing z/OSMF certificate-expired issues since that date. If you want to fix the expired CA and server certificates without changing the z/OSMF PARMLIB configuration, you have 3 options:
1.    Delete the existing expired certificates and recreate all certificates using the same commands from the IZUSEC sample job that was submitted last time, with a new expiration date in the future.
2.    Keep the existing expired certificates but rekey them with new expiration dates.
3.    Keep the existing expired certificates and, without changing any private keys, just extend the expiration dates.
 
I would recommend option 3 since it has the least impact on all applications running on top of z/OSMF. Here are the instructions for option 3, which takes only 4 steps.
 
1.    Create a renewal request for the CA certificate. In the sample command below, the dataset IBMUSER.ZOSMFCA.RENEW will contain the request. The label name "zOSMFCA" is the default name of the CA label in IZUSEC.
RACDCERT CERTAUTH GENREQ(LABEL('zOSMFCA')) DSN('IBMUSER.ZOSMFCA.RENEW')
2.    Submit the renewal request, with a new expiration date of 2039/05/17. You can customize the expiration date if needed.
RACDCERT CERTAUTH GENCERT('IBMUSER.ZOSMFCA.RENEW') SIGNWITH(CERTAUTH LABEL('zOSMFCA')) NOTAFTER(DATE(2039/05/17))
3.    Create the renewal request for the server certificate. In my sample, the dataset IBMUSER.ZOSMFCA.RENEW2 will contain the request. The server certificate label name is DefaultzOSMFCert.IZUDFLT, which is the default label name used in IZUSEC.
RACDCERT ID(IZUSVR) GENREQ(LABEL('DefaultzOSMFCert.IZUDFLT')) DSN('IBMUSER.ZOSMFCA.RENEW2')
4.    Submit the renewal request, signing with the CA certificate we just renewed in step 2, with an expiration date of 2023/05/17. If you have customized the expiration date above, you will also need to change the expiration date here. Make sure the expiration date of the server certificate is no later than the expiration date of the CA certificate.
RACDCERT ID(IZUSVR) GENCERT('IBMUSER.ZOSMFCA.RENEW2') SIGNWITH(CERTAUTH LABEL('zOSMFCA')) NOTAFTER(DATE(2039/05/17))

After submitting the commands above, restart z/OSMF for the change to take effect.
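
To confirm the result of the four steps, the output of RACDCERT CERTAUTH LIST(LABEL('zOSMFCA')) and RACDCERT ID(IZUSVR) LIST(LABEL('DefaultzOSMFCert.IZUDFLT')) can be checked for the new End Date values. The script below is an added example, not part of the original post or of IBM's tooling: it parses a constructed, abbreviated sample of that output (the layout of the Label, Status, Start Date and End Date lines is an assumption) and verifies that neither certificate is expired and that the server certificate does not outlive the CA certificate.

```python
import re
from datetime import datetime

# Constructed, abbreviated sample of RACDCERT LIST output (not captured from a
# real system); only the fields used by the check are shown.
SAMPLE_LIST_OUTPUT = """\
Digital certificate information for CERTAUTH:

  Label: zOSMFCA
  Status: TRUST
  Start Date: 2023/06/20 00:00:00
  End Date:   2039/05/17 23:59:59

Digital certificate information for user IZUSVR:

  Label: DefaultzOSMFCert.IZUDFLT
  Status: TRUST
  Start Date: 2023/06/20 00:00:00
  End Date:   2039/05/17 23:59:59
"""

FIELD = re.compile(r"^\s*(Label|Status|Start Date|End Date):\s*(.+?)\s*$")

def parse_list_output(text):
    """Return {label: {'Status': str, 'Start Date': datetime, 'End Date': datetime}}."""
    certs, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Label":
            current = certs.setdefault(value, {})  # a Label line starts a new entry
        elif current is not None:
            current[key] = (datetime.strptime(value, "%Y/%m/%d %H:%M:%S")
                            if key.endswith("Date") else value)
    return certs

def check_renewal(text, ca_label, server_label, now):
    """List problems with the renewed pair; an empty list means every check passed."""
    certs = parse_list_output(text)
    ends = {l: certs.get(l, {}).get("End Date") for l in (ca_label, server_label)}
    problems = []
    for label, end in ends.items():
        if end is None:
            problems.append(f"{label}: End Date not found")
        elif end <= now:
            problems.append(f"{label}: expired on {end:%Y/%m/%d}")
    # The server certificate must not expire later than the CA that signed it.
    if all(ends.values()) and ends[server_label] > ends[ca_label]:
        problems.append(f"{server_label}: expires after {ca_label}")
    return problems
```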

Disclaimer:
1.    This document is intended to represent the views of the author rather than IBM.
2.    The recommended solutions are not guaranteed; please contact the author at lilzhi@cn.ibm.com instead of IBM service with any questions.
