Thanks, Dana,

That helps with part of my confusion.  On the SMP/E side of it, I was just 
looking for confirmation that I hadn't missed anything blatant.  We use the 
HTTPS method of downloading, and I have the appropriate cert in my RACF 
database.  

What about things like tapetools?  Do I need to be concerned whether my TS7760 
libraries or my DS8910F disk arrays have these certs embedded in them in order 
to send diagnostic information to IBM (if needed)?  I have no visibility into 
this hardware to see if they're compatible or not.  

Rex

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Dana Mitchell
Sent: Friday, June 2, 2023 11:23 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: IBM download server root CA change

On Fri, 2 Jun 2023 15:55:47 +0000, Pommier, Rex <rpomm...@sfgmembers.com> wrote:

>Hi list,
>
>I'm a bit perplexed about this certificate change.  Kurt gave us ample warning 
>about the SMP/E changes (thanks, Kurt).  I also got a red alert telling me of 
>the impending change.  In addition, I got an e-mail earlier this week from the 
>tapetools folks telling us that TT will start using the new cert next week.  
>The link in the TT e-mail showed various IBM entities implementing the new 
>cert over the next several months.  Here's where my confusion comes from.  
>What - if anything - do I need to do with this?  Looking at the cert in my 
>RACF database, it shows a start date of August 2013 - almost 10 years ago.   
>Am I missing something obvious that is a recent update or is IBM just being 
>extremely cautious with this change?  
>


IBM is changing the root and intermediate certificate authorities that sign 
their certificates.
According to this page:
https://www.ibm.com/support/pages/node/6997317
you may not have to do anything:

If you use the HTTPS download method and your certificate authority (CA) 
certificates are managed by the default z/OS Java truststore, then no action is 
required. For example, if your CLIENT XML input for the SMP/E RECEIVE command 
or the GIMGTPKG service routine contains the following, then no action is 
required:

<CLIENT
  downloadmethod="https"
  downloadkeyring="javatruststore"
  javahome="/usr/lpp/java/J8.0"
  >
</CLIENT>
No action is required because the DigiCert Global Root G2 certificate is 
already defined in the default Java truststore. However, if you use the FTPS 
download method, or if you choose to manage certificate authority (CA) root 
certificates in your z/OS security manager, then continue reading to learn 
about the actions you must take.

If that's not the case for your site, the page goes on to show detailed RACF 
commands to determine if you have the required root and intermediate 
certificates in your RACF database.

Dana
