Re: Please Read: Server Certificates Expiring - Soon!

2018-01-23 Thread Vince Getgood 
Thanks.
That's it.  I hadn't realised the global cert had to be attached to the 
SMPEKeyring.

Sorry!

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Please Read: Server Certificates Expiring - Soon!

2018-01-23 Thread Kurt Quackenbush 

On 1/23/2018 7:13 AM, Vince Getgood wrote:

I have that in a different keyring - always have had, and it's always worked 
before.

In my SMP/e ORDERSRVR data: -

keyring="userid/SMPEKeyring"
certificate="SMPE Client Certificate"

in my FTP data options: -

KEYRING   IBMUSER/FtpSecur

(don't blame me, this is the way it was set up when I got here!)


Nope.  The keyring identified in the  must contain the 
certificate you request and download from Shopz, *AND* the appropriate 
certificate authority certificates for the order servers.  As of today, 
that should include both the GeoTrust and the DigiCert CA certs.


The keyring you identify in your FTP.DATA file only needs to contain the 
appropriate CA certificate for the download server.  As of today, that 
is the GeoTrust CA.


However, rather than identify a specific keyring in your FTP.DATA file, 
and worry about which CA certs are connected to that keyring, I 
recommend you use this to tell the ftp client to use as necessary any 
and all CA certificates in your security data base:


keyring *AUTH*/*

Kurt Quackenbush -- IBM, SMP/E Development

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Please Read: Server Certificates Expiring - Soon!

2018-01-23 Thread Vince Getgood 
I have that in a different keyring - always have had, and it's always worked 
before.

In my SMP/e ORDERSRVR data: -

keyring="userid/SMPEKeyring"
certificate="SMPE Client Certificate"

in my FTP data options: -

KEYRING   IBMUSER/FtpSecur

(don't blame me, this is the way it was set up when I got here!)

Thanks.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Please Read: Server Certificates Expiring - Soon!

2018-01-23 Thread Elardus Engelbrecht 
Vince Getgood wrote:

>I spoke too soon!

;-)

>I've added it to the keyring we use for smp/e recieves: -

>Certificate Label NameCert Owner   USAGE   DEFAULT 
>  ---  
> GeoTrust Global CACERTAUTH CERTAUTHYES
> DigiCert Global Root CA   CERTAUTH CERTAUTHNO 

Where is Cert nr 3? The one which you request from the zShop website?

You need to download that and then add that to your KeyRing.


>What have I missed?

You probably missed Cert nr 3 which you should receive from IBM in a PKCS #12 
format.

My ring (the 'One Ring to Rule Them all' ;-D ) is looking like this one (I like 
to use the CA names just as they are distributed.)

Ring:  >...<
Certificate Label Name Cert Owner USAGE  DEFAULT
         ---
.. ID(.)  CERTAUTH NO   
DigiCert Global Root CACERTAUTH   CERTAUTH NO   
GeoTrust GlobalCERTAUTH   CERTAUTH NO   

HTH!

Groete / Greetings
Elardus Engelbrecht

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Please Read: Server Certificates Expiring - Soon!

2018-01-23 Thread Vince Getgood 
I spoke too soon!
I've followed the steps on the flash, and my RACF database shows: -

Label:DigiCert Global Root CA  
Certificate ID:2QiJmZmDhZmjgcSJh4nDhZmjQMeTloKBk0DZlpajQMPB
Status:TRUST   
Start Date:2006/11/10 00:30:00 
End Date:  2031/11/10 00:30:00 
Serial Number:083BE056904246B1A1756AC95991C74A 

Issuer's Name:CN=DigiCert Global Root CA.OU=www.digicert.com.O=DigiCert 
Inc.C=US

I've added it to the keyring we use for smp/e recieves: -

Ring:  
 FtpSecur  
   
   
   
   
Certificate Label NameCert Owner   USAGE   DEFAULT 
  ---  
 GeoTrust Global CACERTAUTH CERTAUTHYES
 DigiCert Global Root CA   CERTAUTH CERTAUTHNO 

I've refreshed DIGTCERT & DIGTRING - but my recieve still fails, telling me the 
certificate isn't trusted: -

javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building 
failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl 
could not build a valid CertPath.; 
internal cause is: java.security.cert.CertPathValidatorException: 
The certificate issued by CN=DigiCert Global Root CA, OU=www.digicert.com, 
O=DigiCert Inc, C=US is not trusted; 

What have I missed?

TIA

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Please Read: Server Certificates Expiring - Soon!

2018-01-23 Thread Vince Getgood 
Excellent.  Thanks for that.  It worked for me.

They obviously didn't want to make it easy!!

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Please Read: Server Certificates Expiring - Soon!

2018-01-23 Thread Elardus Engelbrecht 
Vince Getgood wrote:

>ok, stupid question time.

It is not a stupid question! Like with many others, this is can be sometimes a 
struggle!

>I've not done this before.  I'm attempting to follow the instructions in the 
>flash document, but fall at the first hurdle...
>How, exactly, do I "download" the certificate to my workstation?  

Look at Alva Nim's kind reply to the thread 'Re: Update: Server Certificates 
Expiring - Sooner!'.

(Watch the subject which is somewhat different to this thread.)
 
HTH!

Groete / Greetings
Elardus Engelbrecht

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Please Read: Server Certificates Expiring - Soon!

2018-01-23 Thread Vince Getgood 
ok, stupid question time.

I've not done this before.  I'm attempting to follow the instructions in the 
flash document, but fall at the first hurdle...

How, exactly, do I "download" the certificate to my workstation?  

I tried to copy the text at the link and pasted to a .txt document, but when I 
binary FTP the resultant file up to my z/OS system, and then try to add it to 
the RACF database, I get: -

IRRD104I The input data set does not contain a valid certificate.

Which suggests to me that something went wrong in the copy / ftp process.

What's the correct method?  (yes, the file on my z/OS system is LRECL 256, and 
RECFM VB)

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Please Read: Server Certificates Expiring - Soon!

2018-01-17 Thread Cieri, Anthony 

Please pardon the interruption for a brief comment. 

In case it is not completely obvious, the Digicert acquisition of the  
Geotrust CA also affects Verisign certificates. We have already encountered 
this issue (last week) with another business partner that used a certificate 
signed by a Verisign CA. When they renewed their cert, it was now signed by a 
Digicent CA, thus requiring us to ADD a new CA certificate in order to maintain 
the sessions.

If you or a business partner are using Verisign certs, you might see 
this issue again..

Hth
Tony

 

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Tom Conley
Sent: Tuesday, January 16, 2018 7:48 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Please Read: Server Certificates Expiring - Soon!

On 1/16/2018 4:21 PM, John Eells wrote:
> Tom Conley wrote:
>> On 1/16/2018 2:47 PM, John Eells wrote:
>>> Jousma, David wrote:
>>>> WSC has published!
>>>> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/FLASH1
>>>> 0884
>>>
>>> Indeed, and you beat me to it!  Many thanks for Kurt Quackenbush for 
>>> writing it, and Riaz Ahmad for getting it formatted as a Flash and 
>>> getting it posted to the WSC's website.
>>>
>>
>> I've only had the problem since 1/11/18.  Good to know the alert is 
>> out
>> 5 days later, g...
>>
> 
> The storied West Point and Officer's Candidate School response to "Why 
> did you make that mistake?" is appropriate here: "No excuse, sir."
> 
> On behalf of IBM, I apologize to all for the late notification.
> 
> Going forward, we are trying hard to make sure we understand and 
> communicate all the impacts as rapidly as we can.  The team that 
> maintains the servers will probably replace the server certificates 
> that expire in May some time in April.  Thus far, we know of no 
> impacts before April, but that's not yet any guarantee there will be 
> none before that date.
> 

The moral of the story is to update your CA certs ASAP per the instructions in 
the Alert.  I followed the directions to reinstall the new CA cert and viola!  
RECEIVE ORDER began to work again, as if by magic!

Regards,
Tom Conley

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: [EXTERNAL] Re: Please Read: Server Certificates Expiring - Soon!

2018-01-17 Thread Sankaranarayanan, Vignesh 
Is there a way to subscribe to TechDocs?
Some of them are really fun to read.

A feed to https://www-03.ibm.com/support/techdocs/atsmastr.nsf/Web/TD-ByDate 
would be great! Can be made a part of the 'My Notifications' maybe..?

– Vignesh
Mainframe Infrastructure

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Jousma, David
Sent: 16 January 2018 19:17
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: Please Read: Server Certificates Expiring - Soon!

WSC has published!  
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/FLASH10884

_
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H p 616.653.8429 f 616.653.2717


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of John Eells
Sent: Monday, January 15, 2018 8:59 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Please Read: Server Certificates Expiring - Soon!

**CAUTION EXTERNAL EMAIL**

**DO NOT open attachments or click on links from unknown senders or unexpected 
emails**

Last week, one of the RECEIVE ORDER server certificates expired.  The other IBM 
servers you use for getting products and service, and those for the testcase, 
ecurep, and Blue Diamond servers will also expire over the next several months.

Normally, impending expiration is not be a big deal; IBM just gets new 
certificates ahead of the expiration dates, and you never notice.
However, as I understand it, DigiCert acquired GeoTrust.  All the IBM server 
certificates in question are GeoTrust certificates.  There is rather more to 
the story, but the net is that IBM will replace all its GeoTrust certificates 
with new ones from DigiCert.  This has already been done for one RECEIVE ORDER 
server, eccgw02.rochester.ibm.com.  The GeoTrust CA certificate will no longer 
work with this server.

To continue to use the servers as the certificates are replaced with new ones 
from DigiCert, you will need to get and install a new DigiCert Global Root CA 
certificate.

If you use the eccgw02.rochester.ibm.com RECEIVE order server, you can buy some 
time by using eccgw01.boulder.ibm.com instead until you get the new CA 
certificate.

Look for a WSC Flash later today (I hope) with more-detailed information and 
instructions.  We will update it as we learn more, but the next deadline is 
some time in April, when we are likely to replace additional server 
certificates.  As I understand it, they must all be done by August.

We believe the required action, to get and install a new DigiCert Global Root 
CA certificate, will not change.  My recommendation is that you start the 
process to do that soon so that you do not lose access to the IBM servers.

--
John Eells
IBM Poughkeepsie
ee...@us.ibm.com

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN **CAUTION EXTERNAL 
EMAIL**

**DO NOT open attachments or click on links from unknown senders or unexpected 
emails**

This e-mail transmission contains information that is confidential and may be 
privileged.   It is intended only for the addressee(s) named above. If you 
receive this e-mail in error, please do not read, copy or disseminate it in any 
manner. If you are not the intended recipient, any disclosure, copying, 
distribution or use of the contents of this information is prohibited. Please 
reply to the message immediately by informing the sender that the message was 
misdirected. After replying, please erase it from your computer system. Your 
assistance in correcting this error is appreciated.


--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

MARKSANDSPENCER.COM

 Unless otherwise stated above:
Marks and Spencer plc
Registered Office:
Waterside House
35 North Wharf Road
London
W2 1NW

Registered No. 214436 in England and Wales.

Telephone (020) 7935 4422
Facsimile (020) 7487 2670

www.marksandspencer.com

Please note that electronic mail may be monitored.

This e-mail is confidential. If you received it by mistake, please let us know 
and then delete it from your system; you should not copy, disclose, or 
distribute its contents to anyone nor act in reliance on this e-mail, as this 
is prohibited and may be unlawful.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Please Read: Server Certificates Expiring - Soon!

2018-01-16 Thread Tom Conley 

On 1/16/2018 4:21 PM, John Eells wrote:

Tom Conley wrote:

On 1/16/2018 2:47 PM, John Eells wrote:

Jousma, David wrote:

WSC has published!
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/FLASH10884


Indeed, and you beat me to it!  Many thanks for Kurt Quackenbush for
writing it, and Riaz Ahmad for getting it formatted as a Flash and
getting it posted to the WSC's website.



I've only had the problem since 1/11/18.  Good to know the alert is out
5 days later, g...



The storied West Point and Officer's Candidate School response to "Why 
did you make that mistake?" is appropriate here: "No excuse, sir."


On behalf of IBM, I apologize to all for the late notification.

Going forward, we are trying hard to make sure we understand and 
communicate all the impacts as rapidly as we can.  The team that 
maintains the servers will probably replace the server certificates that 
expire in May some time in April.  Thus far, we know of no impacts 
before April, but that's not yet any guarantee there will be none before 
that date.




The moral of the story is to update your CA certs ASAP per the 
instructions in the Alert.  I followed the directions to reinstall the 
new CA cert and viola!  RECEIVE ORDER began to work again, as if by magic!


Regards,
Tom Conley

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Please Read: Server Certificates Expiring - Soon!

2018-01-16 Thread John Eells 

Tom Conley wrote:

On 1/16/2018 2:47 PM, John Eells wrote:

Jousma, David wrote:

WSC has published!
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/FLASH10884


Indeed, and you beat me to it!  Many thanks for Kurt Quackenbush for
writing it, and Riaz Ahmad for getting it formatted as a Flash and
getting it posted to the WSC's website.



I've only had the problem since 1/11/18.  Good to know the alert is out
5 days later, g...



The storied West Point and Officer's Candidate School response to "Why 
did you make that mistake?" is appropriate here: "No excuse, sir."


On behalf of IBM, I apologize to all for the late notification.

Going forward, we are trying hard to make sure we understand and 
communicate all the impacts as rapidly as we can.  The team that 
maintains the servers will probably replace the server certificates that 
expire in May some time in April.  Thus far, we know of no impacts 
before April, but that's not yet any guarantee there will be none before 
that date.


--
John Eells
IBM Poughkeepsie
ee...@us.ibm.com

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Please Read: Server Certificates Expiring - Soon!

2018-01-16 Thread Charles Mills 
Mmm, we all do what we can.

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Edward Gould
Sent: Tuesday, January 16, 2018 11:56 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Please Read: Server Certificates Expiring - Soon!


Charles,
could have used this a couple of years ago.
Ed
--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Please Read: Server Certificates Expiring - Soon!

2018-01-16 Thread Tom Conley 

On 1/15/2018 8:58 AM, John Eells wrote:
Last week, one of the RECEIVE ORDER server certificates expired.  The 
other IBM servers you use for getting products and service, and those 
for the testcase, ecurep, and Blue Diamond servers will also expire over 
the next several months.


Normally, impending expiration is not be a big deal; IBM just gets new 
certificates ahead of the expiration dates, and you never notice. 
However, as I understand it, DigiCert acquired GeoTrust.  All the IBM 
server certificates in question are GeoTrust certificates.  There is 
rather more to the story, but the net is that IBM will replace all its 
GeoTrust certificates with new ones from DigiCert.  This has already 
been done for one RECEIVE ORDER server, eccgw02.rochester.ibm.com.  The 
GeoTrust CA certificate will no longer work with this server.


To continue to use the servers as the certificates are replaced with new 
ones from DigiCert, you will need to get and install a new DigiCert 
Global Root CA certificate.


If you use the eccgw02.rochester.ibm.com RECEIVE order server, you can 
buy some time by using eccgw01.boulder.ibm.com instead until you get the 
new CA certificate.


Look for a WSC Flash later today (I hope) with more-detailed information 
and instructions.  We will update it as we learn more, but the next 
deadline is some time in April, when we are likely to replace additional 
server certificates.  As I understand it, they must all be done by August.


We believe the required action, to get and install a new DigiCert Global 
Root CA certificate, will not change.  My recommendation is that you 
start the process to do that soon so that you do not lose access to the 
IBM servers.




This should not have been done without prior notice.  I wasted many 
hours trying to figure out what the error was here.  It did not help 
that I installed new Java maintenance on 1/9, and then the cert expired 
on 1/11, and then the alert was issued today.  We deserve better from IBM.


Regards,
Tom Conley

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Please Read: Server Certificates Expiring - Soon!

2018-01-16 Thread Tom Conley 

On 1/16/2018 2:47 PM, John Eells wrote:

Jousma, David wrote:
WSC has published!  
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/FLASH10884


Indeed, and you beat me to it!  Many thanks for Kurt Quackenbush for 
writing it, and Riaz Ahmad for getting it formatted as a Flash and 
getting it posted to the WSC's website.




I've only had the problem since 1/11/18.  Good to know the alert is out 
5 days later, g...


Regards,
Tom Conley

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Please Read: Server Certificates Expiring - Soon!

2018-01-16 Thread Chicklon, Thomas 
For Top Secret shops, the TSS commands are:

Add to CERTAUTH:
tss add(certauth) digicert(DigiGRCA) +  
dcdsn(cert.certauth.digigrca)+  
lablcert('DigiCert Global Root CA')  +  
trust target(=) 

And for each SMPE user:
tss add(userid) keyring(SMPRing) +  
ringdata(certauth,DigiGRCA)  +  
usage(certauth) target(=)   


Tom Chicklon
Lead Systems Programmer
Information Technology – Mainframe Engineering
Fifth Third Bank
thomas.chick...@53.com

---

Jousma, David wrote:
> WSC has published!  
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/FLASH10884

Indeed, and you beat me to it!  Many thanks for Kurt Quackenbush for writing 
it, and Riaz Ahmad for getting it formatted as a Flash and getting it posted to 
the WSC's website.

--

This e-mail transmission contains information that is confidential and may be 
privileged.   It is intended only for the addressee(s) named above. If you 
receive this e-mail in error, please do not read, copy or disseminate it in any 
manner. If you are not the intended recipient, any disclosure, copying, 
distribution or use of the contents of this information is prohibited. Please 
reply to the message immediately by informing the sender that the message was 
misdirected. After replying, please erase it from your computer system. Your 
assistance in correcting this error is appreciated.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Please Read: Server Certificates Expiring - Soon!

2018-01-16 Thread Edward Gould 
> On Jan 15, 2018, at 9:05 AM, Charles Mills  wrote:
> 
> May I hijack this thread to say that if you find the whole certificate thing 
> somewhere between mysterious and annoying, let me suggest three sessions at 
> SHARE, coming up in less than two months in Sacramento. Our goal for the 
> sessions is to take away the mystery and thereby perhaps make certificates 
> less annoying.
> 
> Monday, March 12, 4:30 PM - 5:30 PM
> Digital Certificates -- How they Really Work, Part 1 of 3
>Room: Room 304/305
>Session Number: 21967
>Speaker: Charles Mills
> 
> Tuesday, March 13, 11:15 AM - 12:15 PM
> Digital Certificates - Real-World Usage on z/OS, Part 2 of 3
>Room: Regency B
>Session Number: 22476
>Speaker: Phil Smith III
> 
> Tuesday, March 13, 4:30 PM - 5:30 PM
> Digital Certificates - Lifecycle Managment on z/OS, Part 3 of 3
>Room: Room 304/305
>Session Number: 22470
>Speaker: Ross Cooper
> 
> Charles

Charles, 
could have used this a couple of years ago.
Ed
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Please Read: Server Certificates Expiring - Soon!

2018-01-16 Thread John Eells 

Jousma, David wrote:

WSC has published!  
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/FLASH10884


Indeed, and you beat me to it!  Many thanks for Kurt Quackenbush for 
writing it, and Riaz Ahmad for getting it formatted as a Flash and 
getting it posted to the WSC's website.


--
John Eells
IBM Poughkeepsie
ee...@us.ibm.com

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Please Read: Server Certificates Expiring - Soon!

2018-01-16 Thread Jousma, David 
WSC has published!  
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/FLASH10884

_
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President
david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H
p 616.653.8429
f 616.653.2717


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of John Eells
Sent: Monday, January 15, 2018 8:59 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Please Read: Server Certificates Expiring - Soon!

**CAUTION EXTERNAL EMAIL**

**DO NOT open attachments or click on links from unknown senders or unexpected 
emails**

Last week, one of the RECEIVE ORDER server certificates expired.  The other IBM 
servers you use for getting products and service, and those for the testcase, 
ecurep, and Blue Diamond servers will also expire over the next several months.

Normally, impending expiration is not be a big deal; IBM just gets new 
certificates ahead of the expiration dates, and you never notice. 
However, as I understand it, DigiCert acquired GeoTrust.  All the IBM server 
certificates in question are GeoTrust certificates.  There is rather more to 
the story, but the net is that IBM will replace all its GeoTrust certificates 
with new ones from DigiCert.  This has already been done for one RECEIVE ORDER 
server, eccgw02.rochester.ibm.com.  The GeoTrust CA certificate will no longer 
work with this server.

To continue to use the servers as the certificates are replaced with new ones 
from DigiCert, you will need to get and install a new DigiCert Global Root CA 
certificate.

If you use the eccgw02.rochester.ibm.com RECEIVE order server, you can buy some 
time by using eccgw01.boulder.ibm.com instead until you get the new CA 
certificate.

Look for a WSC Flash later today (I hope) with more-detailed information and 
instructions.  We will update it as we learn more, but the next deadline is 
some time in April, when we are likely to replace additional server 
certificates.  As I understand it, they must all be done by August.

We believe the required action, to get and install a new DigiCert Global Root 
CA certificate, will not change.  My recommendation is that you start the 
process to do that soon so that you do not lose access to the IBM servers.

--
John Eells
IBM Poughkeepsie
ee...@us.ibm.com

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN **CAUTION EXTERNAL 
EMAIL**

**DO NOT open attachments or click on links from unknown senders or unexpected 
emails**

This e-mail transmission contains information that is confidential and may be 
privileged.   It is intended only for the addressee(s) named above. If you 
receive this e-mail in error, please do not read, copy or disseminate it in any 
manner. If you are not the intended recipient, any disclosure, copying, 
distribution or use of the contents of this information is prohibited. Please 
reply to the message immediately by informing the sender that the message was 
misdirected. After replying, please erase it from your computer system. Your 
assistance in correcting this error is appreciated.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Please Read: Server Certificates Expiring - Soon!

2018-01-15 Thread Charles Mills 
May I hijack this thread to say that if you find the whole certificate thing 
somewhere between mysterious and annoying, let me suggest three sessions at 
SHARE, coming up in less than two months in Sacramento. Our goal for the 
sessions is to take away the mystery and thereby perhaps make certificates less 
annoying.

Monday, March 12, 4:30 PM - 5:30 PM
Digital Certificates -- How they Really Work, Part 1 of 3
Room: Room 304/305
Session Number: 21967
Speaker: Charles Mills

Tuesday, March 13, 11:15 AM - 12:15 PM
Digital Certificates - Real-World Usage on z/OS, Part 2 of 3
Room: Regency B
Session Number: 22476
Speaker: Phil Smith III

Tuesday, March 13, 4:30 PM - 5:30 PM
Digital Certificates - Lifecycle Managment on z/OS, Part 3 of 3
Room: Room 304/305
Session Number: 22470
Speaker: Ross Cooper

Charles

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of John Eells
Sent: Monday, January 15, 2018 5:59 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Please Read: Server Certificates Expiring - Soon!

Last week, one of the RECEIVE ORDER server certificates expired.  The other IBM 
servers you use for getting products and service, and those for the testcase, 
ecurep, and Blue Diamond servers will also expire over the next several months.

Normally, impending expiration is not be a big deal; IBM just gets new 
certificates ahead of the expiration dates, and you never notice. 
However, as I understand it, DigiCert acquired GeoTrust.  All the IBM server 
certificates in question are GeoTrust certificates.  There is rather more to 
the story, but the net is that IBM will replace all its GeoTrust certificates 
with new ones from DigiCert.  This has already been done for one RECEIVE ORDER 
server, eccgw02.rochester.ibm.com.  The GeoTrust CA certificate will no longer 
work with this server.

To continue to use the servers as the certificates are replaced with new ones 
from DigiCert, you will need to get and install a new DigiCert Global Root CA 
certificate.

If you use the eccgw02.rochester.ibm.com RECEIVE order server, you can buy some 
time by using eccgw01.boulder.ibm.com instead until you get the new CA 
certificate.

Look for a WSC Flash later today (I hope) with more-detailed information and 
instructions.  We will update it as we learn more, but the next deadline is 
some time in April, when we are likely to replace additional server 
certificates.  As I understand it, they must all be done by August.

We believe the required action, to get and install a new DigiCert Global Root 
CA certificate, will not change.  My recommendation is that you start the 
process to do that soon so that you do not lose access to the IBM servers.

--
John Eells
IBM Poughkeepsie
ee...@us.ibm.com

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Please Read: Server Certificates Expiring - Soon!

2018-01-15 Thread John Eells 
Last week, one of the RECEIVE ORDER server certificates expired.  The 
other IBM servers you use for getting products and service, and those 
for the testcase, ecurep, and Blue Diamond servers will also expire over 
the next several months.


Normally, impending expiration is not be a big deal; IBM just gets new 
certificates ahead of the expiration dates, and you never notice. 
However, as I understand it, DigiCert acquired GeoTrust.  All the IBM 
server certificates in question are GeoTrust certificates.  There is 
rather more to the story, but the net is that IBM will replace all its 
GeoTrust certificates with new ones from DigiCert.  This has already 
been done for one RECEIVE ORDER server, eccgw02.rochester.ibm.com.  The 
GeoTrust CA certificate will no longer work with this server.


To continue to use the servers as the certificates are replaced with new 
ones from DigiCert, you will need to get and install a new DigiCert 
Global Root CA certificate.


If you use the eccgw02.rochester.ibm.com RECEIVE order server, you can 
buy some time by using eccgw01.boulder.ibm.com instead until you get the 
new CA certificate.


Look for a WSC Flash later today (I hope) with more-detailed information 
and instructions.  We will update it as we learn more, but the next 
deadline is some time in April, when we are likely to replace additional 
server certificates.  As I understand it, they must all be done by August.


We believe the required action, to get and install a new DigiCert Global 
Root CA certificate, will not change.  My recommendation is that you 
start the process to do that soon so that you do not lose access to the 
IBM servers.


--
John Eells
IBM Poughkeepsie
ee...@us.ibm.com

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN