Re: Please Read: Server Certificates Expiring - Soon!
Thanks. That's it. I hadn't realised the global cert had to be attached to the SMPEKeyring. Sorry! -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Please Read: Server Certificates Expiring - Soon!
On 1/23/2018 7:13 AM, Vince Getgood wrote: I have that in a different keyring - always have had, and it's always worked before. In my SMP/e ORDERSRVR data: - keyring="userid/SMPEKeyring" certificate="SMPE Client Certificate" in my FTP data options: - KEYRING IBMUSER/FtpSecur (don't blame me, this is the way it was set up when I got here!) Nope. The keyring identified in the must contain the certificate you request and download from Shopz, *AND* the appropriate certificate authority certificates for the order servers. As of today, that should include both the GeoTrust and the DigiCert CA certs. The keyring you identify in your FTP.DATA file only needs to contain the appropriate CA certificate for the download server. As of today, that is the GeoTrust CA. However, rather than identify a specific keyring in your FTP.DATA file, and worry about which CA certs are connected to that keyring, I recommend you use this to tell the ftp client to use as necessary any and all CA certificates in your security data base: keyring *AUTH*/* Kurt Quackenbush -- IBM, SMP/E Development -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Please Read: Server Certificates Expiring - Soon!
I have that in a different keyring - always have had, and it's always worked before. In my SMP/e ORDERSRVR data: - keyring="userid/SMPEKeyring" certificate="SMPE Client Certificate" in my FTP data options: - KEYRING IBMUSER/FtpSecur (don't blame me, this is the way it was set up when I got here!) Thanks. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Please Read: Server Certificates Expiring - Soon!
Vince Getgood wrote: >I spoke too soon! ;-) >I've added it to the keyring we use for smp/e recieves: - >Certificate Label NameCert Owner USAGE DEFAULT > --- > GeoTrust Global CACERTAUTH CERTAUTHYES > DigiCert Global Root CA CERTAUTH CERTAUTHNO Where is Cert nr 3? The one which you request from the zShop website? You need to download that and then add that to your KeyRing. >What have I missed? You probably missed Cert nr 3 which you should receive from IBM in a PKCS #12 format. My ring (the 'One Ring to Rule Them all' ;-D ) is looking like this one (I like to use the CA names just as they are distributed.) Ring: >...< Certificate Label Name Cert Owner USAGE DEFAULT --- .. ID(.) CERTAUTH NO DigiCert Global Root CACERTAUTH CERTAUTH NO GeoTrust GlobalCERTAUTH CERTAUTH NO HTH! Groete / Greetings Elardus Engelbrecht -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Please Read: Server Certificates Expiring - Soon!
I spoke too soon! I've followed the steps on the flash, and my RACF database shows: - Label:DigiCert Global Root CA Certificate ID:2QiJmZmDhZmjgcSJh4nDhZmjQMeTloKBk0DZlpajQMPB Status:TRUST Start Date:2006/11/10 00:30:00 End Date: 2031/11/10 00:30:00 Serial Number:083BE056904246B1A1756AC95991C74A Issuer's Name:CN=DigiCert Global Root CA.OU=www.digicert.com.O=DigiCert Inc.C=US I've added it to the keyring we use for smp/e recieves: - Ring: FtpSecur Certificate Label NameCert Owner USAGE DEFAULT --- GeoTrust Global CACERTAUTH CERTAUTHYES DigiCert Global Root CA CERTAUTH CERTAUTHNO I've refreshed DIGTCERT & DIGTRING - but my recieve still fails, telling me the certificate isn't trusted: - javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; What have I missed? TIA -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Please Read: Server Certificates Expiring - Soon!
Excellent. Thanks for that. It worked for me. They obviously didn't want to make it easy!! -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Please Read: Server Certificates Expiring - Soon!
Vince Getgood wrote: >ok, stupid question time. It is not a stupid question! Like with many others, this is can be sometimes a struggle! >I've not done this before. I'm attempting to follow the instructions in the >flash document, but fall at the first hurdle... >How, exactly, do I "download" the certificate to my workstation? Look at Alva Nim's kind reply to the thread 'Re: Update: Server Certificates Expiring - Sooner!'. (Watch the subject which is somewhat different to this thread.) HTH! Groete / Greetings Elardus Engelbrecht -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Please Read: Server Certificates Expiring - Soon!
ok, stupid question time. I've not done this before. I'm attempting to follow the instructions in the flash document, but fall at the first hurdle... How, exactly, do I "download" the certificate to my workstation? I tried to copy the text at the link and pasted to a .txt document, but when I binary FTP the resultant file up to my z/OS system, and then try to add it to the RACF database, I get: - IRRD104I The input data set does not contain a valid certificate. Which suggests to me that something went wrong in the copy / ftp process. What's the correct method? (yes, the file on my z/OS system is LRECL 256, and RECFM VB) -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Please Read: Server Certificates Expiring - Soon!
Please pardon the interruption for a brief comment. In case it is not completely obvious, the Digicert acquisition of the Geotrust CA also affects Verisign certificates. We have already encountered this issue (last week) with another business partner that used a certificate signed by a Verisign CA. When they renewed their cert, it was now signed by a Digicent CA, thus requiring us to ADD a new CA certificate in order to maintain the sessions. If you or a business partner are using Verisign certs, you might see this issue again.. Hth Tony -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Tom Conley Sent: Tuesday, January 16, 2018 7:48 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Please Read: Server Certificates Expiring - Soon! On 1/16/2018 4:21 PM, John Eells wrote: > Tom Conley wrote: >> On 1/16/2018 2:47 PM, John Eells wrote: >>> Jousma, David wrote: >>>> WSC has published! >>>> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/FLASH1 >>>> 0884 >>> >>> Indeed, and you beat me to it! Many thanks for Kurt Quackenbush for >>> writing it, and Riaz Ahmad for getting it formatted as a Flash and >>> getting it posted to the WSC's website. >>> >> >> I've only had the problem since 1/11/18. Good to know the alert is >> out >> 5 days later, g... >> > > The storied West Point and Officer's Candidate School response to "Why > did you make that mistake?" is appropriate here: "No excuse, sir." > > On behalf of IBM, I apologize to all for the late notification. > > Going forward, we are trying hard to make sure we understand and > communicate all the impacts as rapidly as we can. The team that > maintains the servers will probably replace the server certificates > that expire in May some time in April. Thus far, we know of no > impacts before April, but that's not yet any guarantee there will be > none before that date. > The moral of the story is to update your CA certs ASAP per the instructions in the Alert. I followed the directions to reinstall the new CA cert and viola! RECEIVE ORDER began to work again, as if by magic! Regards, Tom Conley -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: [EXTERNAL] Re: Please Read: Server Certificates Expiring - Soon!
Is there a way to subscribe to TechDocs? Some of them are really fun to read. A feed to https://www-03.ibm.com/support/techdocs/atsmastr.nsf/Web/TD-ByDate would be great! Can be made a part of the 'My Notifications' maybe..? – Vignesh Mainframe Infrastructure -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Jousma, David Sent: 16 January 2018 19:17 To: IBM-MAIN@LISTSERV.UA.EDU Subject: [EXTERNAL] Re: Please Read: Server Certificates Expiring - Soon! WSC has published! http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/FLASH10884 _ Dave Jousma Manager Mainframe Engineering, Assistant Vice President david.jou...@53.com 1830 East Paris, Grand Rapids, MI 49546 MD RSCB2H p 616.653.8429 f 616.653.2717 -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of John Eells Sent: Monday, January 15, 2018 8:59 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Please Read: Server Certificates Expiring - Soon! **CAUTION EXTERNAL EMAIL** **DO NOT open attachments or click on links from unknown senders or unexpected emails** Last week, one of the RECEIVE ORDER server certificates expired. The other IBM servers you use for getting products and service, and those for the testcase, ecurep, and Blue Diamond servers will also expire over the next several months. Normally, impending expiration is not be a big deal; IBM just gets new certificates ahead of the expiration dates, and you never notice. However, as I understand it, DigiCert acquired GeoTrust. All the IBM server certificates in question are GeoTrust certificates. There is rather more to the story, but the net is that IBM will replace all its GeoTrust certificates with new ones from DigiCert. This has already been done for one RECEIVE ORDER server, eccgw02.rochester.ibm.com. The GeoTrust CA certificate will no longer work with this server. To continue to use the servers as the certificates are replaced with new ones from DigiCert, you will need to get and install a new DigiCert Global Root CA certificate. If you use the eccgw02.rochester.ibm.com RECEIVE order server, you can buy some time by using eccgw01.boulder.ibm.com instead until you get the new CA certificate. Look for a WSC Flash later today (I hope) with more-detailed information and instructions. We will update it as we learn more, but the next deadline is some time in April, when we are likely to replace additional server certificates. As I understand it, they must all be done by August. We believe the required action, to get and install a new DigiCert Global Root CA certificate, will not change. My recommendation is that you start the process to do that soon so that you do not lose access to the IBM servers. -- John Eells IBM Poughkeepsie ee...@us.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN **CAUTION EXTERNAL EMAIL** **DO NOT open attachments or click on links from unknown senders or unexpected emails** This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN MARKSANDSPENCER.COM Unless otherwise stated above: Marks and Spencer plc Registered Office: Waterside House 35 North Wharf Road London W2 1NW Registered No. 214436 in England and Wales. Telephone (020) 7935 4422 Facsimile (020) 7487 2670 www.marksandspencer.com Please note that electronic mail may be monitored. This e-mail is confidential. If you received it by mistake, please let us know and then delete it from your system; you should not copy, disclose, or distribute its contents to anyone nor act in reliance on this e-mail, as this is prohibited and may be unlawful. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Please Read: Server Certificates Expiring - Soon!
On 1/16/2018 4:21 PM, John Eells wrote: Tom Conley wrote: On 1/16/2018 2:47 PM, John Eells wrote: Jousma, David wrote: WSC has published! http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/FLASH10884 Indeed, and you beat me to it! Many thanks for Kurt Quackenbush for writing it, and Riaz Ahmad for getting it formatted as a Flash and getting it posted to the WSC's website. I've only had the problem since 1/11/18. Good to know the alert is out 5 days later, g... The storied West Point and Officer's Candidate School response to "Why did you make that mistake?" is appropriate here: "No excuse, sir." On behalf of IBM, I apologize to all for the late notification. Going forward, we are trying hard to make sure we understand and communicate all the impacts as rapidly as we can. The team that maintains the servers will probably replace the server certificates that expire in May some time in April. Thus far, we know of no impacts before April, but that's not yet any guarantee there will be none before that date. The moral of the story is to update your CA certs ASAP per the instructions in the Alert. I followed the directions to reinstall the new CA cert and viola! RECEIVE ORDER began to work again, as if by magic! Regards, Tom Conley -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Please Read: Server Certificates Expiring - Soon!
Tom Conley wrote: On 1/16/2018 2:47 PM, John Eells wrote: Jousma, David wrote: WSC has published! http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/FLASH10884 Indeed, and you beat me to it! Many thanks for Kurt Quackenbush for writing it, and Riaz Ahmad for getting it formatted as a Flash and getting it posted to the WSC's website. I've only had the problem since 1/11/18. Good to know the alert is out 5 days later, g... The storied West Point and Officer's Candidate School response to "Why did you make that mistake?" is appropriate here: "No excuse, sir." On behalf of IBM, I apologize to all for the late notification. Going forward, we are trying hard to make sure we understand and communicate all the impacts as rapidly as we can. The team that maintains the servers will probably replace the server certificates that expire in May some time in April. Thus far, we know of no impacts before April, but that's not yet any guarantee there will be none before that date. -- John Eells IBM Poughkeepsie ee...@us.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Please Read: Server Certificates Expiring - Soon!
Mmm, we all do what we can. Charles -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Edward Gould Sent: Tuesday, January 16, 2018 11:56 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Please Read: Server Certificates Expiring - Soon! Charles, could have used this a couple of years ago. Ed -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Please Read: Server Certificates Expiring - Soon!
On 1/15/2018 8:58 AM, John Eells wrote: Last week, one of the RECEIVE ORDER server certificates expired. The other IBM servers you use for getting products and service, and those for the testcase, ecurep, and Blue Diamond servers will also expire over the next several months. Normally, impending expiration is not be a big deal; IBM just gets new certificates ahead of the expiration dates, and you never notice. However, as I understand it, DigiCert acquired GeoTrust. All the IBM server certificates in question are GeoTrust certificates. There is rather more to the story, but the net is that IBM will replace all its GeoTrust certificates with new ones from DigiCert. This has already been done for one RECEIVE ORDER server, eccgw02.rochester.ibm.com. The GeoTrust CA certificate will no longer work with this server. To continue to use the servers as the certificates are replaced with new ones from DigiCert, you will need to get and install a new DigiCert Global Root CA certificate. If you use the eccgw02.rochester.ibm.com RECEIVE order server, you can buy some time by using eccgw01.boulder.ibm.com instead until you get the new CA certificate. Look for a WSC Flash later today (I hope) with more-detailed information and instructions. We will update it as we learn more, but the next deadline is some time in April, when we are likely to replace additional server certificates. As I understand it, they must all be done by August. We believe the required action, to get and install a new DigiCert Global Root CA certificate, will not change. My recommendation is that you start the process to do that soon so that you do not lose access to the IBM servers. This should not have been done without prior notice. I wasted many hours trying to figure out what the error was here. It did not help that I installed new Java maintenance on 1/9, and then the cert expired on 1/11, and then the alert was issued today. We deserve better from IBM. Regards, Tom Conley -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Please Read: Server Certificates Expiring - Soon!
On 1/16/2018 2:47 PM, John Eells wrote: Jousma, David wrote: WSC has published! http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/FLASH10884 Indeed, and you beat me to it! Many thanks for Kurt Quackenbush for writing it, and Riaz Ahmad for getting it formatted as a Flash and getting it posted to the WSC's website. I've only had the problem since 1/11/18. Good to know the alert is out 5 days later, g... Regards, Tom Conley -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Please Read: Server Certificates Expiring - Soon!
For Top Secret shops, the TSS commands are: Add to CERTAUTH: tss add(certauth) digicert(DigiGRCA) + dcdsn(cert.certauth.digigrca)+ lablcert('DigiCert Global Root CA') + trust target(=) And for each SMPE user: tss add(userid) keyring(SMPRing) + ringdata(certauth,DigiGRCA) + usage(certauth) target(=) Tom Chicklon Lead Systems Programmer Information Technology – Mainframe Engineering Fifth Third Bank thomas.chick...@53.com --- Jousma, David wrote: > WSC has published! > http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/FLASH10884 Indeed, and you beat me to it! Many thanks for Kurt Quackenbush for writing it, and Riaz Ahmad for getting it formatted as a Flash and getting it posted to the WSC's website. -- This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Please Read: Server Certificates Expiring - Soon!
> On Jan 15, 2018, at 9:05 AM, Charles Millswrote: > > May I hijack this thread to say that if you find the whole certificate thing > somewhere between mysterious and annoying, let me suggest three sessions at > SHARE, coming up in less than two months in Sacramento. Our goal for the > sessions is to take away the mystery and thereby perhaps make certificates > less annoying. > > Monday, March 12, 4:30 PM - 5:30 PM > Digital Certificates -- How they Really Work, Part 1 of 3 >Room: Room 304/305 >Session Number: 21967 >Speaker: Charles Mills > > Tuesday, March 13, 11:15 AM - 12:15 PM > Digital Certificates - Real-World Usage on z/OS, Part 2 of 3 >Room: Regency B >Session Number: 22476 >Speaker: Phil Smith III > > Tuesday, March 13, 4:30 PM - 5:30 PM > Digital Certificates - Lifecycle Managment on z/OS, Part 3 of 3 >Room: Room 304/305 >Session Number: 22470 >Speaker: Ross Cooper > > Charles Charles, could have used this a couple of years ago. Ed -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Please Read: Server Certificates Expiring - Soon!
Jousma, David wrote: WSC has published! http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/FLASH10884 Indeed, and you beat me to it! Many thanks for Kurt Quackenbush for writing it, and Riaz Ahmad for getting it formatted as a Flash and getting it posted to the WSC's website. -- John Eells IBM Poughkeepsie ee...@us.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Please Read: Server Certificates Expiring - Soon!
WSC has published! http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/FLASH10884 _ Dave Jousma Manager Mainframe Engineering, Assistant Vice President david.jou...@53.com 1830 East Paris, Grand Rapids, MI 49546 MD RSCB2H p 616.653.8429 f 616.653.2717 -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of John Eells Sent: Monday, January 15, 2018 8:59 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Please Read: Server Certificates Expiring - Soon! **CAUTION EXTERNAL EMAIL** **DO NOT open attachments or click on links from unknown senders or unexpected emails** Last week, one of the RECEIVE ORDER server certificates expired. The other IBM servers you use for getting products and service, and those for the testcase, ecurep, and Blue Diamond servers will also expire over the next several months. Normally, impending expiration is not be a big deal; IBM just gets new certificates ahead of the expiration dates, and you never notice. However, as I understand it, DigiCert acquired GeoTrust. All the IBM server certificates in question are GeoTrust certificates. There is rather more to the story, but the net is that IBM will replace all its GeoTrust certificates with new ones from DigiCert. This has already been done for one RECEIVE ORDER server, eccgw02.rochester.ibm.com. The GeoTrust CA certificate will no longer work with this server. To continue to use the servers as the certificates are replaced with new ones from DigiCert, you will need to get and install a new DigiCert Global Root CA certificate. If you use the eccgw02.rochester.ibm.com RECEIVE order server, you can buy some time by using eccgw01.boulder.ibm.com instead until you get the new CA certificate. Look for a WSC Flash later today (I hope) with more-detailed information and instructions. We will update it as we learn more, but the next deadline is some time in April, when we are likely to replace additional server certificates. As I understand it, they must all be done by August. We believe the required action, to get and install a new DigiCert Global Root CA certificate, will not change. My recommendation is that you start the process to do that soon so that you do not lose access to the IBM servers. -- John Eells IBM Poughkeepsie ee...@us.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN **CAUTION EXTERNAL EMAIL** **DO NOT open attachments or click on links from unknown senders or unexpected emails** This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Please Read: Server Certificates Expiring - Soon!
May I hijack this thread to say that if you find the whole certificate thing somewhere between mysterious and annoying, let me suggest three sessions at SHARE, coming up in less than two months in Sacramento. Our goal for the sessions is to take away the mystery and thereby perhaps make certificates less annoying. Monday, March 12, 4:30 PM - 5:30 PM Digital Certificates -- How they Really Work, Part 1 of 3 Room: Room 304/305 Session Number: 21967 Speaker: Charles Mills Tuesday, March 13, 11:15 AM - 12:15 PM Digital Certificates - Real-World Usage on z/OS, Part 2 of 3 Room: Regency B Session Number: 22476 Speaker: Phil Smith III Tuesday, March 13, 4:30 PM - 5:30 PM Digital Certificates - Lifecycle Managment on z/OS, Part 3 of 3 Room: Room 304/305 Session Number: 22470 Speaker: Ross Cooper Charles -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of John Eells Sent: Monday, January 15, 2018 5:59 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Please Read: Server Certificates Expiring - Soon! Last week, one of the RECEIVE ORDER server certificates expired. The other IBM servers you use for getting products and service, and those for the testcase, ecurep, and Blue Diamond servers will also expire over the next several months. Normally, impending expiration is not be a big deal; IBM just gets new certificates ahead of the expiration dates, and you never notice. However, as I understand it, DigiCert acquired GeoTrust. All the IBM server certificates in question are GeoTrust certificates. There is rather more to the story, but the net is that IBM will replace all its GeoTrust certificates with new ones from DigiCert. This has already been done for one RECEIVE ORDER server, eccgw02.rochester.ibm.com. The GeoTrust CA certificate will no longer work with this server. To continue to use the servers as the certificates are replaced with new ones from DigiCert, you will need to get and install a new DigiCert Global Root CA certificate. If you use the eccgw02.rochester.ibm.com RECEIVE order server, you can buy some time by using eccgw01.boulder.ibm.com instead until you get the new CA certificate. Look for a WSC Flash later today (I hope) with more-detailed information and instructions. We will update it as we learn more, but the next deadline is some time in April, when we are likely to replace additional server certificates. As I understand it, they must all be done by August. We believe the required action, to get and install a new DigiCert Global Root CA certificate, will not change. My recommendation is that you start the process to do that soon so that you do not lose access to the IBM servers. -- John Eells IBM Poughkeepsie ee...@us.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Please Read: Server Certificates Expiring - Soon!
Last week, one of the RECEIVE ORDER server certificates expired. The other IBM servers you use for getting products and service, and those for the testcase, ecurep, and Blue Diamond servers will also expire over the next several months. Normally, impending expiration is not be a big deal; IBM just gets new certificates ahead of the expiration dates, and you never notice. However, as I understand it, DigiCert acquired GeoTrust. All the IBM server certificates in question are GeoTrust certificates. There is rather more to the story, but the net is that IBM will replace all its GeoTrust certificates with new ones from DigiCert. This has already been done for one RECEIVE ORDER server, eccgw02.rochester.ibm.com. The GeoTrust CA certificate will no longer work with this server. To continue to use the servers as the certificates are replaced with new ones from DigiCert, you will need to get and install a new DigiCert Global Root CA certificate. If you use the eccgw02.rochester.ibm.com RECEIVE order server, you can buy some time by using eccgw01.boulder.ibm.com instead until you get the new CA certificate. Look for a WSC Flash later today (I hope) with more-detailed information and instructions. We will update it as we learn more, but the next deadline is some time in April, when we are likely to replace additional server certificates. As I understand it, they must all be done by August. We believe the required action, to get and install a new DigiCert Global Root CA certificate, will not change. My recommendation is that you start the process to do that soon so that you do not lose access to the IBM servers. -- John Eells IBM Poughkeepsie ee...@us.ibm.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN