IBM Support

Avoiding SSL Certificate Expiration

Question & Answer


Question

Client or server software attempting to use Secure Sockets Layer (SSL) communication fails overnight. Examination of associated error messages or traces shows that the gsk_secure_socket_init() call returns a 401 result code (GSK_ERR_BAD_DATE). Possible affected applications are TN3270 server, FTP (server or client), Web server (IMWHTTPD), CICS, DB2 Connect, or TTLS.

Cause

Certificates used for Secure Sockets Layer (SSL) communication have an expiration date associated with them. Once that date (and time) has passed, SSL negotiation will fail.

Answer

Obtain an updated certificate and replace the existing certificate with the new one. If the certificate is supplied by a vendor, you must order the update from that vendor. If it was generated locally (including self-signed certificates), you must create a new one. You might have to distribute the updated certificates to other client/server systems as well, depending on the type of SSL negotiation being used.

To avoid this failure, renew certificates before they expire. Renewal updates are much simpler and less disruptive to process. Have your security administrator periodically run reports to list the certificates and their expiration dates.

If the RACF facility is being used as a certificate repository, the attached JCL (CertJCL.txt) can be used to list certificates in order of expiration date. The input to this job is an unloaded RACF database generated with the IRRDBU00 utility.
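
A similar report can be produced from the IRRDBU00 unload after it has been transferred off the host as text. The Python script below is an added example, not the contents of CertJCL.txt and not IBM code. It assumes that certificate data is carried in type 0560 records at the column positions shown, which you should check against the IRRDBU00 record layout for your release. The sample records and the `make_record` helper are constructed for illustration.

```python
from datetime import datetime, timedelta
# ASSUMPTION: 1-based inclusive columns of the IRRDBU00 type 0560 record
# (general resource certificate data). Check them against the record
# layout documented for your RACF release before relying on the output.
FIELDS = {"type": (1, 4), "name": (6, 251), "class": (253, 260),
          "end_date": (282, 291), "end_time": (293, 300)}

def field(line, key):
    start, end = FIELDS[key]
    return line[start - 1:end].strip()

def parse_certificates(lines):
    """Return (certs sorted by expiry, names whose end date did not parse)."""
    certs, unparsed = [], []
    for line in lines:
        if field(line, "type") != "0560":
            continue  # every other record type in the unload is ignored
        stamp = field(line, "end_date") + " " + field(line, "end_time")
        try:
            certs.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                          field(line, "name")))
        except ValueError:
            unparsed.append(field(line, "name"))  # report, never drop silently
    return sorted(certs), unparsed

def expiring(certs, now, days=60):
    """Certificates already expired or expiring within `days` of `now`."""
    cutoff = now + timedelta(days=days)
    return [(exp, name, exp <= now) for exp, name in certs if exp <= cutoff]

def make_record(rtype, name, end_date, end_time):
    line = [" "] * 300  # constructed fixed-width record for the sample below
    for key, value in (("type", rtype), ("name", name), ("class", "DIGTCERT"),
                       ("end_date", end_date), ("end_time", end_time)):
        start = FIELDS[key][0] - 1
        line[start:start + len(value)] = value
    return "".join(line)

# Constructed sample data, not taken from a real RACF database.
SAMPLE = [
    make_record("0560", "01.CN=CONSTRUCTED-CA", "2030-01-01", "00:00:00"),
    make_record("0560", "02.CN=CONSTRUCTED-CA", "2024-03-10", "23:59:59"),
    make_record("0500", "SOME.OTHER.PROFILE", "", ""),
    make_record("0560", "03.CN=CONSTRUCTED-CA", "2024-02-01", "12:00:00"),
]

if __name__ == "__main__":
    for row in expiring(parse_certificates(SAMPLE)[0], datetime(2024, 2, 15)):
        print(row[0].isoformat(), "EXPIRED" if row[2] else "due", row[1])
```

Records whose end date cannot be parsed are returned separately so that a certificate is never silently left out of the report.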

Related Information

CertJCL.txt


Document Information

Modified date:
07 September 2022

UID

swg21248143