CEMT PERFORM SSL

Refresh the SSL environment and the cache of certificates for the CICS® region.

In the CICS Explorer, the Regions operations view provides a functional equivalent to this command.

Description

The CEMT PERFORM SSL REBUILD command is a request to rebuild the SSL environment for the CICS(r) region. z/OS® System SSL manages the SSL environment. The SSL environment includes a cache that contains copies of the certificates in the designated key ring for the CICS region.

Any SSL handshake that is in progress in the CICS region when the PERFORM SSL REBUILD command is issued continues based on the old certificate information, and existing SSL sessions are retained.

When the rebuild of the SSL environment is successful, it has the following effects:
  • The cache of certificates is rebuilt from the key ring for the CICS region, which is held in the external security manager’s database. The new cache includes copies of the new or renewed certificates that were placed in the key ring after the previous build of the SSL environment. New SSL handshakes or sessions that begin in the CICS region after the rebuild is complete use the refreshed certificate information.
  • If the SSL environment manages a local SSL cache for the CICS region, as specified by the SSLCACHE=CICS system initialization parameter in CICS, a new cache is created. The SSL cache holds session IDs for SSL sessions. The new cache is populated by new SSL sessions that are established in the CICS region. The old cache is removed when the last connection using it is dropped. If an SSL cache is held at sysplex level for multiple CICS regions (SSLCACHE=SYSPLEX), it is not affected.
  • If the CICS region uses an LDAP server for storing certificate revocation lists (CRLs), the bind information that is held for the LDAP server in the SSL environment is refreshed. The details of the LDAP server are taken from an LDAPBIND definition held by the external security manager, which is referenced by the CRLPROFILE system initialization parameter in CICS. If the initial setup of this profile was invalid and the CICS region has therefore disabled its access to the LDAP server, as reported by messages DFHSO0128 or DFHSO0129, the rebuild of the SSL environment cannot restore access to the LDAP server. The refresh only takes place for an LDAP server that is available to the CICS region at the time when the rebuild is carried out.
    Note: Rebuilding the SSL environment does not refresh the certificate revocation lists on the LDAP server. For instructions to do this, see Running the CCRL transaction.

If the rebuild of the SSL environment is not successful, the old SSL environment and the old cache of certificates are retained and continue to be used by the CICS region.

If the CICS region does not use SSL, CICS generates an error message in response to the CEMT PERFORM SSL REBUILD command. If you receive an error message when the CICS region does use SSL, check the MSGUSR logs. Message DFHSO0123 in the MSGUSR logs indicates that there is a problem with the key ring for the CICS region.

Syntax

CEMT PERFORM SSL

Read syntax diagramSkip visual syntax diagramCEMT PERFORM SSLREBUILD

Options

REBUILD
An optional keyword. It does not alter the action of the command.