CEMT PERFORM SSL
Refresh the SSL environment and the cache of certificates for the CICS® region.
In the CICS Explorer, the Regions operations view provides a functional equivalent to this command.
Description
The CEMT PERFORM SSL REBUILD command is a request to rebuild the SSL environment for the CICS® region. z/OS® System SSL manages the SSL environment. The SSL environment includes a cache that contains copies of the certificates in the designated key ring for the CICS region. Any SSL handshake that is in progress in the CICS region when the PERFORM SSL REBUILD command is issued continues based on the old certificate information, and existing SSL sessions are retained.
- The cache of certificates is rebuilt from the key ring for the CICS region, which is held in the external security manager’s database. The new cache includes copies of the new or renewed certificates that were placed in the key ring after the previous build of the SSL environment. New SSL handshakes or sessions that begin in the CICS region after the rebuild is complete use the refreshed certificate information.
- If the SSL environment manages a local SSL cache for the CICS region, as specified by the SSLCACHE=CICS system initialization parameter in CICS, a new cache is created. The SSL cache holds session IDs for SSL sessions. The new cache is populated by new SSL sessions that are established in the CICS region. The old cache is removed when the last connection using it is dropped. If an SSL cache is held at sysplex level for multiple CICS regions (SSLCACHE=SYSPLEX), it is not affected.
- If the CICS region uses an LDAP server for storing certificate revocation lists (CRLs), the bind information that is held for the LDAP server in the SSL environment is refreshed. The details of the LDAP server are taken from an LDAPBIND definition held by the external security manager, which is referenced by the CRLPROFILE system initialization parameter in CICS. If the initial setup of this profile was invalid and the CICS region has therefore disabled its access to the LDAP server, as reported by messages DFHSO0128 or DFHSO0129, the rebuild of the SSL environment cannot restore access to the LDAP server. The refresh only takes place for an LDAP server that is available to the CICS region at the time when the rebuild is carried out. Note: Rebuilding the SSL environment does not refresh the certificate revocation lists on the LDAP server. For instructions to do this, see Running the CCRL transaction.
If the rebuild of the SSL environment is not successful, the old SSL environment and the old cache of certificates are retained and continue to be used by the CICS region.
If the CICS region does not use SSL, CICS generates an error message in response to the CEMT PERFORM SSL REBUILD command. If you receive an error message when the CICS region does use SSL, check the MSGUSR logs. Message DFHSO0123 in the MSGUSR logs indicates that there is a problem with the key ring for the CICS region.
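Before issuing a rebuild, an operator will usually want to know whether the MSGUSR log already shows the conditions this page names: a key ring problem (DFHSO0123) or LDAP access that the region has disabled (DFHSO0128 or DFHSO0129), which the rebuild cannot repair. The following is an added example, not IBM code; the message IDs are those on this page, but the line layout and text of the sample MSGUSR entries are constructed and not the real message wording.

```python
import re
from dataclasses import dataclass, field

# Message IDs named on this page. Only the IDs are taken from the documentation;
# the descriptive text in the sample lines below is constructed.
KEYRING_PROBLEM = "DFHSO0123"
LDAP_ACCESS_DISABLED = {"DFHSO0128", "DFHSO0129"}

# A DFHSOnnnn token anywhere on the line identifies the message.
MSG_ID_RE = re.compile(r"\b(DFHSO\d{4})\b")


@dataclass
class SslRebuildAssessment:
    keyring_problem: bool = False        # DFHSO0123 seen: rebuild will likely fail
    ldap_access_disabled: bool = False   # DFHSO0128/0129 seen: rebuild cannot restore LDAP
    message_ids: list = field(default_factory=list)

    def rebuild_can_refresh_ldap_bind(self) -> bool:
        # Per the documentation, a region that disabled LDAP access because of an
        # invalid CRLPROFILE setup does not regain it through PERFORM SSL REBUILD.
        return not self.ldap_access_disabled


def assess_msgusr(lines):
    """Scan MSGUSR log lines and flag the SSL-related conditions this page describes."""
    result = SslRebuildAssessment()
    for line in lines:
        match = MSG_ID_RE.search(line)
        if not match:
            continue
        msg_id = match.group(1)
        result.message_ids.append(msg_id)
        if msg_id == KEYRING_PROBLEM:
            result.keyring_problem = True
        elif msg_id in LDAP_ACCESS_DISABLED:
            result.ldap_access_disabled = True
    return result


# Constructed sample MSGUSR lines (hypothetical applid CICSTST1; wording is invented).
SAMPLE_MSGUSR = [
    "DFHSO0102 03/12/2024 09:14:51 CICSTST1 (constructed) SSL environment initialized.",
    "DFHSO0128 03/12/2024 09:15:02 CICSTST1 (constructed) LDAP access disabled.",
    "DFHSO0123 03/12/2024 09:15:40 CICSTST1 (constructed) Key ring problem detected.",
]

if __name__ == "__main__":
    print(assess_msgusr(SAMPLE_MSGUSR))
```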
Syntax
CEMT PERFORM SSL [REBUILD]
Options
- REBUILD
- An optional keyword. It does not alter the action of the command.