IBM Support

IBM Software Download Servers Change

News


Abstract

On 2 June 2023, the trusted certificate authority (CA) root will change for IBM software download servers. The affected servers are used for z/OS service orders submitted from SMP/E RECEIVE ORDER, z/OS product and service orders submitted from Shopz, and z/OS service orders submitted from ServiceLink.

Content

On 2 June 2023, the trusted certificate authority (CA) root certificate used for server authentication will be changed for the IBM download servers used for:

  • z/OS service orders initiated from SMP/E RECEIVE ORDER,
  • z/OS service orders initiated from ServiceLink, and
  • z/OS product and service orders initiated from Shopz.

The host names for these download servers are:

  • deliverycb-bld.dhe.ibm.com
  • deliverycb-mul.dhe.ibm.com

The current server certificates issued by the certificate authority (CA) root “DigiCert Global Root CA” will soon expire and the new certificates are issued by a different certificate authority (CA) root, “DigiCert Global Root G2”.

If you currently download z/OS software and service from IBM’s servers directly to your z/OS system by using SMP/E, then action might be required to continue downloading software product and service orders without interruption after this change.

If you use the HTTPS download method and your certificate authority (CA) certificates are managed by the default z/OS Java truststore, then no action is required. For example, if your CLIENT XML input for the SMP/E RECEIVE command or the GIMGTPKG service routine contains the following, then no action is required:

<CLIENT
  downloadmethod="https"
  downloadkeyring="javatruststore"
  javahome="/usr/lpp/java/J8.0"
  >
</CLIENT>

No action is required because the DigiCert Global Root G2 certificate is already defined in the default Java truststore. However, if you use the FTPS download method, or if you choose to manage certificate authority (CA) root certificates in your z/OS security manager, then continue reading to learn about the actions you must take.

Action

If the certificate authority (CA) root certificates for authenticating with the IBM download servers are managed and stored in your security manager database on z/OS, then you must ensure the DigiCert Global Root G2 certificate is in your security manager database.

Note: The z/OS® Security Server (RACF) or an equivalent security manager product on z/OS is used to store and manage X.509 certificates. The remainder of this article assumes you are using RACF. If you are using an equivalent security manager product, refer to that product’s documentation to understand the equivalent actions.

To determine whether the DigiCert Global Root G2 certificate is in your RACF database, you must search for and display the certificate by using the certificate's unique serial number and issuer. The serial number and issuer remain constant regardless of the label assigned to the certificate in your RACF database. Use the following RACF command to display the DigiCert Global Root G2 certificate:

RACDCERT CERTAUTH LIST( +
SERIALNUMBER(033AF1E6A711A9A0BB2864B11D09FAE5) +
ISSUERSDN( +
'CN=DigiCert Global Root G2.OU=www.digicert.com.O=DigiCert Inc.C=US'))

If the certificate is found in your RACF database, the certificate information is displayed like this:

Label: DigiCert Global Root G2                                           
Certificate ID: 2QiJmZmDhZmjgcSJh4nDhZmjQMeTloKBk0DZlpajQMfy             
Status: TRUST                                                            
Start Date: 2013/08/01 08:00:00                                          
End Date:   2038/01/15 08:00:00                                          
Serial Number:                                                           
     >033AF1E6A711A9A0BB2864B11D09FAE5<                                  
Issuer's Name:                                                           
     >CN=DigiCert Global Root G2.OU=www.digicert.com.O=DigiCert Inc.C=US< 
Subject's Name:                                                          
     >CN=DigiCert Global Root G2.OU=www.digicert.com.O=DigiCert Inc.C=US< 
Signing Algorithm: sha256RSA                                             
Key Usage: HANDSHAKE, CERTSIGN                                           
Key Type: RSA                                                            
Key Size: 2048                                                           
Private Key: NO                                                          
Certificate Fingerprint (SHA256):                                        
     CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:                    
     47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F

Make note of the label of the certificate that is found, because the label in your RACF database can differ from “DigiCert Global Root G2”. You must use the actual label value in the subsequent RACF commands. If the certificate is found but has a Status of NOTRUST, then you must use the following RACF command to trust the certificate:

RACDCERT CERTAUTH +
ALTER(LABEL('DigiCert Global Root G2')) TRUST
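
The following added example, which is not part of the IBM document, parses captured RACDCERT LIST output and reports the actual label together with any serial number, fingerprint or trust status problem. It assumes one certificate per listing; the function names are hypothetical and the sample is abbreviated from the output shown above.

```python
import re

# Serial number and SHA-256 fingerprint published on this page.
EXPECTED_SERIAL = "033AF1E6A711A9A0BB2864B11D09FAE5"
EXPECTED_SHA256 = ("CB3CCBB76031E5E0138F8DD39A23F9DE"
                   "47FFC35E43C1144CEA27D46A5AB1CB5F")

# RACDCERT LIST output copied from this page (some fields omitted).
SAMPLE = """\
Label: DigiCert Global Root G2
Status: TRUST
Serial Number:
     >033AF1E6A711A9A0BB2864B11D09FAE5<
Issuer's Name:
     >CN=DigiCert Global Root G2.OU=www.digicert.com.O=DigiCert Inc.C=US<
Certificate Fingerprint (SHA256):
     CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:
     47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F
"""

# A field line is "Name:" or "Name: value"; any other non-blank line continues
# the previous field (serial, DN and fingerprint values wrap onto new lines).
FIELD = re.compile(r"^([A-Za-z][^:]*):(?:\s+(.*))?$")

def parse_listing(text):
    """Return {field name: value} for one certificate in RACDCERT LIST output."""
    fields, key = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = FIELD.match(line)
        if m:
            key = m.group(1).strip()
            fields[key] = m.group(2) or ""
        elif line and key:
            fields[key] += line.strip("><")
    return fields

def check_root(text):
    """Return (label, problems); an empty list means the root is usable."""
    f = parse_listing(text)
    label, problems = f.get("Label"), []
    if f.get("Serial Number", "").upper() != EXPECTED_SERIAL:
        problems.append("serial number mismatch")
    fp = f.get("Certificate Fingerprint (SHA256)", "")
    if fp.replace(":", "").upper() != EXPECTED_SHA256:
        problems.append("SHA256 fingerprint mismatch")
    if f.get("Status") != "TRUST":
        problems.append(f"status is {f.get('Status')}: use "
                        f"RACDCERT CERTAUTH ALTER(LABEL('{label}')) TRUST")
    return label, problems
```
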

If the certificate is not found, you must add the DigiCert Global Root G2 certificate to your RACF database by performing the following steps:

  1. Download the DigiCert Global Root G2 certificate file to your workstation. Using your browser, go to the DigiCert Trusted Root Authority Certificates web page. Find the DigiCert Global Root G2 in the list of root certificates, and click the "Download PEM" link for this certificate to download the certificate file to your workstation.
  2. Upload the certificate to your z/OS system. There are many methods to transfer files from your workstation to your z/OS system. For example, you can upload the certificate file with Personal Communications 3270 or use TCP/IP FTP. Because the PEM format certificate file is text data, you can also open the file in a text editor and use your workstation’s cut/paste feature. The important things to remember are that the PEM format certificate file must be uploaded to z/OS as text data, the certificate file must be stored in a sequential data set, and the sequential data set must have RECFM=VB and LRECL>=256.
  3. After the certificate is stored in a sequential data set, add it to your RACF database by using the following RACF command:
    RACDCERT CERTAUTH ADD('ca-cert.dataset.name') +
    WITHLABEL('DigiCert Global Root G2') TRUST
    

    where ca-cert.dataset.name is the name of the sequential data set used to store the certificate received from the DigiCert website.
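
Before the file is uploaded and added, it can be checked on the workstation against the SHA256 fingerprint shown earlier on this page. The following is an added example, not part of the IBM document; the function names are hypothetical and the embedded sample is constructed (not a real certificate), so running it as is shows the mismatch path.

```python
import base64, binascii, hashlib, re

# SHA-256 fingerprint of DigiCert Global Root G2 as published on this page.
EXPECTED_SHA256 = ("CB3CCBB76031E5E0138F8DD39A23F9DE"
                   "47FFC35E43C1144CEA27D46A5AB1CB5F")
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed sample: PEM armor around arbitrary bytes, not a real certificate.
CONSTRUCTED_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(b"constructed test bytes " * 8)
                   + b"-----END CERTIFICATE-----\n")

def fingerprint(der):
    """SHA-256 of the DER bytes in the colon-separated form RACF displays."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def check_pem_file(data, lrecl=256):
    """Return reasons not to upload and ADD this file; empty list means OK."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return ["not text data: binary (DER?) file, PEM text is required"]
    blocks = PEM_BLOCK.findall(text)
    if len(blocks) != 1:
        return [f"expected exactly 1 certificate, found {len(blocks)}"]
    problems = []
    # RECFM=VB keeps a 4-byte record descriptor inside LRECL.
    if any(len(line) > lrecl - 4 for line in text.splitlines()):
        problems.append(f"a line is too long for LRECL={lrecl}")
    try:
        der = base64.b64decode("".join(blocks[0].split()), validate=True)
    except binascii.Error:
        return problems + ["certificate body is not valid base64"]
    if fingerprint(der).replace(":", "") != EXPECTED_SHA256:
        problems.append("fingerprint mismatch: " + fingerprint(der))
    return problems

if __name__ == "__main__":
    # Replace CONSTRUCTED_PEM with the bytes of the downloaded file.
    print(check_pem_file(CONSTRUCTED_PEM))
```
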

Finally, if you currently use a specific keyring when downloading software from IBM’s download servers instead of the CERTAUTH virtual keyring *AUTH*/*, then connect the DigiCert Global Root G2 certificate to that keyring. Use the following RACF command to connect the certificate to your keyring:

RACDCERT ID(userid) CONNECT( CERTAUTH +
LABEL('DigiCert Global Root G2') +
RING(download-keyring) +
USAGE(CERTAUTH) )

Where “download-keyring” is the keyring name that you use to download software. This keyring might currently be specified on the downloadkeyring attribute in the CLIENT XML input for SMP/E, or used by the FTP client.

If you RACLIST the DIGTCERT or DIGTRING classes, do not forget to refresh the in-storage profiles so the updates can take effect. Use the following RACF command:

SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH


Document Information

Modified date:
25 May 2023

UID

ibm16997317