Re: SSL expiring cert issues

On Wed, Jul 5, 2017 at 10:16 AM, Steinmetz, Paul <PSteinmetz@xxxxxxxxxx> wrote:

Our SSL wild card cert expired 6/30/17.

1) In DCM, we found that an HTTP instance application using an SSL cert needed to be recycled for the new cert to take effect. When doing our original testing, it "appeared" the app was using the new cert, but was actually using the old cert.

Did you apply the new cert to the application name that the old cert
was using? Or did you create a new application and assign the new
cert to it? Either way, check the HTTP config that it's using the
appropriate application name. This should be easy to swap to a new
cert.

2) Also in DCM, an application assigned to use the new cert was failing due to the expired cert still existing in DCM. We deleted the expired cert, the failing application started working.

Yes, that's a bunch of bunk. Why IBM chooses to throw errors for
applications when there is one expired cert or CA that isn't even
related to the application is just dumb.

3) I'm looking for a method to test/confirm which SSL cert(s) is being used for batch jobs/process (Non Browser jobs)

Chris showed how to use openSSL. That's probably your best non
browser way. But there's no reason Chrome wouldn't work. It will
show you a lot of info about the cert in use.

If you want to use GETURI (www.bvstools.com/geturi.html) you can use
it just with a temp key and if you use it to consume the URL and
specify DEBUG(*YES) it will download the Cert used into the IFS so you
can see it.


Bradley V. Stone
www.bvstools.com
MAILTOOL Benefit #18: Ability to use SSL, TLS or OAuth 2.0
authentication. (OAuth 2.0 only available with Google or Microsoft
Office 365).