IBM Z Hardware and Operating Systems Ideas Portal



Status Under review
Workspace z/OS
Categories RACF
Created by Guest
Created on Oct 21, 2024

RACF should prioritize checking certificates with longer validity periods in the keyrings.

Opening a new idea (RFE) since IBM changed the status of ZOS-I-4249 to Not under consideration

Why is it useful: Let's consider an example:

CustomerX provides a new subCA to Visa for installation as a trusted entity because one of their subCAs, say subcaX, is due to expire. Visa installs the new subCA, and everything should be fine. However, when subcaX expires, System SSL transmissions fail because System SSL has subcaX loaded in storage. Even after refreshing RACF and System SSL, the problem persists. This is because System SSL checks the keyring again, finds subcaX first, and loads it into storage. The reason? SubcaX was connected first and is presented first.

To resolve this, we need to remove subcaX from the keyring and refresh RACF. MVS Network also needs to refresh System SSL. Then, when System SSL checks the keyring again, it finds the new subCA and loads it into storage and the issue is fixed.

Twice this year, we have observed significant business impacts due to the z/OS RACF certificate priority/selection. In both instances, large numbers of financial groups were affected. This issue also pertains to any business z/OS environments under regulatory compliance. I am submitting a new RFE as this poor configuration within RACF certificates needs a solution.

Who would benefit from it: The entire customer base.

How should it work: RACF should prioritize checking certificates with longer validity periods in the keyrings.


Idea priority Medium
  • Guest
    Oct 22, 2024

    “When System SSL opens a RACF keyring, the order in which RACF presents the certificates is the order in which they were connected (RACDCERT CONNECT) to the keyring. So the certificates that were connected first are presented first.

    System SSL will keep the certificate in storage for the life of the Client or Server and won't refer back to RACF unless its SSL environment is refreshed.”


    We cannot say that RACF should always present the most recently connected certificates first. This is because certificates (CAs) with different validity periods may be connected at different times—today a certificate with longer validity, and tomorrow one with shorter validity.

    Therefore, the key is that RACF should prioritize checking certificates with longer validity periods in the keyrings.

  • Guest
    Oct 22, 2024

    Consider this scenario:

    We have a keyring for Connect:Direct that includes all the CAs (both sub-CAs and root CAs) provided by external customers. For instance, customerX provided a sub-CA, subcaX, five years ago. This subcaX is set to expire on September 22, 2024, at 1:02:45 AM MT.

    Additionally, customerY provided a sub-CA, subcaY, one year ago. CustomerX forgot about the impending expiration of subcaX and did not inform us to add a new sub-CA as a replacement. Fortunately, the new sub-CA is already present in our keyring because customerY provided subcaY a year ago. However, on September 22, 2024, at 1:05:00 AM MT, CustomerX's Connect:Direct transmissions failed, which can lead to significant financial repercussions. The reason is that RACF currently prioritizes the first connected sub-CA, subcaX, which expired.

    To resolve this issue, the Visa team would need to remove subcaX on September 22, 2024, at 1:02:46 AM MT, refresh RACF, and request the Network team to refresh SSL (Connect:Direct). This timing can be problematic if the Visa teams don't have coverage at that hour (1 AM).

    Best Approach (RFE): RACF should prioritize certificates with longer validity periods in the keyrings. In this example, if subcaY, provided by customerY a year ago, were prioritized and presented first, the issue would have been avoided after the necessary refreshes by the Visa teams.

    Please review Case TS017091207 for more information. Here is a part of it:

    SteveZ (IBM)Aug 28, 2024, 16:01

    Action Taken:

    Hello Fredy,

    ~

    Thanks for using IBM support

    ~

    When System SSL opens a RACF keyring, the order in which RACF presents the certificates is the order in which they were connected (RACDCERT CONNECT) to the keyring. So the certificates that were connected first are presented first.

    System SSL will keep the certificate in storage for the life of the Client or Server and won't refer back to RACF unless its SSL environment is refreshed.

    If you have some recommendations about how RACF processes certificates, you are always welcome to open an IDEA (previously known as 'Request for Enhancement' (RFE)) at the IBM Ideas Portal https://ideas.ibm.com/ to notify RACF development and get your requirement recorded as something to be designed into the product.

    It must be created by you, the customer, and will allow you to communicate directly with the IBM product development team and your community peers regarding this requirement.

    ~

    If I can be of further assistance on this specific issue please let me know.

    Regards, Steve
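As an added illustration (not code from this thread, from IBM or from RACF itself), the Python model below replays the subcaX/subcaY scenario from the idea text and the comment above: it contrasts the connect-order selection described by IBM support with the longest-validity selection the RFE asks for, shows why an SSL refresh alone or a RACF keyring change alone does not clear the failure, and adds a small audit that flags a keyring in which a later-connected CA outlives the same-named entry presented first. The certificate labels, the rule that a chain is matched by CA name, and every date except subcaX's expiry time are assumptions made for the example.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone
MT = timezone(timedelta(hours=-6))  # Mountain Daylight Time, in effect on 22 Sep 2024
# label = RACF certificate label; subject = CA name (a replacement CA is assumed to reuse it)
CertEntry = namedtuple("CertEntry", "label subject not_after")
# Constructed keyring in RACDCERT CONNECT order: subcaX connected first and expiring at the
# time quoted in the thread; subcaY connected later, with a made-up longer validity.
KEYRING = [
    CertEntry("SUBCAX", "CN=Partner Sub CA", datetime(2024, 9, 22, 1, 2, 45, tzinfo=MT)),
    CertEntry("SUBCAY", "CN=Partner Sub CA", datetime(2028, 6, 1, tzinfo=MT)),
]
ISSUER = "CN=Partner Sub CA"

def first_connected(keyring, issuer):
    """Current behaviour per the thread: the entry connected first is presented first."""
    return next((e for e in keyring if e.subject == issuer), None)

def longest_validity(keyring, issuer):
    """Behaviour the RFE asks for: among matching entries, prefer the latest notAfter."""
    return max((e for e in keyring if e.subject == issuer), key=lambda e: e.not_after, default=None)

class SslEnvironment:
    """Models System SSL keeping the chosen CA in storage until its environment is refreshed."""
    def __init__(self, keyring, policy):
        self.keyring, self.policy, self.cache = list(keyring), policy, {}
    def refresh(self):          # SSL environment refresh: forget the CAs held in storage
        self.cache.clear()
    def remove(self, label):    # RACDCERT REMOVE from the keyring followed by a RACF refresh
        self.keyring = [e for e in self.keyring if e.label != label]
    def verify(self, issuer, now):
        """Label of the CA used, or None when the CA in storage is expired or missing."""
        e = self.cache.setdefault(issuer, self.policy(self.keyring, issuer))
        return e.label if e is not None and now <= e.not_after else None

def shadowed_replacements(keyring):
    """Audit: (presented-first, later) label pairs where the later-connected CA outlives the first."""
    firsts = {e.subject: first_connected(keyring, e.subject) for e in keyring}
    return [(firsts[e.subject].label, e.label) for e in keyring
            if e is not firsts[e.subject] and e.not_after > firsts[e.subject].not_after]

def scenario(policy):
    """CA loaded a month early, transmission at 01:05:00 MT on 22 Sep 2024, then the manual fix."""
    t_fail = datetime(2024, 9, 22, 1, 5, 0, tzinfo=MT)
    env = SslEnvironment(KEYRING, policy)
    env.verify(ISSUER, t_fail - timedelta(days=30))                      # CA chosen and kept in storage
    at_failure = env.verify(ISSUER, t_fail)
    env.refresh(); after_ssl_refresh = env.verify(ISSUER, t_fail)       # SSL alone: finds SUBCAX again
    env.remove("SUBCAX"); after_racf_only = env.verify(ISSUER, t_fail)  # RACF alone: SSL still holds old CA
    env.refresh(); after_both = env.verify(ISSUER, t_fail)
    return at_failure, after_ssl_refresh, after_racf_only, after_both
```

Running `scenario(first_connected)` yields failures until both the keyring removal and the SSL refresh have happened, while `scenario(longest_validity)` picks SUBCAY throughout; `shadowed_replacements(KEYRING)` reports the SUBCAX/SUBCAY pair ahead of time, which is the check an operations team could run before an expiry date.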





  • Guest
    Oct 22, 2024
    Thank you for submitting this Idea. We would appreciate more information. What is your use case for needing both the new and expired certificates in the keyring? Are these two certificates added under different user IDs or the same ID?
    10 replies