This is the public portal for all IBM Z Hardware and Operating System related offerings. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).
“When System SSL opens a RACF keyring, the order in which RACF presents the certificates is the order in which they were connected (RACDCERT CONNECT) to the keyring. So the certificates that were connected first are presented first.
System SSL will keep the certificates in storage for the life of the client or server and won't refer back to RACF unless its SSL environment is refreshed.”
We cannot say that RACF should always present the most recently connected certificates first, because certificates (CAs) with different validity periods may be connected at different times: today a certificate with a longer validity period, tomorrow one with a shorter one.
Therefore the key point is that, when a keyring is checked, RACF should give priority to the certificate with the longer validity period.
Consider this scenario:
We have a keyring for Connect:Direct that includes all the CAs (both sub-CAs and root CAs) provided by external customers. For instance, customerX provided a sub-CA, subcaX, five years ago. This subcaX is set to expire on September 22, 2024, at 1:02:45 AM MT.
Additionally, customerY provided a sub-CA, subcaY, one year ago. CustomerX forgot about the impending expiration of subcaX and did not inform us to add a new sub-CA as a replacement. Fortunately, the new sub-CA is already present in our keyring because customerY provided subcaY a year ago. However, on September 22, 2024, at 1:05:00 AM MT, customerX's Connect:Direct transmissions fail, which can lead to significant financial repercussions. The reason is that RACF currently presents the first connected sub-CA, subcaX, which has expired, ahead of subcaY.
To resolve this issue, the Visa team would need to remove subcaX on September 22, 2024, at 1:02:46 AM MT, refresh RACF, and request the Network team to refresh SSL (Connect:Direct). This timing can be problematic if the Visa teams don't have coverage at that hour (1 AM).
Best Approach (RFE): RACF should prioritize certificates with longer validity periods in the keyrings. In this example, if subcaY, provided by customerY a year ago, had been prioritized and presented first, the issue would have been avoided after the necessary refreshes by the Visa teams.
Please review Case TS017091207 for more information. Here is part of it:
SteveZ (IBM) Aug 28, 2024, 16:01
Action Taken:
Hello Fredy,
~
Thanks for using IBM support
~
When System SSL opens a RACF keyring, the order in which RACF presents the certificates is the order in which they were connected (RACDCERT CONNECT) to the keyring. So the certificates that were connected first are presented first.
System SSL will keep the certificates in storage for the life of the client or server and won't refer back to RACF unless its SSL environment is refreshed.
If you have some recommendations about how RACF processes certificates, you are always welcome to open an Idea (previously known as a 'Request for Enhancement' (RFE)) at the IBM Ideas Portal https://ideas.ibm.com/ to notify RACF development and get your requirement recorded as something to be designed into the product.
It must be created by you, the customer, and will allow you to communicate directly with the IBM product development team and your community peers regarding this requirement.
~
If I can be of further assistance on this specific issue please let me know.
Regards, Steve