Re: [EXTERNAL] Re: IBM download server root CA change

2023-06-02 Thread Pommier, Rex 
Thanks again.  Guess I'm just a bit of a worrier.  :-)

Rex

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Dana Mitchell
Sent: Friday, June 2, 2023 11:46 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [EXTERNAL] Re: IBM download server root CA change

On Fri, 2 Jun 2023 16:39:30 +, Pommier, Rex  wrote:

>
>What about things like tapetools?  Do I need to be concerned whether my TS7760 
>libraries or my DS8910F disk arrays have these certs embedded in them in order 
>to send diagnostic information to IBM (if needed)?  I have no visibility into 
>this hardware to see if they're compatible or not.  
>
>Rex
>

I don't believe so, the IBM Red Alert didn't say anything about verifying on 
those types of hardware.

Dana

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
The information contained in this message is confidential, protected from 
disclosure and may be legally privileged. If the reader of this message is not 
the intended recipient or an employee or agent responsible for delivering this 
message to the intended recipient, you are hereby notified that any disclosure, 
distribution, copying, or any action taken or action omitted in reliance on it, 
is strictly prohibited and may be unlawful. If you have received this 
communication in error, please notify us immediately by replying to this 
message and destroy the material in its entirety, whether in electronic or hard 
copy format. Thank you.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: [EXTERNAL] Re: IBM download server root CA change

2023-06-02 Thread Dana Mitchell 
On Fri, 2 Jun 2023 16:39:30 +, Pommier, Rex  wrote:

>
>What about things like tapetools?  Do I need to be concerned whether my TS7760 
>libraries or my DS8910F disk arrays have these certs embedded in them in order 
>to send diagnostic information to IBM (if needed)?  I have no visibility into 
>this hardware to see if they're compatible or not.  
>
>Rex
>

I don't believe so, the IBM Red Alert didn't say anything about verifying on 
those types of hardware.

Dana

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: [EXTERNAL] Re: IBM download server root CA change

2023-06-02 Thread Pommier, Rex 
Thanks, Dana,

That helps with part of my confusion.  On the SMP/E side of it, I was just 
looking for confirmation that I hadn't missed anything blatant.  We use the 
HTTPS method of downloading, and I have the appropriate cert in my RACF 
database.  

What about things like tapetools?  Do I need to be concerned whether my TS7760 
libraries or my DS8910F disk arrays have these certs embedded in them in order 
to send diagnostic information to IBM (if needed)?  I have no visibility into 
this hardware to see if they're compatible or not.  

Rex

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Dana Mitchell
Sent: Friday, June 2, 2023 11:23 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: IBM download server root CA change

On Fri, 2 Jun 2023 15:55:47 +, Pommier, Rex  wrote:

>Hi list,
>
>I'm a bit perplexed about this certificate change.  Kurt gave us ample warning 
>about the SMP/E changes (thanks, Kurt).  I also got a red alert telling me of 
>the impending change.  In addition, I got an e-mail earlier this week from the 
>tapetools folks telling us that TT will start using the new cert next week.  
>The link in the TT e-mail showed various IBM entities implementing the new 
>cert over the next several months.  Here's where my confusion comes from.  
>What - if anything - do I need to do with this?  Looking at the cert in my 
>RACF database, it shows a start date of August 2013 - almost 10 years ago.   
>Am I missing something obvious that is a recent update or is IBM just being 
>extremely cautious with this change?  
>


IBM is changing the  root and intermediate certificate authorities that sign 
their certificates.
According to this page:  
https://urldefense.com/v3/__https://www.ibm.com/support/pages/node/6997317__;!!KjMRP1Ixj6eLE0Fj!u8szv-ppSBEuT7-ZagMLAw7OckQeSOLrwr-dloAfDmKUoSseJ-2PW4c6cj_nOoFYflOPj0cDKjl2jtYTDpRT$
  you may not have to do anything:

If you use the HTTPS download method and your certificate authority (CA) 
certificates are managed by the default z/OS Java truststore, then no action is 
required. For example, if your CLIENT XML input for the SMP/E RECEIVE command 
or the GIMGTPKG service routine contains the following, then no action is 
required:



No action is required because the DigiCert Global Root G2 certificate is 
already defined in the default Java truststore. However, if you use the FTPS 
download method, or if you choose to manage certificate authority (CA) root 
certificates in your z/OS security manager, then continue reading to learn 
about the actions you must take.

If that's not the case for  your site, the page goes on to show detailed RACF 
commands to determine if you  have the required root and intermediate 
certificates in your RACF database. 
Dana

--


--
The information contained in this message is confidential, protected from 
disclosure and may be legally privileged. If the reader of this message is not 
the intended recipient or an employee or agent responsible for delivering this 
message to the intended recipient, you are hereby notified that any disclosure, 
distribution, copying, or any action taken or action omitted in reliance on it, 
is strictly prohibited and may be unlawful. If you have received this 
communication in error, please notify us immediately by replying to this 
message and destroy the material in its entirety, whether in electronic or hard 
copy format. Thank you.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM download server root CA change

2023-06-02 Thread Dana Mitchell 
On Fri, 2 Jun 2023 15:55:47 +, Pommier, Rex  wrote:

>Hi list,
>
>I'm a bit perplexed about this certificate change.  Kurt gave us ample warning 
>about the SMP/E changes (thanks, Kurt).  I also got a red alert telling me of 
>the impending change.  In addition, I got an e-mail earlier this week from the 
>tapetools folks telling us that TT will start using the new cert next week.  
>The link in the TT e-mail showed various IBM entities implementing the new 
>cert over the next several months.  Here's where my confusion comes from.  
>What - if anything - do I need to do with this?  Looking at the cert in my 
>RACF database, it shows a start date of August 2013 - almost 10 years ago.   
>Am I missing something obvious that is a recent update or is IBM just being 
>extremely cautious with this change?  
>


IBM is changing the  root and intermediate certificate authorities that sign 
their certificates.
According to this page:  https://www.ibm.com/support/pages/node/6997317 you may 
not have to do anything:

If you use the HTTPS download method and your certificate authority (CA) 
certificates are managed by the default z/OS Java truststore, then no action is 
required. For example, if your CLIENT XML input for the SMP/E RECEIVE command 
or the GIMGTPKG service routine contains the following, then no action is 
required:



No action is required because the DigiCert Global Root G2 certificate is 
already defined in the default Java truststore. However, if you use the FTPS 
download method, or if you choose to manage certificate authority (CA) root 
certificates in your z/OS security manager, then continue reading to learn 
about the actions you must take.

If that's not the case for  your site, the page goes on to show detailed RACF 
commands to determine if you  have the required root and intermediate 
certificates in your RACF database. 
Dana

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IBM download server root CA change

2023-06-02 Thread Pommier, Rex 
Hi list,

I'm a bit perplexed about this certificate change.  Kurt gave us ample warning 
about the SMP/E changes (thanks, Kurt).  I also got a red alert telling me of 
the impending change.  In addition, I got an e-mail earlier this week from the 
tapetools folks telling us that TT will start using the new cert next week.  
The link in the TT e-mail showed various IBM entities implementing the new cert 
over the next several months.  Here's where my confusion comes from.  What - if 
anything - do I need to do with this?  Looking at the cert in my RACF database, 
it shows a start date of August 2013 - almost 10 years ago.   Am I missing 
something obvious that is a recent update or is IBM just being extremely 
cautious with this change?  

Thanks,

Rex

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Kurt J. Quackenbush
Sent: Monday, May 22, 2023 12:31 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] IBM download server root CA change

Take note of the planned 30 May 2023 change to the certificate authority (CA) 
root for the IBM software download servers:
https://urldefense.com/v3/__https://www.ibm.com/support/pages/node/6997317__;!!KjMRP1Ixj6eLE0Fj!oGQkk_jrjQ6qo8hCrA7rmEI4c6QoccCXGvWMx4ay8bRk5t_5ojLKHOuGQZ1v6u6TVtOjA9IDzNfg4vao$
 

This affects downloads for z/OS product and service orders submitted from 
Shopz, service orders submitted by SMP/E RECEIVE ORDER, and service orders 
submitted by ServiceLink.  Take action now to avoid interruptions in your PTF 
and software product download capability.

Kurt Quackenbush
IBM  |  z/OS SMP/E and z/OSMF Software Management  |  
ku...@us.ibm.com<mailto:ku...@us.ibm.com>

Chuck Norris never uses CHECK when he applies PTFs.




--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
The information contained in this message is confidential, protected from 
disclosure and may be legally privileged. If the reader of this message is not 
the intended recipient or an employee or agent responsible for delivering this 
message to the intended recipient, you are hereby notified that any disclosure, 
distribution, copying, or any action taken or action omitted in reliance on it, 
is strictly prohibited and may be unlawful. If you have received this 
communication in error, please notify us immediately by replying to this 
message and destroy the material in its entirety, whether in electronic or hard 
copy format. Thank you.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

IBM download server root CA change

2023-05-22 Thread Kurt J. Quackenbush 
Take note of the planned 30 May 2023 change to the certificate authority (CA) 
root for the IBM software download servers:
https://www.ibm.com/support/pages/node/6997317

This affects downloads for z/OS product and service orders submitted from 
Shopz, service orders submitted by SMP/E RECEIVE ORDER, and service orders 
submitted by ServiceLink.  Take action now to avoid interruptions in your PTF 
and software product download capability.

Kurt Quackenbush
IBM  |  z/OS SMP/E and z/OSMF Software Management  |  
ku...@us.ibm.com

Chuck Norris never uses CHECK when he applies PTFs.




--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN