TSM 7.1.8 / Spectrum Protect 8.1.2 and later create SSL certs with a 10-year expiration.
IBM reference: https://www.ibm.com/support/pages/apar/IT42905
The fix is:
1. Delete the instance keystore (cert.kdb).
2. Set all clients, admins, servers to SESSIONSECURITY=TRANSITIONAL.
3. HALT the server and restart it; this will make a NEW key.
4. FORCESYNC for server connections.
5. Delete the client keystore (dsmcert.idx).
6. Restart the client and make sure it connects to pick up the new key.
If you don’t wipe the client keystore, the client fails with:
ANS1695E The certificate is not valid.
ANS8023E Unable to establish session with server.
ANS8002I Highest return code was -370.
And the server side logs this in the actlog/SERVER_CONSOLE:
ANR8599W The connection with someserver:port failed due to an untrusted server certificate. An attempt to reconnect and establish certificate trust might follow.
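To see which connections still hold the old trust after the key is regenerated, the messages above can be counted from collected log output. This is an added example, not IBM's or the original page's code; the timestamps, host names, ports and the single-file log layout in SAMPLE_LOG are constructed, and only the message IDs and their wording come from the page.

```python
import re
from collections import Counter

# Message IDs and wording come from the page; timestamps, host names and
# ports in SAMPLE_LOG are constructed for this example.
SAMPLE_LOG = """\
2023-03-14 02:00:11 ANR8599W The connection with someserver:1500 failed due to an untrusted server certificate. An attempt to reconnect and establish certificate trust might follow.
2023-03-14 02:05:11 ANR8599W The connection with someserver:1500 failed due to an untrusted server certificate. An attempt to reconnect and establish certificate trust might follow.
2023-03-14 02:07:40 ANR8599W The connection with otherserver:1543 failed due to an untrusted server certificate. An attempt to reconnect and establish certificate trust might follow.
2023-03-14 02:10:02 ANS1695E The certificate is not valid.
2023-03-14 02:10:02 ANS8023E Unable to establish session with server.
2023-03-14 02:10:02 ANS8002I Highest return code was -370.
2023-03-14 03:00:00 ANS8002I Highest return code was 0.
"""

MSG_ID = re.compile(r"\b(AN[RS]\d{4}[A-Z])\b")
PEER = re.compile(r"connection with (\S+):(\d+) failed due to an untrusted server certificate")


def triage(lines):
    """Summarise stale-trust symptoms: server peers (ANR8599W) and client failures."""
    peers = Counter()
    client_failures = 0
    cert_invalid = False  # ANS1695E seen, waiting for the session failure
    for line in lines:
        found = MSG_ID.search(line)
        if not found:
            continue
        msg = found.group(1)
        if msg == "ANR8599W":
            peer = PEER.search(line)
            if peer:
                peers[f"{peer.group(1)}:{peer.group(2)}"] += 1
        elif msg == "ANS1695E":
            cert_invalid = True
        elif msg == "ANS8023E" and cert_invalid:
            client_failures += 1  # ANS1695E followed by ANS8023E
            cert_invalid = False
        elif msg == "ANS8002I":
            cert_invalid = False  # end of one command's output
    return {"server_peers": dict(peers), "client_cert_failures": client_failures}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    for peer, count in sorted(report["server_peers"].items()):
        print(f"{peer}: {count} x ANR8599W -> FORCESYNC step pending for this server connection")
    if report["client_cert_failures"]:
        print(f"{report['client_cert_failures']} client failure(s) -> client keystore (dsmcert.idx) not wiped")
```

A peer that keeps appearing under ANR8599W still needs the FORCESYNC step, and a client failure count above zero points at a dsmcert.idx that was not deleted.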
IBM is considering automating this.
There is no automation yet as of 18.104.22.168 in 2023-03, and once the key expires, you’re stuck doing it manually.
You may be able to use DEFINE CLIENTACTION to delete the keystores on the clients if you use dsmcad.