RACF_CERTIFICATE_EXPIRATION

Description:
The RACF_CERTIFICATE_EXPIRATION check:
  • Extracts each certificate from the RACF® database.
  • Examines the ending date of the certificate and lists the certificate in the check output if the ending date is equal to or less than the warning date. The warning date is the current date adjusted by the “warning period” that the installation has specified as a parameter to the check.
  • If the certificate is either TRUST or HIGHTRUST, the certificate is marked as an exception.
The RACF_CERTIFICATE_EXPIRATION check has the following columns in its report:
Table 1. RACF_CERTIFICATE_EXPIRATION report columns

Column             Description
S                  The status of the certificate. This column contains an “E” if the certificate is marked as an exception.
Cert Owner         The “anchor point” for the certificate. Valid values are “SITE”, “CERTAUTH”, and “ID(user-ID)”.
Certificate Label  The label that has been assigned to the certificate.
End Date           The end date assigned to the certificate. This is the date after which the certificate is not valid.
Trust              The trust status of the certificate. Valid values are “No”, “Yes”, and “High”.
Rings              The number of key rings with which this certificate is associated.

If there are no certificates selected for inclusion in the report, then only the title and headers are presented, along with the “No exceptions found” message.

Note: The check end date and the current date are evaluated as follows:
  • If the CERTEND date/time is earlier than the current date/time, then the certificate is considered “expired”.
  • If the CERTEND date/time is not earlier than the current date/time, then the current date/time value is subtracted from the CERTEND date/time and the result converted to minutes. This value is compared to the number of days in the warning period multiplied by the number of minutes in a day (1440).
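The following is an added example, not IBM's code or the check's actual implementation. It models the selection and exception logic described above (expired versus warning-period comparison in minutes against DAYS × 1440, exception only for TRUST or HIGHTRUST certificates) over a constructed set of certificate records, and formats rows in the layout of the check's report. The Certificate fields, the parse_days_parm helper and the treatment of a ring count of 0 as “associated with only a virtual key ring” (which the IRRH277I text says is not an exception) are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

MINUTES_PER_DAY = 1440        # the "number of minutes in a day" used by the check
DEFAULT_WARNING_DAYS = 60     # default when DAYS(nnn) is not specified


@dataclass
class Certificate:
    """Constructed stand-in for a RACF certificate record (assumed field set)."""
    owner: str          # "SITE", "CERTAUTH", or "ID(user-ID)"
    label: str
    cert_end: datetime  # CERTEND date/time
    trust: str          # "No", "Yes" (TRUST), or "High" (HIGHTRUST)
    rings: int          # real key rings; assumption: 0 means virtual key ring only


def parse_days_parm(parm):
    """Parse the DAYS(nnn) parameter; None/empty yields the default of 60, nnn must be 0-366."""
    if not parm:
        return DEFAULT_WARNING_DAYS
    m = re.fullmatch(r"\s*DAYS\((\d{1,3})\)\s*", parm, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognized check parameter: {parm!r}")
    days = int(m.group(1))
    if not 0 <= days <= 366:
        raise ValueError(f"DAYS value {days} is outside 0-366")
    return days


def is_expired(cert_end, now):
    # CERTEND earlier than the current date/time -> "expired"
    return cert_end < now


def within_warning_period(cert_end, now, days):
    # Not expired: remaining time converted to minutes, compared with days * 1440
    remaining_minutes = (cert_end - now).total_seconds() / 60
    return remaining_minutes <= days * MINUTES_PER_DAY


def evaluate(certs, now, days):
    """Return (status, certificate) rows for certificates selected into the report."""
    rows = []
    for c in certs:
        if is_expired(c.cert_end, now) or within_warning_period(c.cert_end, now, days):
            trusted = c.trust in ("Yes", "High")
            # Assumption: a certificate on no real ring is "virtual key ring only", not an exception
            exception = trusted and c.rings > 0
            rows.append(("E" if exception else " ", c))
    return rows


def format_report(rows, days):
    """Render rows in the column layout the check's output uses."""
    lines = [
        f"Certificates Expiring in {days} Days".center(72).rstrip(),
        "S Cert Owner   Certificate Label                End Date   Trust Rings",
        "- ------------ -------------------------------- ---------- ----- -----",
    ]
    for status, c in rows:
        lines.append(f"{status} {c.owner:<12} {c.label:<32} "
                     f"{c.cert_end:%m/%d/%Y} {c.trust:<5} {c.rings:>5}")
    if not any(status == "E" for status, _ in rows):
        lines.append("IRRH277I No exceptions are detected. Expired certificates that are not")
        lines.append("trusted or are associated with only a virtual key ring are not")
        lines.append("exceptions.")
    return "\n".join(lines)


# Constructed sample data, evaluated at the start time shown in the sample output
NOW = datetime(2012, 1, 23, 8, 10, 1)
SAMPLE_CERTS = [
    Certificate("ID(WEBSRV)", "WEBSRV-TLS-2011", datetime(2011, 12, 31), "Yes", 1),   # expired, trusted
    Certificate("CERTAUTH", "OLD-TEST-CA", datetime(2011, 6, 30), "No", 1),           # expired, not trusted
    Certificate("SITE", "SITE-SIGNING-KEY", datetime(2012, 2, 20), "High", 2),        # 28 days left
    Certificate("ID(BATCHUSR)", "BATCH-CLIENT-CERT", datetime(2012, 6, 1), "Yes", 1), # outside 60 days
    Certificate("ID(TESTUSR)", "TEST-ONLY-CERT", datetime(2012, 1, 1), "Yes", 0),     # expired, virtual ring only
    Certificate("ID(APPUSR)", "APP-EDGE-CERT", NOW + timedelta(days=60), "Yes", 1),   # exactly 60 days left
]

if __name__ == "__main__":
    days = parse_days_parm("DAYS(60)")
    print(format_report(evaluate(SAMPLE_CERTS, NOW, days), days))
```

Running the block prints one row per selected certificate; the 130-day certificate is omitted, the expired-but-untrusted and virtual-ring-only certificates appear without an “E”, and the certificate ending exactly 60 days out is selected because the comparison is “equal to or less than”.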
The RACF_CERTIFICATE_EXPIRATION check is registered with these attributes:
Table 2. RACF_CERTIFICATE_EXPIRATION attributes

Attribute  Setting
Severity   Medium
State      Active
Interval   Run once a day on each system
Date       20111010
Reason     Operational certificates should not be allowed to expire.
Parameter  DAYS(nnn), where “nnn” is between 0 and 366, with a default of 60 if DAYS is not specified explicitly.
Reason for check:
RACF_CERTIFICATE_EXPIRATION allows RACF to identify all certificates that have expired, identify all certificates that are going to expire within the warning period, and helps ensure that the user has defined a proper baseline set of protections within the z/OS® environment.
z/OS releases the check applies to:
z/OS V2R1 and later.
Parameters accepted:
The value of DAYS(nnn), where “nnn” is between 0 and 366.
User override of IBM values:
The following sample shows the defaults for customizable values for this check. Use this sample to make permanent check customizations in an HZSPRMxx parmlib member used at IBM Health Checker for z/OS startup. If you just want a one-time only update to the check defaults, omit the first line (ADDREPLACE POLICY) and use the UPDATE statement on a MODIFY hzsproc command. Note that using non-POLICY UPDATEs in HZSPRMxx can lead to unexpected results and is therefore not recommended.
ADDREPLACE POLICY[(policyname)] [STATEMENT(name)]
UPDATE
CHECK(IBMRACF,RACF_CERTIFICATE_EXPIRATION)
ACTIVE
SEVERITY(MED)
DATE('20111010')
REASON('Operational certificates should not expire.')
INTERVAL(24:00)
Debug support:
No
Verbose support:
No
Reference:
Messages:
This check issues the following exception messages:
  • IRRH276E
  • IRRH277I
See z/OS Security Server RACF Messages and Codes.
SECLABEL recommended for multilevel security users:
SYSLOW - see z/OS Planning for Multilevel Security and the Common Criteria for information on using SECLABELs.
Output:
The following shows the output from a RACF_CERTIFICATE_EXPIRATION check:
CHECK(IBMRACF,RACF_CERTIFICATE_EXPIRATION)
START TIME: 01/23/2012 08:10:01.603497
CHECK DATE: 20111010 CHECK SEVERITY: MEDIUM
                   Certificates Expiring in 60 Days
S Cert Owner  Certificate Label                 End Date  Trust Rings
- ------------ -------------------------------- ---------- ----- -----
IRRH277I No exceptions are detected. Expired certificates that are not
trusted or are associated with only a virtual key ring are not
exceptions.
END TIME: 01/23/2012 08:10:01.643285  STATUS: SUCCESSFUL