RACF_CERTIFICATE_EXPIRATION
- Description:
- The RACF_CERTIFICATE_EXPIRATION check:
- Extracts each certificate from the RACF® database.
- Examines the ending date of the certificate and lists the certificate in the check output if the ending date is equal to or less than the warning date. The warning date is the current date adjusted by the “warning period” that the installation has specified as a parameter to the check.
- If the certificate is either TRUST or HIGHTRUST, the certificate is marked as an exception.
The RACF_CERTIFICATE_EXPIRATION check has the following columns in its report:

Table 1. RACF_CERTIFICATE_EXPIRATION report columns

Column             Description
S                  The status of the certificate. This column contains an “E” if the certificate is marked as an exception.
Cert Owner         The “anchor point” for the certificate. Valid values are “SITE”, “CERTAUTH”, and “ID(user-ID)”.
Certificate Label  The label that has been assigned to the certificate.
End Date           The end date assigned to the certificate. This is the date after which the certificate is not valid.
Trust              The trust status of the certificate. Valid values are “No”, “Yes”, and “High”.
Rings              The number of rings with which this certificate is associated.

If no certificates are selected for inclusion in the report, only the title and headers are presented, along with the “No exceptions found” message.
Note: The check end date and the current date are evaluated as follows:
- If the CERTEND date/time is earlier than the current date/time, the certificate is considered “expired”.
- If the CERTEND date/time is not earlier than the current date/time, the current date/time is subtracted from the CERTEND date/time and the result is converted to minutes. This value is compared to the number of days in the warning period multiplied by the number of minutes in a day (1440).
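The evaluation rules above, worked through as an added Python example (this is not IBM's check code; the sample certificate records, the DAYS validation, and the reading of Rings 0 as “associated only with a virtual key ring” are assumptions):

```python
from datetime import datetime

MINUTES_PER_DAY = 1440  # the note compares remaining minutes to days * 1440

def parse_days(nnn=None):
    """Validate the DAYS(nnn) parameter: 0..366, default 60 when omitted."""
    days = 60 if nnn is None else int(nnn)
    if not 0 <= days <= 366:
        raise ValueError("DAYS must be between 0 and 366")
    return days

def classify(cert_end, now, warning_days):
    """Return 'expired', 'expiring' or 'ok' following the CERTEND rules."""
    if cert_end < now:
        return "expired"
    remaining_minutes = (cert_end - now).total_seconds() / 60
    if remaining_minutes <= warning_days * MINUTES_PER_DAY:
        return "expiring"
    return "ok"

def run_check(certs, now, warning_days):
    """Build report rows: (S, Cert Owner, Certificate Label, End Date, Trust, Rings)."""
    rows = []
    for c in certs:
        if classify(c["end"], now, warning_days) == "ok":
            continue  # outside the warning window: not listed at all
        # Only TRUST/HIGHTRUST certificates connected to a real key ring are
        # exceptions; Rings == 0 is assumed here to mean "virtual key ring only".
        exception = c["trust"] in ("Yes", "High") and c["rings"] > 0
        rows.append(("E" if exception else " ", c["owner"], c["label"],
                     c["end"].strftime("%m/%d/%Y"), c["trust"], c["rings"]))
    return rows

# Constructed sample records, not taken from any RACF database.
NOW = datetime(2012, 1, 23, 8, 10)
SAMPLE_CERTS = [
    {"owner": "CERTAUTH", "label": "Local CA", "trust": "High", "rings": 3,
     "end": datetime(2012, 2, 15, 23, 59)},      # inside the 60-day window
    {"owner": "ID(WEBSRV)", "label": "Web Server Cert", "trust": "Yes", "rings": 1,
     "end": datetime(2011, 12, 31, 23, 59)},     # already expired
    {"owner": "ID(TESTUSR)", "label": "Old Test Cert", "trust": "No", "rings": 0,
     "end": datetime(2011, 6, 30, 23, 59)},      # expired, but not trusted
    {"owner": "SITE", "label": "Site Signing Cert", "trust": "Yes", "rings": 2,
     "end": datetime(2014, 1, 1, 0, 0)},         # well outside the window
]
if __name__ == "__main__":
    print("S Cert Owner   Certificate Label   End Date   Trust Rings")
    for row in run_check(SAMPLE_CERTS, NOW, parse_days()):
        print("%s %-12s %-19s %s %-5s %5d" % row)
```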
The RACF_CERTIFICATE_EXPIRED check is registered with these attributes:

Table 2. RACF_CERTIFICATE_EXPIRED attributes

Attribute  Setting
Severity   Medium
State      Active
Interval   Run once a day on each system
Date       20111010
Reason     Operational certificates should not be allowed to expire.
Parameter  DAYS(nnn), where “nnn” is between 0 and 366, with a default of 60 if DAYS is not specified explicitly.

- Reason for check:
- RACF_CERTIFICATE_EXPIRATION allows RACF to identify all certificates that have expired, identify all certificates that are going to expire within the next few days, and ensure that the user has defined a proper baseline set of protections within the z/OS® environment.
- z/OS releases the check applies to:
- z/OS V2R1 and later.
- Parameters accepted:
- The value of DAYS(nnn), where “nnn” is between 0 and 366.
- User override of IBM values:
- The following sample shows the defaults for customizable values for this check. Use this sample to make permanent check customizations in an HZSPRMxx parmlib member used at IBM Health Checker for z/OS startup. If you want only a one-time update to the check defaults, omit the first line (ADDREPLACE POLICY) and use the UPDATE statement on a MODIFY hzsproc command. Note that using non-POLICY UPDATEs in HZSPRMxx can lead to unexpected results and is therefore not recommended.

ADDREPLACE POLICY[(policyname)] [STATEMENT(name)]
UPDATE CHECK(IBMRACF,RACF_CERTIFICATE_EXPIRATION)
ACTIVE
SEVERITY(MED)
DATE('20111010')
REASON('Operational certificates should not expire.')
INTERVAL(24:00)
- Debug support:
- No
- Verbose support:
- No
- Reference:
- For information on running the IRRIRA00 conversion utility, see z/OS Security Server RACF System Programmer's Guide.
- For information about enabling RACF for automatic assignment of unique UNIX identities, see z/OS Security Server RACF Security Administrator's Guide.
- Messages:
- This check issues the following exception messages:
- IRRH276E
- IRRH277I
- SECLABEL recommended for multilevel security users:
- SYSLOW - see z/OS Planning for Multilevel Security and the Common Criteria for information on using SECLABELs.
- Output:
- The following shows the output from a RACF_CERTIFICATE_EXPIRATION check:

CHECK(IBMRACF,RACF_CERTIFICATE_EXPIRATION)
START TIME: 01/23/2012 08:10:01.603497
CHECK DATE: 20111010 CHECK SEVERITY: MEDIUM

Certificates Expiring in 60 Days

S Cert Owner   Certificate Label                End Date   Trust Rings
- ------------ -------------------------------- ---------- ----- -----

IRRH277I No exceptions are detected. Expired certificates that are not trusted
or are associated with only a virtual key ring are not exceptions.

END TIME: 01/23/2012 08:10:01.643285 STATUS: SUCCESSFUL