z/OS Security Server RACF Command Language Reference


RACDCERT DELTOKEN (Delete token)

SA23-2292-00

Purpose

Use the RACDCERT DELTOKEN command to delete a z/OS® PKCS #11 token.

Issuing options

The following table identifies the eligible options for issuing the RACDCERT DELTOKEN command:
As a RACF® TSO command?               Yes
As a RACF operator command?           No
With command direction?               No. (See rules.)
With automatic command direction?     No. (See rules.)
From the RACF parameter library?      No
Rules: The following rules apply when issuing this command.
  • The RACDCERT command cannot be directed to a remote system using the AT or ONLYAT keyword.
  • The updates made to the RACF database by RACDCERT are eligible for propagation with automatic direction of application updates based on the RRSFDATA profiles AUTODIRECT.target-node.DIGTCERT.APPL and AUTODIRECT.target-node.DIGTRING.APPL, where target-node is the remote node to which the update is to be propagated.

Authorization required

Authorization to delete z/OS PKCS #11 tokens is controlled by ICSF based on profiles in the CRYPTOZ class. (No authority in the FACILITY class is required.) If you do not have authority to delete the specified token as determined by ICSF, the command stops and an error message is displayed.

When your installation controls access to ICSF services and the CSFSERV class is active, you must also have READ access to the CSF1GAV, CSF1TRD, and CSF1TRL resources in the CSFSERV class.

For authorization details about the CRYPTOZ and CSFSERV classes, see z/OS Cryptographic Services ICSF Administrator's Guide.

Related commands

  • To add a token, see RACDCERT ADDTOKEN.

Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the RACDCERT DELTOKEN command is:

 
RACDCERT DELTOKEN(token-name)
         [FORCE]

Note: The ID(certificate-owner) | SITE | CERTAUTH parameter is ignored for this RACDCERT function.

If you specify more than one RACDCERT function, only the last specified function is processed. Extraneous keywords that are not related to the function being performed are ignored.

If you do not specify a RACDCERT function, LIST is the default function.

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.

Parameters

DELTOKEN(token-name)
The token-name value is the name of the token being deleted. If any object within the token is not currently defined to RACF, you must also specify FORCE or else an error message is issued and the command ends. (This error message prevents you from inadvertently deleting a certificate object that is not defined to RACF.)
FORCE
Specifies that RACF should bypass some error checking and unconditionally perform the delete token operation.
If you do not specify FORCE, the following condition must be true or an error message is issued and the command ends:
  • The certificate (or its associated private key, if any) must be currently defined to RACF.
If you specify FORCE, this condition is not checked.

Examples

     
Example 1

Operation
User ICSFADM has been notified that the z/OS PKCS #11 token named WEBSRV.NETTOKEN is no longer needed and should be deleted.

Known
User ICSFADM has CONTROL authority to the SO.* generic profile in the CRYPTOZ class. The token to be deleted is empty.

Commands
RACDCERT DELTOKEN(WEBSRV.NETTOKEN)

Output
None.
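
The following REXX exec is an added example, not part of the IBM reference. It lists the token with RACDCERT LISTTOKEN and then issues DELTOKEN without FORCE, so the check described under FORCE stays in effect and a failure is reported instead of overridden. It assumes it runs under TSO as a user with the CRYPTOZ and CSFSERV access described above, and it reuses the token name from Example 1.

```rexx
/* REXX */
/* Added example, not IBM's code: review a PKCS #11 token, then      */
/* delete it without FORCE. FORCE is never added automatically.      */
/* Assumption: token name reused from Example 1 on this page.        */
token = 'WEBSRV.NETTOKEN'

/* Capture the token contents so the deletion can be reviewed.       */
call outtrap 'list.'
address TSO "RACDCERT LISTTOKEN("token")"
listrc = rc
call outtrap 'OFF'

if listrc <> 0 then do
  say 'LISTTOKEN failed, RC='listrc'. Token not deleted.'
  do i = 1 to list.0
    say '  'list.i
  end
  exit listrc
end

say 'Contents of' token 'before deletion:'
do i = 1 to list.0
  say '  'list.i
end

/* Delete without FORCE so RACF still verifies that the certificate  */
/* objects in the token are defined to RACF.                         */
call outtrap 'del.'
address TSO "RACDCERT DELTOKEN("token")"
delrc = rc
call outtrap 'OFF'

if delrc <> 0 then do
  say 'DELTOKEN failed, RC='delrc'. FORCE was not used; messages:'
  do i = 1 to del.0
    say '  'del.i
  end
  exit delrc
end

say 'Token' token 'deleted.'
exit 0
```

If the exec reports a DELTOKEN failure, review the trapped messages and the listed token contents before deciding whether a manual DELTOKEN with FORCE is appropriate.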





Copyright IBM Corporation 1990, 2014