z/OS Security Server RACF Security Administrator's Guide


Examples of listing digital certificate information

SA23-2289-00

  1. User RACFADM with SPECIAL authority requests the listing of user ID GEORGEM's digital certificate information by issuing the RACDCERT command with the LIST operand. User ID GEORGEM has three certificates, one of which is not associated with any key rings. Figure 1 shows the output of the following command:
    RACDCERT ID(GEORGEM) LIST
    Figure 1. Output from the RACDCERT LIST command
     Digital certificate information for user GEORGEM:
    
      Label: New Cert Type - Ser # 00
      Certificate ID: 2QfHxdbZx8XU1YWmQMOFmaNA46iXhUBgQOKFmUB7QPDw
      Status: TRUST
      Start Date: 2010/04/18 03:01:13
      End Date:  2020/02/13 03:01:13
      Serial Number:
        >00<
      Issuer's Name:
        >OU=Internet Demo CertAuth.O=The Cert Software Inc.<
      Subject's Name:
        >OU=Internet Demo CertAuth.O=The Cert Software Inc.<
      Signing Algorithm:  sha1RSA
      Key Type: RSA Mod-Exp
      Key Size: 1024
      Private Key: YES
      PKDS Label: IRR.DIGTCERT.GEORGEM.SY1.BD7103108611F42F
      Ring Associations:
      Ring Owner: GEORGEM
      Ring:
        >GEORGEMsNewRing01<
      Ring Owner: GEORGEM
      Ring:
        >GEORGEMsRing<
    
      Label: New Type Cert - VsignC1
      Certificate ID: 2QfHxdbZx8XU1YWmQOOol4VAw4WZo0BgQOWiiYeVw/FA
      Status: TRUST
      Start Date: 2010/04/22 23:23:26
      End Date:  2020/01/15 23:23:26
      Serial Number:
        >3511A552906FE7D029A44019D411FC3E<
      Issuer's Name:
        >OU=Class 1 Public Primary Certification Authority.O=VeriSign, Inc..C=<
        >US<
      Subject's Name:
        >OU=VeriSign Class 1 CertAuth - Individual Subscriber.O=VeriSign, Inc..L=Int<
        >ernet<
      Signing Algorithm:  sha1RSA
      Key Type: RSA
      Key Size: 512
      Private Key: YES
      Ring Associations:
      Ring Owner: GEORGEM
      Ring:
        >GEORGEMsNewRing01<
    
      Label: New Type Cert - VsignC2
      Certificate ID: 2QfHxdbZx8XU1YWmQOOol4VAw4WZo0BgQOWiiYeVw/JA
      Status: NOTRUST
      Start Date: 2010/03/19 15:39:52
      End Date:  2020/03/19 15:39:52
      Serial Number:
        >50D35294912F79D315E32B31AC8548F0<
      Issuer's Name:
        >OU=Class 2 Public Primary Certification Authority.O=VeriSign, Inc..C=<
        >US<
      Subject's Name:
        >OU=VeriSign Class 2 CertAuth - Individual Subscriber.O=VeriSign, Inc..L=Int<
        >ernet<
      Signing Algorithm:  sha256RSA
      Key Type: NIST ECC
      Key Size: 256
      Private Key: NO
      Ring Associations:
        *** No rings associated ***
  2. User RACFADM with SPECIAL authority requests the listing of user ID GEORGEM's key rings by issuing the RACDCERT command with the LISTRING operand. User ID GEORGEM has three key rings with certificates and one key ring that has no certificates. Figure 2 shows the output of the following command:
    RACDCERT ID(GEORGEM) LISTRING
    Figure 2. Output from the RACDCERT LISTRING command
    Digital ring information for user GEORGEM:
    
       Ring:
            >GEORGEMsNewRing01<
       Certificate Label Name             Cert Owner     USAGE      DEFAULT
       --------------------------------   ------------   --------   -------
       New Cert Type - Ser # 00           ID(GEORGEM)    PERSONAL     YES
       New Type Cert - VsignC1            ID(GEORGEM)    CERTAUTH     NO
       New Type Cert - VsignC2            ID(GEORGEM)    SITE         NO
       65                                 ID(JOHNP)      PERSONAL     NO
    
       Ring:
            >GEORGEMsRing<
       Certificate Label Name             Cert Owner     USAGE      DEFAULT
       --------------------------------   ------------   --------   -------
       GEORGEM's Cert # 48                ID(GEORGEM)    PERSONAL     NO
       GEORGEM's Cert # 84                ID(GEORGEM)    PERSONAL     NO
       New Cert Type - Ser # 00           ID(GEORGEM)    PERSONAL     YES
    
       Ring:
            >GEORGEMsRing#2<
       Certificate Label Name             Cert Owner     USAGE      DEFAULT
       --------------------------------   ------------   --------   -------
       GEORGEM's Cert # 84                ID(GEORGEM)    PERSONAL     NO
       GEORGEM's Cert # 48                ID(GEORGEM)    PERSONAL     NO
    
       Ring:
            >GEORGEMsRing#3<
       *** No certificates connected ***
  3. User NETB0Y requests the listing of his Savings Account digital certificate to ensure that it has been defined and that it is marked trusted. He has READ authority to the FACILITY class resource IRR.DIGTCERT.LIST, which is sufficient to list certificates owned by his own user ID. He issues the RACDCERT command with the LIST operand, specifying the label to identify his certificate. Figure 3 shows the output of the following command:
    RACDCERT LIST(LABEL('Savings Account'))
    Figure 3. Output from the RACDCERT LIST command with LABEL
    Digital certificate information for user NETB0Y:
      Label: Savings Account
      Certificate ID: 2QbVxePC1ujigaWJlYeiQMGDg5aklaNA
      Status: TRUST
      Start Date: 2010/11/10 00:00:00
      End Date:   2011/11/10 23:59:59
      Serial Number:
        >5D666C20207A6638727A413872D8413B<
      Issuer's Name:
        >OU=BobsBank Savers.O=BobsBank.L=Internet<
      Subject's Name:
        >CN=S.S.Smith.OU=Digital ID Class 1 - NetScape.OU=BobsBank Class 1 - S<
        >avingsAcct.O=BobsBank.L=Internet<
      Signing Algorithm:  sha256RSA
      Key Type: Brainpool ECC
      Key Size: 192
      Private Key: YES
      Ring Associations:
        *** No rings associated ***
  4. User RACFADM with SPECIAL authority uses the RLIST DIGTCERT * command to request the listing of all DIGTCERT profiles. This RLIST command lists information about the profiles that contain digital certificates, rather than information about the certificates themselves. (Use the RACDCERT LIST command to list detailed information about certificates.) Figure 4 shows a partial sample of the output of the following command:
    RLIST DIGTCERT *
    The RLIST command lists the universal access value for a profile in the DIGTCERT class differently based on the TRUST status of the digital certificate contained in the profile. For an untrusted certificate the string ??????? is displayed literally, as in Figure 4; it is not missing output.

    Trust status   Universal access
    ------------   ----------------
    Trusted        ALTER
    Untrusted      ???????

    Figure 4 shows the listing of a profile containing a certificate-authority certificate that was supplied with your RACF® system. For more information about these certificates, see Supplied digital certificates.

    Figure 4. Output from the RLIST DIGTCERT command
    RLIST DIGTCERT *
    
     CLASS      NAME
     -----      ----
     DIGTCERT   00.personal-basic@thawte.com.CN=Thawte¢Personal¢Basic¢CA.OU=Certific
     ation¢Services¢Division.O=Thawte¢Consulting.L=Cape¢Town.SP=Western¢Cape.C=ZA
      
     LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
     -----  --------   ----------------  -----------  -------
      00    IBMUSER        ???????             NONE    NO
      
     INSTALLATION DATA
     -----------------
     NONE
      
     APPLICATION DATA
     ----------------
     irrcerta
      
     AUDITING
     --------
     FAILURES(READ)
      
     NOTIFY
     ------
     NO USER TO BE NOTIFIED
    
    ⋮  
  5. User RACFADM with SPECIAL authority uses the SEARCH CLASS(DIGTCERT) command to find the names of all DIGTCERT profiles. (For detailed listings of certificate information, use the RACDCERT LIST command.) Figure 5 shows sample output from the following command:
    SEARCH CLASS(DIGTCERT)

    Figure 5 shows several listings of profiles containing certificate-authority certificates that are supplied with your RACF system. For more information, see Supplied digital certificates.

    Figure 5. Output from the SEARCH CLASS(DIGTCERT) command
    SEARCH CLASS(DIGTCERT)
    
    00.personal-basic@thawte.com.CN=Thawte¢Personal¢Basic¢CA.OU=Certification¢Servic
    es¢Division.O=Thawte¢Consulting.L=Cape¢Town.SP=Western¢Cape.C=ZA
    
    00.personal-freemail@thawte.com.CN=Thawte¢Personal¢Freemail¢CA.OU=Certification¢
    Services¢Division.O=Thawte¢Consulting.L=Cape¢Town.SP=Western¢Cape.C=ZA
    
    00.personal-premium@thawte.com.CN=Thawte¢Personal¢Premium¢CA.OU=Certification¢Se
    rvices¢Division.O=Thawte¢Consulting.L=Cape¢Town.SP=Western¢Cape.C=ZA
    
    00BA5AC94C053B92D6A7B6DF4ED053920D.OU=Class¢2¢Public¢Primary¢Certification¢Autho
    rity.O=VeriSign,¢Inc..C=US
    
    00E49EFDF33AE80ECFA5113E19A4240232.OU=Class¢3¢Public¢Primary¢Certification¢Autho
    rity.O=VeriSign,¢Inc..C=US
    
    01.premium-server@thawte.com.CN=Thawte¢Premium¢Server¢CA.OU=Certification¢Servic
    es¢Division.O=Thawte¢Consulting¢cc.L=Cape¢Town.SP=Western¢Cape.C=ZA
    
    01.server-certs@thawte.com.CN=Thawte¢Server¢CA.OU=Certification¢Services¢Divisio
    n.O=Thawte¢Consulting¢cc.L=Cape¢Town.SP=Western¢Cape.C=ZA
    
    02AD667E4E45FE5E576F3C98195EDDC0.OU=Secure¢Server¢Certification¢Authority.O=RSA¢
    Data¢Security,¢Inc..C=US
    
    325033CF50D156F35C81AD655C4FC825.OU=Class¢1¢Public¢Primary¢Certification¢Authori
    ty.O=VeriSign,¢Inc..C=US
    
    3381F595.CN=Integrion¢Certification¢Authority¢Root.O=Integrion¢Financial¢Network
    .C=US
    
    33820AD2.CN=IBM¢World¢Registry¢Certification¢Authority.O=IBM¢World¢Registry.C=US
    
    ⋮
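The RACDCERT LIST output in Figure 1 is what a certificate review on z/OS starts from, so the following added example (not part of the RACF documentation) parses that output into records and applies the checks a reviewer would apply: expiry, NOTRUST status, SHA-1 or MD5 signatures, short keys, certificates connected to no ring, and private keys not held in ICSF. The sample text is a constructed, abbreviated excerpt of two of the Figure 1 certificates, and the thresholds in audit() are this example's own choices rather than RACF settings.

```python
"""Parse RACDCERT LIST output and flag what a certificate review would raise.

Added example, not from the RACF documentation.  SAMPLE_OUTPUT is a constructed,
abbreviated excerpt of two certificates from Figure 1; the thresholds in audit()
are this example's own choices, not RACF settings.
"""
import re

SAMPLE_OUTPUT = """\
Digital certificate information for user GEORGEM:

  Label: New Type Cert - VsignC1
  Status: TRUST
  End Date:  2020/01/15 23:23:26
  Serial Number:
    >3511A552906FE7D029A44019D411FC3E<
  Issuer's Name:
    >OU=Class 1 Public Primary Certification Authority.O=VeriSign, Inc..C=<
    >US<
  Subject's Name:
    >OU=VeriSign Class 1 CertAuth - Individual Subscriber.O=VeriSign, Inc..L=Int<
    >ernet<
  Signing Algorithm:  sha1RSA
  Key Type: RSA
  Key Size: 512
  Private Key: YES
  Ring Associations:
  Ring Owner: GEORGEM
  Ring:
    >GEORGEMsNewRing01<

  Label: New Type Cert - VsignC2
  Status: NOTRUST
  End Date:  2020/03/19 15:39:52
  Serial Number:
    >50D35294912F79D315E32B31AC8548F0<
  Issuer's Name:
    >OU=Class 2 Public Primary Certification Authority.O=VeriSign, Inc..C=<
    >US<
  Subject's Name:
    >OU=VeriSign Class 2 CertAuth - Individual Subscriber.O=VeriSign, Inc..L=Int<
    >ernet<
  Signing Algorithm:  sha256RSA
  Key Type: NIST ECC
  Key Size: 256
  Private Key: NO
  Ring Associations:
    *** No rings associated ***
"""

FIELD = re.compile(r"^([A-Za-z' ]+?):\s*(.*)$")


def parse_list(text):
    """Return one dict per certificate; values wrapped as >..< lines are rejoined."""
    certs, cur, pending, owner = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("***"):
            continue
        if line.startswith(">") and line.endswith("<"):
            chunk = line[1:-1]            # continuation of the last bracketed value
            if pending == "Ring":         # ring names are kept as (owner, name) pairs
                cur["rings"][-1] = (owner, cur["rings"][-1][1] + chunk)
            else:
                cur[pending] = cur.get(pending, "") + chunk
            continue
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Label":                # a new certificate starts here
            cur = {"Label": value, "rings": []}
            certs.append(cur)
        elif cur is None:                 # "Digital certificate information ..." header
            continue
        elif key == "Ring Owner":
            owner = value
        elif key == "Ring":
            cur["rings"].append((owner, ""))
        elif value:
            cur[key] = value
        pending = key
    return certs


def audit(cert, as_of):
    """Findings for one parsed certificate; as_of is 'YYYY/MM/DD' (example thresholds)."""
    findings = []
    if cert["Status"] != "TRUST":
        findings.append("status is %s (not trusted)" % cert["Status"])
    if cert["End Date"][:10] < as_of:     # zero-padded dates compare correctly as text
        findings.append("expired on " + cert["End Date"][:10])
    if cert["Signing Algorithm"].lower().startswith(("md2", "md5", "sha1")):
        findings.append("weak signature algorithm " + cert["Signing Algorithm"])
    bits, ktype = int(cert["Key Size"]), cert["Key Type"]
    if ("RSA" in ktype and bits < 2048) or ("ECC" in ktype and bits < 224):
        findings.append("weak key: %s %d bits" % (ktype, bits))
    if not cert["rings"]:
        findings.append("not connected to any key ring")
    # Heuristic: LIST prints a PKDS Label only when the private key is in ICSF.
    if cert.get("Private Key") == "YES" and "PKDS Label" not in cert:
        findings.append("private key is held in the RACF database, not in ICSF")
    return findings
```

Run `audit(c, "2014/06/01")` over `parse_list(SAMPLE_OUTPUT)` and the first certificate is reported for its 512-bit RSA key, its sha1RSA signature and its non-ICSF private key, while the second is reported only for NOTRUST and for having no ring association. The parser keys on the `>...<` brackets because RACF wraps long distinguished names across several bracketed lines, as the Issuer's Name of both certificates shows.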
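The RACDCERT LISTRING output in Figure 2 is a fixed-column table, and labels such as "New Cert Type - Ser # 00" contain blanks, so splitting on whitespace does not work. The following added example (not part of the RACF documentation) cuts the columns at the dashed rule under the header and then reviews each ring for the things that matter operationally: a ring with no DEFAULT certificate, a certificate owned by a user ID other than the ring owner (JOHNP's certificate in GEORGEM's ring), and certificates connected with USAGE other than PERSONAL. The sample text is a constructed excerpt of Figure 2; the rules in review_ring() are this example's own.

```python
"""Parse RACDCERT LISTRING output and review each key ring.

Added example, not from the RACF documentation.  SAMPLE_LISTRING is a
constructed excerpt of Figure 2; the rules in review_ring() are this
example's own, not RACF checks.
"""
import re

SAMPLE_LISTRING = """\
Digital ring information for user GEORGEM:

   Ring:
        >GEORGEMsNewRing01<
   Certificate Label Name             Cert Owner     USAGE      DEFAULT
   --------------------------------   ------------   --------   -------
   New Cert Type - Ser # 00           ID(GEORGEM)    PERSONAL     YES
   New Type Cert - VsignC1            ID(GEORGEM)    CERTAUTH     NO
   New Type Cert - VsignC2            ID(GEORGEM)    SITE         NO
   65                                 ID(JOHNP)      PERSONAL     NO

   Ring:
        >GEORGEMsRing#2<
   Certificate Label Name             Cert Owner     USAGE      DEFAULT
   --------------------------------   ------------   --------   -------
   GEORGEM's Cert # 84                ID(GEORGEM)    PERSONAL     NO
   GEORGEM's Cert # 48                ID(GEORGEM)    PERSONAL     NO

   Ring:
        >GEORGEMsRing#3<
   *** No certificates connected ***
"""

RULE = re.compile(r"-+")


def parse_listring(text):
    """Return {ring_name: [row dicts]}; columns are cut at the dashed rule under the header."""
    rings, name, header, cuts, cols = {}, None, None, None, None
    for raw in text.splitlines():
        s = raw.strip()
        if not s:
            continue
        if s == "Ring:":
            cuts = None                       # a new ring; its own table follows
        elif s.startswith(">") and s.endswith("<"):
            name = s[1:-1]
            rings[name] = []
        elif s.startswith("Certificate Label Name"):
            header = raw
        elif s.startswith("---"):
            runs = list(RULE.finditer(raw))
            # cut each column in the middle of the gap between dashed runs, so
            # labels that contain blanks (and a little misalignment) still parse
            cuts = [runs[0].start()] + [(a.end() + b.start()) // 2
                                        for a, b in zip(runs, runs[1:])] + [None]
            cols = [header[a:b].strip() for a, b in zip(cuts, cuts[1:])]
        elif cuts:                            # a data row of the current table
            rings[name].append({c: raw[a:b].strip()
                                for c, (a, b) in zip(cols, zip(cuts, cuts[1:]))})
    return rings


def review_ring(ring_owner, rows):
    """Points a ring review would raise (this example's own rules)."""
    if not rows:
        return ["empty ring"]
    notes = []
    if not any(r["DEFAULT"] == "YES" for r in rows):
        notes.append("no DEFAULT certificate")
    for r in rows:
        label = r["Certificate Label Name"]
        if r["Cert Owner"] != "ID(%s)" % ring_owner:
            notes.append("%s belongs to %s, not to the ring owner" % (label, r["Cert Owner"]))
        if r["USAGE"] != "PERSONAL":
            notes.append("%s is connected with USAGE %s" % (label, r["USAGE"]))
    return notes
```

For the Figure 2 data, GEORGEMsNewRing01 draws three notes (the CERTAUTH and SITE connections and JOHNP's certificate), GEORGEMsRing#2 is reported only for having no DEFAULT certificate, and GEORGEMsRing#3 as empty. Taking the column boundaries from the dashed rule rather than from hard-coded offsets keeps the parser correct if the output is captured with a different indentation.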
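Figures 4 and 5 show that a DIGTCERT profile name is the certificate serial number followed by a period and the issuer's distinguished name, with blanks shown as the cent sign, and that SEARCH wraps long names across lines at the terminal width. The following added example (not part of the RACF documentation) rejoins the wrapped lines and decodes each name into its serial and issuer RDNs, which is what you need to match a profile back to a certificate or to find every profile issued by one CA. The sample is a constructed excerpt of Figure 5; the treatment of the period inside "Inc." and of the type-less e-mail attribute is inferred from the figure, and the helper names are this example's own.

```python
"""Decode DIGTCERT profile names from SEARCH CLASS(DIGTCERT) output.

Added example, not from the RACF documentation.  SAMPLE_SEARCH is a constructed
excerpt of Figure 5.  Assumed from the figure: a name is <serial>.<issuer DN>,
wrapped lines continue with no separator, and blanks in the DN appear as ¢.
"""
import re

SAMPLE_SEARCH = """\
SEARCH CLASS(DIGTCERT)

00.personal-basic@thawte.com.CN=Thawte¢Personal¢Basic¢CA.OU=Certification¢Servic
es¢Division.O=Thawte¢Consulting.L=Cape¢Town.SP=Western¢Cape.C=ZA

00BA5AC94C053B92D6A7B6DF4ED053920D.OU=Class¢2¢Public¢Primary¢Certification¢Autho
rity.O=VeriSign,¢Inc..C=US

02AD667E4E45FE5E576F3C98195EDDC0.OU=Secure¢Server¢Certification¢Authority.O=RSA¢
Data¢Security,¢Inc..C=US

325033CF50D156F35C81AD655C4FC825.OU=Class¢1¢Public¢Primary¢Certification¢Authori
ty.O=VeriSign,¢Inc..C=US
"""

PROFILE = re.compile(r"^([0-9A-F]+)\.(.+)$")
# Only a period that starts the next TYPE= attribute separates RDNs; the period
# inside "Inc." is followed by another period, so it is left alone.
RDN_SEP = re.compile(r"\.(?=[A-Z]+=)")


def unwrap(text):
    """Join wrapped lines: each profile name is one run of non-blank lines."""
    names, run = [], []
    for line in text.splitlines() + [""]:
        s = line.strip()
        if s:
            run.append(s)
        elif run:
            names.append("".join(run))
            run = []
    return names


def parse_profile_name(name):
    """Split '<serial>.<issuer DN>' into serial and a list of (type, value) pairs."""
    m = PROFILE.match(name)
    if not m:
        return None                          # e.g. the echoed SEARCH command line
    serial, issuer = m.group(1), m.group(2).replace("¢", " ")
    rdns = []
    for part in RDN_SEP.split(issuer):
        t, _, v = part.partition("=")
        # attributes printed without a type (the e-mail address) become bare values
        rdns.append((t, v) if v and t.isupper() else ("", part))
    return {"serial": serial, "issuer": rdns}


def parse_search(text):
    """All decodable profile names in a SEARCH CLASS(DIGTCERT) listing."""
    return [p for p in (parse_profile_name(n) for n in unwrap(text)) if p]


def profiles_for_org(entries, org):
    """Serials of the profiles whose issuer carries O=<org>."""
    return [e["serial"] for e in entries if ("O", org) in e["issuer"]]
```

`profiles_for_org(parse_search(SAMPLE_SEARCH), "VeriSign, Inc.")` returns the two VeriSign serials from the sample. Because the serial in the profile name is the same value that RACDCERT LIST prints under Serial Number, the decoded name is the link between a DIGTCERT profile seen with RLIST or SEARCH and the certificate record seen with RACDCERT LIST.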





Copyright IBM Corporation 1990, 2014