3rd Party supplied Certificate Authorities.
Our group maintains digital certificates in both the RACF and Top Secret security products on z/OS Versions 2.2, 2.3 and 2.4. We keep an eye on the Security Server RACF Security Administrator's Guide, Appendix C, which lists certificate authorities that are supplied with the operating system. In version 2.2, manual SA23-2289, we see in Appendix C that there are 26 such CAs. In version 2.3, Appendix C of the same associated manual shows only 3 of these. RACF explained to us that it would make it easier for us to clean up such expired CAs. Is this how Top Secret R16 handles the supplied certificate authorities? Does the operating system enforce this, or does it depend on the security product, RACF or Top Secret?
It is dependent on the security package (TSS, ACF2 or RACF). RACF supplied 3rd party Certificate Authorities on its security file by default. TSS supplies one 3rd party Certificate Authority. You can EXPORT the certificates from RACF and TSS ADD them to TSS on an as-needed basis.