z/OS v2.4 ECC Master Key Required For Top Secret?

Article ID: 139811


Products

Top Secret

Issue/Introduction

The documentation of actions to take before upgrading to z/OS v2.4 (see 'Upgrading to z/OS 2.4 Part 2: Technical Actions' below) shows that a new master key (ECC) must be created if RACF is being used. Is the definition of the new master key (ECC) also required for Top Secret?

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

To determine whether the definition of the master key (ECC) is also required for Top Secret, run the Top Secret CERTUTIL utility with the following SYSIN statement to check whether there are RSA certificates in Top Secret:

USER(-) DETAIL RSA

The Upgrade Actions indicate the new ECC master key definition is only needed for RACF sites if the RACDCERT command with RSA(PKDS) is being used. If the Top Secret CERTUTIL output with USER(-) DETAIL RSA shows there are certificates in Top Secret that are RSA, the ECC master key needs to be defined per the Upgrade Actions instructions.

Additional Information

Sample JCL for the Top Secret CERTUTIL utility is in member CERTUTIL in the Top Secret r16 CAKOJCL0 library. Use the ALLCERTS section of the sample JCL. For example:

//ALLCERTS EXEC PGM=SAFCRRPT,PARM='TITLE(Default Title)',REGION=0M
//*
//SYSUDUMP DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
USER(-) DETAIL RSA
//*

Documentation for the CERTUTIL utility can be found here:
Certificate Utility