
Is there a way to ascertain which certificates are being used with CA-ACF2?


Article ID: 190606


Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, LDAP SERVER FOR Z/OS, PAM CLIENT FOR LINUX ON MAINFRAME, WEB ADMINISTRATOR FOR TOP SECRET

Issue/Introduction

Is it possible to work out which certificates in the ACF2 database are being used and which are not? 

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

There is no way to ascertain whether a certificate has been used at some time in the past.

A "sectrace type=OMVS sfunc=rdatalib" command can be used to trace an application and see
which certificates are used while the trace is active.

The SAFCRRPT report can be used to display all certificates that are active (available to be used) or those that are expired (cannot be used).

To test whether a specific certificate is being used, its trust status can be changed to NOTRUST, which prevents the certificate from being returned when a client or server task requests the certificates from a keyring.

For example:

Change the certificate to NOTRUST, then stop and restart the server or client task. Certificates marked NOTRUST are not returned with the keyring during server or client task initialization (R_datalib calls). This can be done as follows:

ACF
SET PROFILE(USER) DIV(CERTDATA)
CHANGE user001.cert NOTRUST
F ACF2,REBUILD(USR),CLASS(P)
F ACF2,OMVS

Stop and restart the server or client task.