Can an accidentally deleted ACID be restored to the security file?
Release : 16.0
Component : CA Top Secret for z/OS
There is no function built into Top Secret to restore an individual ACID once it has been deleted.
To recover the ACID, the entire security file has to be restored from a previous backup.
The procedure for restoring the security file depends on the method that was used to back it up.
Regardless of the method, the Top Secret address space must be brought down while the security file is being restored from the backup.
If you have a copy of the security file that still contains the ACID, you can extract its definition with: TSS LIST(acid) DATA(ALL,PROFILE) ARCHIVE INTO(dataset(membername))
During the archive process, most of the ACID's security record information is archived. However, the following fields are not copied during the archive process:
- Field values not displayed by a TSS LIST command
- Passwords or passphrases
- Digital certificate and keyring segments:
  - Certificate name, certificate start date, certificate until date, certificate ID, certificate subject DN
  - Certificate keyring, certificate serial number, certificate issuer IDN, certificate issuer SDN, certificate NB date
  - Certificate NA date, certificate key size, certificate key type, certificate label, certificate trust status
  - Certificate URI, certificate IP address, certificate key usage
- Create/Modify date and time
- Last used info
- ACIDS (which lists the ACIDs that are part of a profile or department)
- ADMINBY
- Facility ADMINBY
- Facility Calendar
- Segment start
- ASUSPEND/XSUSPEND/PSUSPEND/VSUSPEND
Note: If an ACID contains a SUSPEND field, that field is copied when it includes the FOR or UNTIL keyword (which indicates how long a suspension is enforced).
If the ACID being archived has digital certificates, it is highly recommended that the security administrator use the TSS EXPORT command to export all of its certificates and private keys in PKCS12 format into a data set before the ACID is deleted. This exported certificate data set can then be used to restore those certificates to the user.
ARCHIVE INTO can also be used on the TSS DELETE command. It backs up the ACID's definition at the moment of deletion, in case the ACID later has to be recreated.
Example:
TSS DELETE(acid) ARCHIVE INTO(dataset(membername))
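The two safeguards above (export the certificates, then delete with ARCHIVE INTO) as a single batch job. This is an added example, not part of the article: it issues the TSS commands through the TSO terminal monitor program in batch, and the ACID, data set names, certificate name and PKCS12 password are placeholders that you must replace. The archive PDS and the EXPORT keyword spelling are assumptions to be checked against the command reference for your release.

```jcl
//TSSARCH  JOB (ACCT),'ARCHIVE BEFORE DELETE',CLASS=A,MSGCLASS=X
//*
//* Added example, not from the article or from Broadcom.
//* USER01, CERT1, SECADM.USER01.P12, SECADM.TSS.ARCHIVE and the
//* PKCSPASS value are placeholders; SECADM.TSS.ARCHIVE is assumed to
//* be an existing PDS (ARCHIVE INTO writes a member into it).
//*
//* Step 1: TSS EXPORT saves the certificate and its private key in
//*         PKCS12 format. ARCHIVE does not copy certificate data, so
//*         without this step the certificate is lost with the ACID.
//* Step 2: TSS DELETE with ARCHIVE INTO removes the ACID and writes
//*         its definition to the archive member in the same command.
//*
//TSSCMDS  EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 TSS EXPORT(USER01) DIGICERT(CERT1) DCDSN(SECADM.USER01.P12) -
     FORMAT(PKCS12DER) PKCSPASS(ChangeMe1)
 TSS DELETE(USER01) ARCHIVE INTO(SECADM.TSS.ARCHIVE(USER01))
/*
```

Check SYSTSPRT for a successful return from the EXPORT before the DELETE runs; if the export fails, remove the DELETE step, fix the export, and rerun, because the archived member alone cannot bring the certificate or the password back.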