Is there a way to look at KEYRINGS before they were changed?

Article ID: 195393

Products

CA ACF2, CA ACF2 - DB2 Option, CA ACF2 for zVM, CA ACF2 - z/OS, CA ACF2 - MISC, CA LDAP Server for z/OS, CA PAM Client for Linux for zSeries, CA Web Administrator for Top Secret

Issue/Introduction

For example, KEYRINGS were changed this past Thursday morning. How can the Keyring be seen before and after the changes that were done on Wednesday?

Keyrings are stored in the ACF2 INFOSTG database as USER Profile records. Any time the ACF2 INFOSTG database is changed, an SMF record is cut. The ACFRPTEL report can be run against SMF to print a report showing any changes to the ACF2 INFOSTG database.

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

The ACFRPTEL report can be run against the SMF data that was active at the time of the KEYRING changes to report on those changes. The following example shows changes to the KEYRING IZUSVR.KEYR01, followed by the ACFRPTEL report showing the changes.

Keyring IZUSVR.KEYR01 before changes:

  KEYRING / IZUSVR.KEYR01 LAST CHANGED BY USER001 ON 12/10/13-18:20       
                       DEFAULT(IZUSVR.CERT01) RINGNAME(IZUKeyring.IZUDFLT)
  The following certificates are connected to this key ring:               
  CERTDATA record    Label                             Usage                
  -----------------  --------------------------------  --------           
  CERTAUTH.ZOSMFSRV  zOSMFCA                           CERTAUTH            
  IZUSVR.CERT01      DefaultzOSMFCert.IZUDFLT          PERSONAL       

Changes: CONNECT two certificates to the KEYRING and change the KEYRING DEFAULT:

CONNECT CERTDATA(CERTAUTH.INTER2) KEYRING(IZUSVR.KEYR01)
CONNECT CERTDATA(MYSERVER.CERT) KEYRING(IZUSVR.KEYR01)  
CHANGE IZUSVR.KEYR01 DEFAULT(MYSERVER.CERT)  

Keyring IZUSVR.KEYR01 after changes:

  KEYRING / IZUSVR.KEYR01 LAST CHANGED BY USER002 ON 07/17/20-13:36           
                       DEFAULT(MYSERVER.CERT) RINGNAME(IZUKeyring.IZUDFLT)
  The following certificates are connected to this key ring:                   
  CERTDATA record    Label                             Usage                   
  -----------------  --------------------------------  --------               
  CERTAUTH.INTER2    Intermediate Two                  CERTAUTH                
  CERTAUTH.ZOSMFSRV  zOSMFCA                           CERTAUTH               
  IZUSVR.CERT01      DefaultzOSMFCert.IZUDFLT          PERSONAL                
  MYSERVER.CERT      MyServer User                     PERSONAL               
 PROFILE 

Sample ACFRPTEL JCL to report on USR-USER Profiles which include KEYRING records:

//REPORT  EXEC PGM=ACFRPTEL           
//SYSPRINT DD SYSOUT=*                
//RECMAN1  DD DISP=SHR,DSN=SYS1.MAN1  
//RECMAN2  DD DISP=SHR,DSN=SYS1.MAN2  
//RECMAN3  DD DISP=SHR,DSN=SYS1.MAN3  
//SYSIN    DD *                       
TITLE(ACF2 EL REPORT)                 
DETAIL                                
TYPE(USR)                             
CHANGES                               
//*                                    
/*                                    

Report output reflecting the changes:

DATE 07/17/20 (20.199) TIME 13.36 ACF2 EL REPORT                               
    DATE     TIME        JNAME    LID      MODULE   FUNCTION CPU  C-TYP-NAME
    FIELD       OLD VALUE                NEW VALUE                             
                                                                               
20.199 07/17 13:35       USER002  USER002  ACF0AENT REPLACE  SYSA P-USR-KEYRING
    CERTDATA     C-CERTAUTH.ZOSMFSRV,     C-CERTAUTH.INTER2,                   
                 P-IZUSVR.CERT01          C-CERTAUTH.ZOSMFSRV,                 
                                          P-IZUSVR.CERT01                      

20.199 07/17 13:35       USER002  USER002  ACF0AENT REPLACE  SYSA P-USR-CERTDATA
    KEYRING      MYLDAP.RING              IZUSVR.KEYR01,                       
                                          MYLDAP.RING                          
                                                                               

20.199 07/17 13:35       USER002  USER002  ACF0AENT REPLACE  SYSA P-USR-KEYRING
    CERTDATA     C-CERTAUTH.INTER2,       C-CERTAUTH.INTER2,
                 C-CERTAUTH.ZOSMFSRV,     C-CERTAUTH.ZOSMFSRV,                 
                 P-IZUSVR.CERT01          P-IZUSVR.CERT01,                     
                                          P-MYSERVER.CERT                      

20.199 07/17 13:35       USER002  USER002  ACF0AENT REPLACE  SYSA P-USR-CERTDATA
    KEYRING      MYLDAP.RING              IZUSVR.KEYR01,
                                          MYLDAP.RING                         
                                                                               
20.199 07/17 13:36       USER002  USER002  ACF0AENT REPLACE  SYSA P-USR-KEYRING
    DEFAULT      IZUSVR.CERT01            MYSERVER.CERT     
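
When the report covers a long SMF interval, the keyring entries can be pulled out of the SYSPRINT text once it has been downloaded. The following Python sketch is an added example, not part of the original article or the product: the function names are hypothetical, the sample text is constructed from the output above, and the column positions are an assumption based on that layout.

```python
import re

# Constructed sample, modelled on the ACFRPTEL DETAIL output shown above.
SAMPLE = """\
    DATE     TIME        JNAME    LID      MODULE   FUNCTION CPU  C-TYP-NAME
20.199 07/17 13:35       USER002  USER002  ACF0AENT REPLACE  SYSA P-USR-KEYRING
    CERTDATA     C-CERTAUTH.ZOSMFSRV,     C-CERTAUTH.INTER2,
                 P-IZUSVR.CERT01          C-CERTAUTH.ZOSMFSRV,
                                          P-IZUSVR.CERT01
20.199 07/17 13:35       USER002  USER002  ACF0AENT REPLACE  SYSA P-USR-CERTDATA
    KEYRING      MYLDAP.RING              IZUSVR.KEYR01,
                                          MYLDAP.RING
20.199 07/17 13:36       USER002  USER002  ACF0AENT REPLACE  SYSA P-USR-KEYRING
    DEFAULT      IZUSVR.CERT01            MYSERVER.CERT
"""
KEYS = ("jdate", "date", "time", "jname", "lid", "module", "function", "cpu", "ctype")

def parse_events(text):
    """Group report lines into entries: {..., 'fields': {name: (old, new)}}."""
    events, field = [], None
    for line in text.splitlines():
        words = line.split()
        if not words or words[0] in ("DATE", "FIELD"):   # blank or page heading
            continue
        if re.match(r"\d\d\.\d{3} ", line):              # entry line: yy.ddd ...
            events.append(dict(zip(KEYS, words), fields={}))
            field = None
            continue
        for m in re.finditer(r"\S+", line):
            # Assumed layout: field name left of col 12, NEW VALUE from col 40.
            if m.start() < 12:
                field = m.group()
            elif events and field:
                old, new = events[-1]["fields"].setdefault(field, ([], []))
                (old if m.start() < 40 else new).append(m.group().rstrip(","))
    return events

def keyring_findings(events):
    """Summarise certificate connects/removes and DEFAULT changes on keyrings."""
    out = []
    for e in [e for e in events if e["ctype"] == "P-USR-KEYRING"]:
        who = f'{e["date"]} {e["time"]} {e["lid"]}'
        for name, (old, new) in e["fields"].items():
            if name == "CERTDATA":
                out += [f"{who} connected {c}" for c in new if c not in old]
                out += [f"{who} removed {c}" for c in old if c not in new]
            elif name == "DEFAULT":
                out.append(f"{who} default {' '.join(old)} -> {' '.join(new)}")
    return out
```

Calling `keyring_findings(parse_events(SAMPLE))` returns one line per certificate connected to or removed from a keyring and one per DEFAULT change, each with the date, time and logonid taken from the entry line.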

Additional Information

Details on the ACFRPTEL report can be found in section: 'ACFRPTEL - Infostorage Update Log' of the ACF2 documentation.