Bulk ACF2 digital certificate cleanup considerations/best practices

Article ID: 236773

Products

ACF2, ACF2 - MISC, ACF2 - z/OS

Issue/Introduction

Many certificates and certificate authorities on a system have expired over the years, and they are now generating excessive messages in the system logs whenever the following keyring refresh commands are issued:

F ACF2,REBUILD(USR),CLASS(P),DIVISION(KEYRING)

F ACF2,OVMS

What is the best way to perform the cleanup without introducing any risk? The REMOVE CERTDATA command can be used to remove the certificates from the keyring, but removing them all at once, even though they have expired, is still nerve-wracking.

Are there any suggestions to perform a certificate cleanup in the safest way possible?

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

During a mass cleanup of ACF2 digital certificate records, removing each certificate from the keyring first and deleting the CERTDATA record later is the most risk-averse way to clean up expired certificates. Going one step further, change the certificate to NOTRUST and leave it that way for some time before removing it from the keyring.

Note that the alternative, and quickest, method is to delete the CERTDATA record directly. Upon deletion of a CERTDATA record, ACF2 automatically removes the certificate from any keyring it was attached to. If taking this path, PTF LU04678 is needed to ensure that orphan pointers are not left behind on the keyring. Orphan pointers cause an error when the keyring is read. They are identified by the following error message when listing the contents of a keyring:

ACF0A005 RECORD(S) NOT FOUND
Error encountered reading CERTDATA record: certowner.suffix

Even though it is more tedious, removal from the keyring using REMOVE CERTDATA eliminates the risk described above. This is the suggested method for a large cleanup in a risk-averse environment.

Be aware that removing a certificate from the keyring will not stop the ACF79464 messages seen in the system logs; only deleting the certificate record will do that.
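The staged approach above, written out as one ACF command sequence for a single expired certificate (an added example, not from the original article). The record IDs certowner.suffix and ringowner.suffix are placeholders; the EXPORT, CHANGE, REMOVE, DELETE and LIST operands are assumed from the ACF2 certificate command set and should be checked against the Administration Guide for the release in use. The REBUILD and OVMS commands are the ones quoted in the article.

```text
ACF
* Stage 0 (assumed command): keep a copy of the certificate before touching it,
* so the record can be re-inserted if anything downstream still depends on it.
SET PROFILE(USER) DIV(CERTDATA)
EXPORT certowner.suffix DSNAME('BACKUP.CERTS.CERTOWNER.SUFFIX')

* Stage 1: mark the certificate NOTRUST and leave it for a soak period.
* A NOTRUST certificate stays on the keyring, so anything that still needs it
* fails loudly now instead of after the record is gone.
CHANGE certowner.suffix NOTRUST
END
F ACF2,REBUILD(USR),CLASS(P),DIVISION(KEYRING)
F ACF2,OVMS

* Stage 2 (after the soak period): remove the certificate from the keyring.
* This is the REMOVE CERTDATA step the article recommends; no orphan pointer
* can be created because the CERTDATA record still exists.
ACF
SET PROFILE(USER) DIV(KEYRING)
REMOVE CERTDATA(certowner.suffix) KEYRING(ringowner.suffix)
END
F ACF2,REBUILD(USR),CLASS(P),DIVISION(KEYRING)
F ACF2,OVMS

* Check: list the keyring and confirm it reads cleanly, i.e. no
* ACF0A005 RECORD(S) NOT FOUND for the certificate just removed.
ACF
SET PROFILE(USER) DIV(KEYRING)
LIST ringowner.suffix

* Stage 3 (after a second soak period): delete the CERTDATA record itself.
* Only this step stops the ACF79464 messages noted in the article.
SET PROFILE(USER) DIV(CERTDATA)
DELETE certowner.suffix
END
```

Running each stage against a small batch of certificates, with a refresh and a keyring LIST in between, keeps the blast radius of any mistake to that batch rather than the whole cleanup.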