X-Posted RACF-L and IBM-MAIN
Did you ever wish for a simple way to get your arms around all of your RACF*
digital certificates, without it being a project of its own? Without having to
learn a sequence of complex commands? VUECERTS is the answer!
VUECERTS is a free certificate discovery program for z/OS. Unlike native RACF
commands, VUECERTS provides a complete inventory of all of your certificates,
and there is no command syntax to learn.
The RACF certificate commands are notoriously difficult to master. Further,
there simply IS no combination of commands that will give you a complete
inventory of all of your certificates, nor any way to see the relationships
among your certificates – essential for effective certificate management.
With VUECERTS you simply type one command – TSO VUECERTS – from any ISPF prompt
and get back a complete inventory of all of your RACF certificates. Your
certificates are displayed in their PKI hierarchy, clearly showing the
relationship of each endpoint certificate to its intermediate and root
certificates. Each certificate is shown with its essential details: userid,
label, abbreviated subject name, and expiration details. You also get warnings
for imminent certificate expirations and other anomalous conditions. Here’s an
example of a PKI hierarchy:

    CERTAUTH 'DigiCert Global Root G2'
    |
    CERTAUTH 'DigiCert Global G2 RSA 2020 CA1'
    |
    JES2UID 'PRODDC.SERVER.AUG2024'
    |
    JES2UID 'PRODDCDIGICERTSEPT2020'

Further, certificates are grouped by the status of their root certificates. For
example, certificates dependent on an expired root are clearly indicated. There
is no learning curve: certificates are displayed in an ISPF VIEW panel, so you
can use familiar commands like FIND to locate particular keywords, subject
names, userids or dates.
VUECERTS also discovers all of your keyrings, and clearly shows both the
certificates connected to each keyring, and for each certificate, the keyrings
to which it is connected.
If you want more detail about any certificate, all you have to do is put the
cursor on the line and hit a PF key – and you get the full RACDCERT LIST for
the certificate. You can even get template RACDCERT commands for each
certificate – easy to edit into a LIST, LISTCHN, ALTER or DELETE command.
No APF authorization. RACF SPECIAL not required, only three specific RACF
permissions as specified in the documentation. VUECERTS does not examine or
process private keys.
*VUECERTS at this time is supported for RACF and gskkyman certificate stores
only. We are actively seeking partners to test VUECERTS with the Broadcom
security products.
How do you get VUECERTS? Sam Golob has graciously worked with me to make it
CBTTAPE.ORG file number 1067. VUECERTS is written in C++, but the executable
load module as well as the source and instructions for building are included in
the CBT download.
One of the things I am not crazy about with the CBT Tape is that if you want to
see the documentation you have to download the file, unzip it, upload it to
your z/OS and then RECEIVE it. So here’s a limited time offer that I hope I
won’t regret: send me a note off-list and I will send you the documentation in
PDF format.
Enjoy!
Charles Mills