RACF_CERTIFICATE_EXPIRATION Health Check
SueMarcotte
An example of the health check display:
Certificates Expiring within 60 Days
S Cert Owner Certificate Labe
- ------------ ----
E CERTAUTH CA certificate for CICS server 2015-09-29 Yes 2
E ID(WEBADM) R13 ECC RPD4 SSL Cert
E ID(WTASYS) Defa
E ID(WT4SAR0) Defa
ID(SETUP) Client cert for CICS workload 2015-10-03 No 0
E ID(WTAW1) Defa
E ID(WT4ACRU) Defa
ID(SETUP) Client cert for JA0 CICS 2015-11-27 No 0
In the example above, we issued the display on 10/02/2015. The ‘E’ in the S (status) column indicates that there is an exception for that certificate. For example, the first certificate in the list has an ‘E’ in the S column. In this case, the certificate has already expired. There are other certificates listed with exceptions, for example, the one with the label Client cert for JA0 CICS, which will expire on 11/27/2015. You’ll notice that some certificates are listed but are not marked as exceptions. This is because these certificates are not trusted.
When this health check was first made available, we had many expired certificates as a result of years of testing. Using the information in this health check, we were able to clean up our certificate database on both of our plexes. We now revisit the health check every month to monitor the RACF certificates. We let the number of DAYS default to 60, as we think it’s an adequate amount of time for those who own the certificates to take action on them, whether that is to regenerate new ones so there is no disruption of service or to delete them if they are no longer in use.
We find this health check very beneficial to our environment as it gives us one place to view RACF certificates which have expired or will expire soon. This allows us to better manage our certificates to prevent disruption of service and to remove those certificates which are no longer in use.
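As an added example (not part of the original post and not IBM's code), the Python below parses rows copied from this display and rebuilds the rule described above: a trusted certificate that has expired or will expire within DAYS raises an exception, while an untrusted one is only listed. The column order after the label (end date, trust, ring count), the function names and the ID(EXAMPLE1) row are assumptions made for illustration.

```python
import re
from datetime import date, timedelta

# Constructed input: two complete rows and one truncated row from the display
# above, plus one invented row (ID(EXAMPLE1)). Assumed columns after the
# label: end date, trust status, ring count.
SAMPLE = """\
E CERTAUTH CA certificate for CICS server 2015-09-29 Yes 2
E ID(WTASYS) Defa
ID(SETUP) Client cert for CICS workload 2015-10-03 No 0
E ID(EXAMPLE1) Constructed sample cert 2015-11-15 Yes 1
"""

ROW = re.compile(
    r"^\s*(?P<flag>E\s+)?(?P<owner>CERTAUTH|SITE|ID\([^)]+\))\s+(?P<label>.+?)\s+"
    r"(?P<end>\d{4}-\d{2}-\d{2})\s+(?P<trust>Yes|No)\s+(?P<rings>\d+)\s*$"
)

def parse_rows(text):
    """Return one dict per complete row; headers and cut-off rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({
                "flagged": m["flag"] is not None,
                "owner": m["owner"],
                "label": m["label"],
                "end": date.fromisoformat(m["end"]),
                "trusted": m["trust"] == "Yes",
                "rings": int(m["rings"]),
            })
    return rows

def classify(row, today, days=60):
    """expired / expiring / ok; '-untrusted' marks rows that raise no exception."""
    if row["end"] < today:
        state = "expired"
    elif row["end"] <= today + timedelta(days=days):
        state = "expiring"
    else:
        return "ok"
    return state if row["trusted"] else state + "-untrusted"

def review(text, today, days=60):
    # (owner, label, state, True when the E flag agrees with the recomputed state)
    return [(r["owner"], r["label"], s, r["flagged"] == (s in ("expired", "expiring")))
            for r in parse_rows(text) for s in [classify(r, today, days)]]
```

Calling `review(SAMPLE, date(2015, 10, 2))` gives a worklist for the monthly review; the `-untrusted` entries are the ones the check lists without an exception, so they need a manual decision on whether to renew or delete them.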