RACDCERT REMOVE (Remove certificate from key ring)

Purpose

Use the RACDCERT REMOVE command to remove a digital certificate from a key ring.

See UTF-8 and BMP character restrictions for information about how UTF-8 and BMP characters in certificate names and labels are processed by RACDCERT functions.

Issuing options

The following table identifies the eligible options for issuing the RACDCERT REMOVE command:
As a RACF® TSO command? | As a RACF operator command? | With command direction? | With automatic command direction? | From the RACF parameter library?
Yes | No | No. (See rules.) | No. (See rules.) | No
Rules: The following rules apply when issuing this command.
  • The RACDCERT command cannot be directed to a remote system using the AT or ONLYAT keyword.
  • The updates made to the RACF database by RACDCERT are eligible for propagation with automatic direction of application updates based on the RRSFDATA profiles AUTODIRECT.target-node.DIGTCERT.APPL and AUTODIRECT.target-node.DIGTRING.APPL, where target-node is the remote node to which the update is to be propagated.

Authorization required

To issue the RACDCERT REMOVE command, you must have the following authorizations:
  • The SPECIAL attribute, or
  • Sufficient authority to the IRR.DIGTCERT.REMOVE resource in the FACILITY class, as shown in Table 1, or
  • Sufficient authority to the appropriate resources in the RDATALIB class, as shown in Table 2, if Granular Authority Checking has been enabled by defining the IRR.RACDCERT.GRANULAR resource in the RDATALIB class.
Table 1. Authority required for the RACDCERT REMOVE function under the FACILITY class
Access level | Purpose
READ | Remove a certificate from your own key ring.
UPDATE | Remove a SITE or CERTAUTH certificate from your own key ring.
CONTROL | Remove a certificate from another user's key ring.
Table 2. Authority required for the RACDCERT REMOVE function under the RDATALIB class when IRR.RACDCERT.GRANULAR is defined
READ access to the resource based on cert owner and cert label, ring owner and ring name * | Purpose
IRR.DIGTCERT.<cert owner>.<cert label>.LST.REMOVE and <ring owner>.<ring name>.UPD.REMOVE | Remove a certificate with a specified <cert label> owned by <cert owner> from a key ring with specified <ring name> owned by <ring owner>
* 'cert owner' is the RACF user ID, or CERTIFAUTH (for CERTAUTH), or SITECERTIF (for SITE); ring owner is the RACF user ID

Activating your changes

If the DIGTCERT or DIGTRING class is RACLISTed, refresh the classes to activate your changes.

Example:
SETROPTS RACLIST(DIGTCERT, DIGTRING) REFRESH

Related commands

  • To connect a certificate to a key ring, see RACDCERT CONNECT.
  • To list a key ring, see RACDCERT LISTRING.

Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the RACDCERT REMOVE command is:

If you specify more than one RACDCERT function, only the last specified function is processed. Extraneous keywords that are not related to the function being performed are ignored.

If you do not specify a RACDCERT function, LIST is the default function.

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.

Parameters

REMOVE(ID(certificate-owner) LABEL('label-name') RING(ring-name))
REMOVE(SITE LABEL('label-name') RING(ring-name))
REMOVE(CERTAUTH LABEL('label-name') RING(ring-name))
Specifies the digital certificate to be removed from the key ring.

ID(certificate-owner) indicates that the certificate being removed is a user certificate, and certificate-owner is the user ID associated with this certificate. SITE indicates that the certificate being removed is a site certificate, and CERTAUTH indicates that it is a certificate authority certificate. If ID, SITE or CERTAUTH are not specified, ID(certificate-owner) defaults to the key ring owner as specified or defaulted by the ID(ring-owner) keyword.

LABEL('label-name')
Identifies the certificate that is being removed from the key ring. You must specify a label.
RING(ring-name)
Identifies the key ring from which this certificate is being removed. You must specify a ring name. Note: The key ring belongs to the ID specified or defaulted by the ID(ring-owner) keyword.
ID(ring-owner)
Specifies the user ID of the key ring owner. (Only a user ID can have a key ring.) If not specified, the key ring owner defaults to the command issuer's user ID.

Examples

Example | Activity label | Description
1 | Operation | User RACFADM wants to remove a SITE certificate with the label Shared Server from the RING01 key ring of server INVSERV.
  | Known | User RACFADM has SPECIAL authority.
  | Command | RACDCERT ID(INVSERV) REMOVE(SITE LABEL('Shared Server') RING(RING01))
  | Output | None.
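
The following is an added example, not part of the original documentation or of RACF itself: a small Python helper for reviewing a REMOVE request before it is issued. It applies the operand defaults from the Parameters section and the FACILITY class levels from Table 1 to show which ring and certificate are actually targeted and what access a non-SPECIAL issuer needs. The class and function names are hypothetical, user IDs are assumed to be uppercase, and the RDATALIB granular path (Table 2) is not modelled.

```python
from dataclasses import dataclass
from typing import Optional

LEVELS = ("NONE", "READ", "UPDATE", "CONTROL", "ALTER")  # ascending RACF access


@dataclass(frozen=True)
class RemoveRequest:                  # hypothetical container for one request
    issuer: str                       # user ID issuing the command
    label: str                        # LABEL('label-name'), required
    ring: str                         # RING(ring-name), required
    ring_owner: Optional[str] = None  # ID(ring-owner); None means omitted
    cert_owner: Optional[str] = None  # user ID, "SITE" or "CERTAUTH"; None = omitted


def resolve(req):
    """Apply the defaults from the Parameters section."""
    ring_owner = (req.ring_owner or req.issuer).upper()  # defaults to the issuer
    cert_owner = (req.cert_owner or ring_owner).upper()  # defaults to ring owner
    return ring_owner, cert_owner


def required_facility_access(req):
    """Minimum access to IRR.DIGTCERT.REMOVE per Table 1 (issuer without SPECIAL)."""
    ring_owner, cert_owner = resolve(req)
    if ring_owner != req.issuer.upper():
        return "CONTROL"              # another user's key ring
    if cert_owner in ("SITE", "CERTAUTH"):
        return "UPDATE"               # SITE or CERTAUTH certificate, own ring
    return "READ"                     # any other certificate, own ring


def is_sufficient(held, req):
    """True if the held FACILITY access level covers this removal."""
    return LEVELS.index(held) >= LEVELS.index(required_facility_access(req))


def explicit_command(req):
    """Spell out every defaulted operand so a reviewer sees the real target."""
    if "'" in req.label:
        raise ValueError("label contains a quote; quoting rules are not covered here")
    ring_owner, cert_owner = resolve(req)
    cert = cert_owner if cert_owner in ("SITE", "CERTAUTH") else f"ID({cert_owner})"
    return (f"RACDCERT ID({ring_owner}) "
            f"REMOVE({cert} LABEL('{req.label}') RING({req.ring}))")
```

For the request in Example 1, the helper reports CONTROL as the FACILITY access a delegated administrator would need in place of SPECIAL, because the ring belongs to INVSERV rather than to the issuer.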