Purpose

Use the RACDCERT DELETE command to delete a digital certificate. When you delete a certificate that is connected to a key ring, the certificate is automatically removed from the key ring.

Restriction: Because PKCS #11 tokens are managed by ICSF, not RACF®, when you use the RACDCERT DELETE command to delete a certificate that is bound in a token, the corresponding certificate object remains in the token.

The DELETE function also supports site and certificate-authority certificates, and the deletion of the private key and other certificate data that was stored when the certificate was created.

When a user profile is deleted with the DELUSER command, related DIGTCERT, DIGTRING, and DIGTNMAP profiles are deleted as a part of DELUSER processing. However, under some circumstances, residual profiles might not be deleted. For example, if you issue the DELUSER command from a z/VM® system (which does not support digital certificates), the profiles might not be deleted. The DELETE, DELRING, and DELMAP keywords for RACDCERT support the specification of a user ID so that residual certificate information related to that user ID can be deleted. However, the other RACDCERT functions require the user ID to be defined to RACF.

See UTF-8 and BMP character restrictions for information about how UTF-8 and BMP characters in certificate names and labels are processed by RACDCERT functions.
Issuing options

The following table identifies the eligible options for issuing the RACDCERT DELETE command:

| As a RACF TSO command? | As a RACF operator command? | With command direction? | With automatic command direction? | From the RACF parameter library? |
|---|---|---|---|---|
| Yes | No | No. (See rules.) | No. (See rules.) | No |

Rules: The following rules apply when issuing this command.
- The RACDCERT command cannot be directed to a remote system using the AT or ONLYAT keyword.
- The updates made to the RACF database by RACDCERT are eligible for propagation with automatic direction of application updates based on the RRSFDATA profiles AUTODIRECT.target-node.DIGTCERT.APPL and AUTODIRECT.target-node.DIGTRING.APPL, where target-node is the remote node to which the update is to be propagated.
Authorization required

To issue the RACDCERT DELETE command, you must have the SPECIAL attribute or sufficient authority to the IRR.DIGTCERT.DELETE resource in the FACILITY class for your intended purpose, as shown in Table 1.

When your installation controls access to ICSF services and the CSFSERV class is active, additional access to CSFSERV resources might be required as follows:
- If the certificate you are deleting has a key stored in the ICSF PKA key data set (PKDS), you must have READ access to the CSFIQF and CSFPKRD resources.
- If the certificate you are deleting has a key stored in the ICSF Token Data Set (TKDS), you must have READ access to the CSFIQF and CSF1TRD resources.

For details about the CSFSERV resources, see z/OS Cryptographic Services ICSF Administrator's Guide.

Table 1. Authority required for the RACDCERT DELETE function (resource IRR.DIGTCERT.DELETE)

| Access level | Purpose |
|---|---|
| READ | Delete your own certificate. |
| UPDATE | Delete another user's certificate. |
| CONTROL | Delete a SITE or CERTAUTH certificate. |
Activating your changes

If the DIGTCERT or DIGTRING class is RACLISTed, refresh the classes to activate your changes.

Example:
SETROPTS RACLIST(DIGTCERT, DIGTRING) REFRESH
Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the RACDCERT DELETE command is:

RACDCERT DELETE
  [ (LABEL('label-name'))
  | (SERIALNUMBER(serial-number) [ ISSUERSDN('issuer's-dn') ]) ]
  [ ID(certificate-owner) | SITE | CERTAUTH ]
  [ FORCE ]

If you specify more than one RACDCERT function, only the last specified function is processed. Extraneous keywords that are not related to the function being performed are ignored.

If you do not specify a RACDCERT function, LIST is the default function.

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.
Parameters

- DELETE(LABEL('label-name'))
- DELETE(SERIALNUMBER(serial-number) ISSUERSDN('issuer's-dn'))

  If the user has only one certificate, the SERIALNUMBER and ISSUERSDN keywords, or the LABEL keyword, and their associated values can be omitted. If the user has more than one certificate, LABEL, SERIALNUMBER, or SERIALNUMBER and ISSUERSDN must be used to select which certificate to delete.

  When specifying the issuer's distinguished name or the label, you must specify any mixed-case or blank characters exactly as they appear in the output of the RACDCERT LIST command for the certificate.

  Restriction: The ISSUERSDN keyword is not supported for lengthy issuer's distinguished names when the name of the certificate's DIGTCERT profile contains a certificate hash value. For more information about DIGTCERT profile names, see the "Purpose" topic of RACDCERT ADD.

  For a description of label-name, see the description of the WITHLABEL keyword for RACDCERT ADD.

- FORCE

  Specifies that RACF should bypass the following error checking and unconditionally perform the delete operation. If you do not specify FORCE to bypass these conditions, an error message is issued and the command ends:
  - The certificate being deleted has been used to generate a request through RACDCERT GENREQ.
  - The private key associated with the certificate is a secure key in the PKDS or TKDS, but it no longer exists.

  Note: Use this keyword with caution to force the deletion of a certificate.

- ID(certificate-owner) | SITE | CERTAUTH

  Specifies that the specified certificate is either a user certificate associated with the specified user ID, a site certificate, or a certificate-authority certificate. If you do not specify ID, SITE, or CERTAUTH, the default is ID, and certificate-owner defaults to the user ID of the command issuer. If more than one keyword is specified, the last specified keyword is processed and the others are ignored by TSO command parse processing.
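The selection, authorization, and FORCE rules above interact, and it is easy to misjudge which one stops a delete. The following Python is an added illustration, not IBM code and not a RACF API: it models those rules against a small in-memory certificate store. All user IDs (RACFADM, NETB0Y, HELPDSK, ALONE), labels, serial numbers, issuer names, and access levels are constructed for the example; only the IRRD198I message text comes from this page.

```python
"""Added illustration (not IBM/RACF code) of the RACDCERT DELETE rules on this
page: certificate selection, authority required (Table 1), and the two checks
that FORCE bypasses. All identities and values below are constructed samples."""
from dataclasses import dataclass, field


@dataclass
class Cert:
    label: str
    serial: str
    issuer_dn: str
    genreq_pending: bool = False       # RACDCERT GENREQ was run against this certificate
    secure_key_missing: bool = False   # private key was a secure key in PKDS/TKDS and is gone
    rings: set = field(default_factory=set)  # key rings the certificate is connected to


# Constructed certificate store: owner -> certificates (SITE and CERTAUTH are anchors).
STORE = {
    "NETB0Y": [Cert("Savings Account", "01", "CN=Sample CA,O=Example", genreq_pending=True),
               Cert("Checking", "02", "CN=Sample CA,O=Example", rings={"NETB0Y/WEBRING"})],
    "ALONE": [Cert("Only One", "07", "CN=Sample CA,O=Example", secure_key_missing=True)],
    "SITE": [Cert("Web Server", "10", "CN=Sample CA,O=Example")],
}

# Constructed authority: SPECIAL attribute and FACILITY access to IRR.DIGTCERT.DELETE.
USERS = {
    "RACFADM": {"special": True, "delete_access": "NONE"},
    "NETB0Y": {"special": False, "delete_access": "READ"},
    "HELPDSK": {"special": False, "delete_access": "UPDATE"},
}
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3}


def required_access(issuer, owner):
    """Table 1: READ for your own, UPDATE for another user's, CONTROL for SITE/CERTAUTH."""
    if owner in ("SITE", "CERTAUTH"):
        return "CONTROL"
    return "READ" if owner == issuer else "UPDATE"


def is_authorized(issuer, owner):
    user = USERS[issuer]
    if user["special"]:
        return True
    return LEVELS[user["delete_access"]] >= LEVELS[required_access(issuer, owner)]


def select_cert(owner, label=None, serial=None, issuer_dn=None):
    """LABEL or SERIALNUMBER [ISSUERSDN] may be omitted only when the owner has one certificate."""
    certs = STORE.get(owner, [])
    if label is None and serial is None:
        if len(certs) == 1:
            return certs[0]
        raise LookupError("LABEL or SERIALNUMBER required: owner has %d certificates" % len(certs))
    matches = [c for c in certs
               if (label is None or c.label == label)        # case and blanks must match exactly
               and (serial is None or c.serial == serial)
               and (issuer_dn is None or c.issuer_dn == issuer_dn)]
    if len(matches) != 1:
        raise LookupError("selection matched %d certificates" % len(matches))
    return matches[0]


def racdcert_delete(issuer, owner=None, label=None, serial=None, issuer_dn=None, force=False):
    """Return a status string; on success the certificate leaves the store and its key rings."""
    owner = owner or issuer   # ID() defaults to the command issuer
    if not is_authorized(issuer, owner):
        return "NOT AUTHORIZED: %s needed to IRR.DIGTCERT.DELETE" % required_access(issuer, owner)
    try:
        cert = select_cert(owner, label, serial, issuer_dn)
    except LookupError as err:
        return "NOT DELETED: %s" % err
    if not force:   # FORCE bypasses exactly these two checks and nothing else
        if cert.genreq_pending:
            return "IRRD198I The certificate has been used for generating a request. It was not deleted."
        if cert.secure_key_missing:
            return "NOT DELETED: secure private key no longer exists in the PKDS/TKDS"
    cert.rings.clear()            # deletion removes the certificate from connected key rings
    STORE[owner].remove(cert)
    return "DELETED"


if __name__ == "__main__":
    print(racdcert_delete("NETB0Y", label="Savings Account"))              # IRRD198I
    print(racdcert_delete("NETB0Y", label="Savings Account", force=True))  # DELETED
    print(racdcert_delete("HELPDSK", owner="SITE", label="Web Server"))    # needs CONTROL
    print(racdcert_delete("RACFADM", owner="ALONE"))                       # key missing
```

Note that the authority check runs before certificate selection, so a caller without sufficient access to IRR.DIGTCERT.DELETE never learns whether the label exists; FORCE only changes the outcome once the caller is authorized and the certificate is unambiguously selected.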
Examples

Example 1

Operation: User RACFADM wants to delete the digital certificate labeled Savings Account for user NETB0Y.

Known: User RACFADM has SPECIAL authority.

Command:
RACDCERT DELETE(LABEL('Savings Account')) ID(NETB0Y)

Output: None.

Example 2

Operation: User RACFADM issues a GENREQ for the certificate labeled Savings Account for user NETB0Y so that the request can be sent to and signed by a Certificate Authority. To prevent the certificate and its private key from being deleted before the Certificate Authority returns the signed certificate, the certificate cannot be deleted without the FORCE keyword.

Known: User RACFADM has SPECIAL authority.

Command:
RACDCERT ID (NETB0Y) GENREQ (LABEL('Savings Account')) dsn('Request.cert')
RACDCERT ID (NETB0Y) DELETE (LABEL('Savings Account'))

Output:
IRRD198I The certificate has been used for generating a request. It was not deleted.