z/OS Security Server RACF Command Language Reference


RACDCERT LISTCHAIN (List certificate chain)

z/OS Security Server RACF Command Language Reference
SA23-2292-00

Purpose

Use the RACDCERT LISTCHAIN command to display information about a digital certificate and its issuer chain of certificates in the RACF database.

The specified certificate, identified by the LABEL keyword, may be owned by SITE, CERTAUTH, or a user ID. After finding that certificate, RACF will search its database under the same owning user ID to locate the issuer's certificate. If it is not found, RACF will search under CERTAUTH for the issuer's certificate, and its issuers. A certificate chain is considered incomplete if RACF is unable to follow the chain back to a self-signed 'root' certificate.

The information displayed by LISTCHAIN, for each certificate, is similar to that displayed by LIST. The certificate identified by the specified label appears first, followed in order by its chain of issuers. At the end, LISTCHAIN includes the following summary information:
  • The number of certificates in the displayed chain.
  • Whether the chain is complete or incomplete.
  • Whether the chain contains any NOTRUST or expired certificates.
  • Any rings in common, that is, rings to which every certificate in the chain is connected.
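The issuer walk and the summary described above, as an added example that is not IBM code: a small Python model in which SAMPLE_DB is a constructed stand-in for the RACF DIGTCERT entries (its three entries mirror Figure 2 below, plus a hypothetical "orphan" certificate whose issuer is absent). The names Cert, list_chain and summary_lines are this example's own. Issuers are matched on distinguished name only, which is a simplification of what RACF does, and printing one "ring in common" line per ring is an assumption; the page shows only the single-ring case.

```python
"""Walk an issuer chain the way the LISTCHAIN description above says RACF does:
start at the labelled certificate, look for its issuer under the same owner,
then under CERTAUTH, and stop at a self-signed root.

Added example, not IBM code. SAMPLE_DB is a constructed stand-in for the RACF
DIGTCERT entries (it mirrors Figure 2 plus one orphan); issuers are matched on
distinguished name only, which is a simplification.
"""
from dataclasses import dataclass
from datetime import datetime

DATE_FMT = "%Y/%m/%d %H:%M:%S"   # the format RACDCERT prints


@dataclass(frozen=True)
class Cert:
    owner: str        # user ID, "SITE" or "CERTAUTH"
    label: str
    subject: str
    issuer: str
    trust: bool       # Status TRUST (True) or NOTRUST (False)
    end_date: str
    rings: frozenset  # "ringowner/ringname" connections

    def self_signed(self):
        return self.subject == self.issuer


def _find(db, owner, label=None, subject=None):
    """First certificate under `owner` matching the label or subject DN."""
    for c in db:
        if c.owner == owner and (label is None or c.label == label) \
                and (subject is None or c.subject == subject):
            return c
    return None


def list_chain(db, owner, label, now):
    """Return the chain and the facts the 'Chain information:' block reports."""
    start = _find(db, owner, label=label)
    if start is None:
        raise LookupError(f"no certificate labelled {label!r} under {owner}")
    chain, seen, cur = [start], {(start.owner, start.label)}, start
    while not cur.self_signed():
        # Same owning ID first, then CERTAUTH (identical once we are in CERTAUTH).
        nxt = (_find(db, cur.owner, subject=cur.issuer)
               or _find(db, "CERTAUTH", subject=cur.issuer))
        # No issuer, or an issuer loop that never reaches a self-signed
        # certificate: stop and report the chain as incomplete.
        if nxt is None or (nxt.owner, nxt.label) in seen:
            break
        chain.append(nxt)
        seen.add((nxt.owner, nxt.label))
        cur = nxt
    cutoff = datetime.strptime(now, DATE_FMT)
    return {
        "labels": [c.label for c in chain],
        "count": len(chain),
        "complete": chain[-1].self_signed(),
        "notrust": any(not c.trust for c in chain),
        "expired": any(datetime.strptime(c.end_date, DATE_FMT) < cutoff
                       for c in chain),
        "common_rings": sorted(frozenset.intersection(*(c.rings for c in chain))),
    }


def summary_lines(result):
    """Render the result in the wording of the page's 'Chain information:' block
    (one 'ring in common' line per ring is an assumption)."""
    state = "complete" if result["complete"] else "incomplete"
    lines = [f"Chain contains {result['count']} certificate(s), chain is {state}"]
    lines += [f"Chain contains ring in common: {r}" for r in result["common_rings"]]
    if result["notrust"]:
        lines.append("Chain contains NOTRUST certificate(s)")
    if result["expired"]:
        lines.append("Chain contains expired certificate(s)")
    return lines


RING = frozenset({"CHOI/testring"})
SAMPLE_DB = [  # constructed; DNs and dates follow Figure 2
    Cert("CHOI", "samplecert", "CN=samplecert.O=Test.SP=Poughkeepsie.C=US",
         "CN=sampleCA.O=Test.SP=Poughkeepsie.C=US", True, "2011/10/20 23:59:59", RING),
    Cert("CERTAUTH", "sampleCA", "CN=sampleCA.O=Test.SP=Poughkeepsie.C=US",
         "CN=MasterCA.O=Test.SP=Poughkeepsie.C=US", False, "2020/10/22 23:59:59", RING),
    Cert("CERTAUTH", "MasterCA", "CN=MasterCA.O=Test.SP=Poughkeepsie.C=US",
         "CN=MasterCA.O=Test.SP=Poughkeepsie.C=US", True, "2038/04/20 23:59:59", RING),
    # Hypothetical: signed by a CA that is not in the database at all.
    Cert("CHOI", "orphan", "CN=orphan.O=Test.C=US", "CN=MissingCA.O=Test.C=US",
         True, "2030/01/01 23:59:59", frozenset()),
]

if __name__ == "__main__":
    for label in ("samplecert", "orphan"):
        r = list_chain(SAMPLE_DB, "CHOI", label, "2012/06/01 00:00:00")
        print(label, "->", " <- ".join(r["labels"]))
        print("\n".join(summary_lines(r)))
```

The "orphan" entry is the incomplete case: the walk stops as soon as no issuer is found under the owner or CERTAUTH, and a loop of issuers that never reaches a self-signed certificate is likewise reported as incomplete rather than walked forever.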

Issuing options

The following table identifies the eligible options for issuing the RACDCERT LISTCHAIN command:
  • As a RACF® TSO command? Yes
  • As a RACF operator command? No
  • With command direction? No. (See rules.)
  • With automatic command direction? No. (See rules.)
  • From the RACF parameter library? No
Rules: The following rules apply when issuing this command.
  • The RACDCERT command cannot be directed to a remote system using the AT or ONLYAT keyword.
  • The updates made to the RACF database by RACDCERT are eligible for propagation with automatic direction of application updates based on the RRSFDATA profiles AUTODIRECT.target-node.DIGTCERT.APPL and AUTODIRECT.target-node.DIGTRING.APPL, where target-node is the remote node to which the update is to be propagated.

Authorization required

To issue the RACDCERT LISTCHAIN command, you must have CONTROL access to the IRR.DIGTCERT.LIST resource in the FACILITY class.

If the user does not have CONTROL access to IRR.DIGTCERT.LIST, IRRD101I will be issued.

If any certificate in the chain has the ECC key type, READ access to CSF1PKV, CSF1TRC, CSF1TRD and CSFOWH resources in the CSFSERV class is required.

Related commands

  • To list digital certificate information, see RACDCERT LIST.
  • To list a key ring, see RACDCERT LISTRING.
  • To list a token, see RACDCERT LISTTOKEN.

Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the RACDCERT LISTCHAIN command is:

 
RACDCERT [ ID(certificate-owner) | SITE | CERTAUTH ]
         LISTCHAIN(LABEL('label-name'))

If you do not specify a RACDCERT function, LIST is the default function.

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.

Parameters

LISTCHAIN(LABEL('label-name'))

If the user has only one certificate, the LABEL keyword and its associated value can be omitted.

For a description of label-name, see the description of the WITHLABEL keyword for RACDCERT ADD.

Note: If the certificate was created using a previous z/OS release of RACF that did not support certificate labels, the certificate listing will contain the following output: No label assigned

Examples

     
Example 1
  Operation: User CHOI requests the listing of the certificate labeled samplecert and its chain of issuers.
  Known: User CHOI has been given CONTROL access to profile IRR.DIGTCERT.LIST in the FACILITY class.
  Command: RACDCERT LISTCHAIN(LABEL('samplecert'))
  Output: See Figure 1.

Example 2
  Operation: User CHOI requests the listing of the certificate labeled samplecert and its chain of issuers; the chain contains expired and NOTRUST certificates.
  Known: User CHOI has been given CONTROL access to profile IRR.DIGTCERT.LIST in the FACILITY class.
  Command: RACDCERT LISTCHAIN(LABEL('samplecert'))
  Output: See Figure 2.
 
Figure 1. Output for the RACDCERT LISTCHAIN command showing every certificate in a complete chain (based on RACDCERT LISTCHAIN: Example 1)
Certificate 1:
Digital certificate information for user CHOI:              
                                                              
  Label: samplecert                                              
  Certificate ID: 2QbmxsPI1smJl4OFmaPy                        
  Status: TRUST                                               
  Start Date: 2011/10/20 00:00:00  
  End Date:   2012/10/20 23:59:59  
  Serial Number:                   
       >05<                        
  Issuer's Name:                   
       >CN=sampleCA.O=Test.SP=Poughkeepsie.C=US<                   
  Subject's Name:                  
       >CN=samplecert.O=Test.SP=Poughkeepsie.C=US<                  
  Subject's AltNames:                           
    IP: 127.0.0.5 
    EMail: choi@us.ibm.com
    Domain: www.ibm.com                           
  Signing Algorithm: sha1RSA 
  Key Usage: HANDSHAKE   
  Key Type: RSA
  Key Size: 1024
  Private Key: Yes 
  PKDS Label: SAMPLECERT                        
  Ring Associations:   
    Ring Owner: CHOI
    Ring:             
     >testring< 


Certificate 2:
Digital certificate information for CERTAUTH:              
                                                              
  Label: sampleCA                                              
  Certificate ID: 2PabcsPI1smJl4OFmaPx                        
  Status: TRUST                                               
  Start Date: 2010/03/22 00:00:00  
  End Date:   2020/10/22 23:59:59  
  Serial Number:                   
       >02<                        
  Issuer's Name:                   
       >CN=MasterCA.O=Test.SP=Poughkeepsie.C=US<                   
  Subject's Name:                  
       >CN=sampleCA.O=Test.SP=Poughkeepsie.C=US<             
  Signing Algorithm: sha256RSA 
  Key Usage: CERTSIGN   
  Key Type: RSA
  Key Size: 2048
  Private Key: Yes 
  PKDS Label: SAMPLECA                        
  Ring Associations:   
    Ring Owner: CHOI
    Ring:             
     >testring<


Certificate 3:
Digital certificate information for CERTAUTH:              
                                                              
  Label: MasterCA                                              
  Certificate ID: 2KbmxsPI1smJl4OFmaPm                        
  Status: TRUST                                               
  Start Date: 2008/04/20 00:00:00  
  End Date:   2038/04/20 23:59:59  
  Serial Number:                   
       >00<                        
  Issuer's Name:                   
       >CN=MasterCA.O=Test.SP=Poughkeepsie.C=US<                   
  Subject's Name:                  
       >CN=MasterCA.O=Test.SP=Poughkeepsie.C=US<                  
  Signing Algorithm: sha256RSA 
  Key Usage: CERTSIGN  
  Key Type: RSA
  Key Size: 4096
  Private Key: Yes 
  PKDS Label: MASTERCA                        
  Ring Associations:   
    Ring Owner: CHOI
    Ring:             
     >testring< 

Chain information:
Chain contains 3 certificate(s), chain is complete
Chain contains ring in common: CHOI/testring
Figure 2. Output for the RACDCERT LISTCHAIN command showing a chain that contains expired and NOTRUST certificates (based on RACDCERT LISTCHAIN: Example 2)
Certificate 1:
Digital certificate information for user CHOI:              
                                                              
  Label: samplecert                                              
  Certificate ID: 2QbmxsPI1smJl4OFmaPy                        
  Status: TRUST                                               
  Start Date: 2010/10/20 00:00:00  
  End Date:   2011/10/20 23:59:59  
  Serial Number:                   
       >05<                        
  Issuer's Name:                   
       >CN=sampleCA.O=Test.SP=Poughkeepsie.C=US<                   
  Subject's Name:                  
       >CN=samplecert.O=Test.SP=Poughkeepsie.C=US<                  
  Subject's AltNames:                           
    IP: 127.0.0.5 
    EMail: choi@us.ibm.com
    Domain: www.ibm.com                           
  Signing Algorithm: sha1RSA 
  Key Usage: HANDSHAKE   
  Key Type: RSA
  Key Size: 1024
  Private Key: Yes 
  PKDS Label: SAMPLECERT                        
  Ring Associations:   
    Ring Owner: CHOI
    Ring:             
     >testring< 

Certificate 2:
Digital certificate information for CERTAUTH:              
                                                              
  Label: sampleCA                                              
  Certificate ID: 2PabcsPI1smJl4OFmaPx                        
  Status: NOTRUST                                               
  Start Date: 2010/03/22 00:00:00  
  End Date:   2020/10/22 23:59:59  
  Serial Number:                   
       >02<                        
  Issuer's Name:                   
       >CN=MasterCA.O=Test.SP=Poughkeepsie.C=US<                   
  Subject's Name:                  
       >CN=sampleCA.O=Test.SP=Poughkeepsie.C=US<             
  Signing Algorithm: sha256RSA 
  Key Usage: CERTSIGN   
  Key Type: RSA
  Key Size: 2048
  Private Key: Yes 
  PKDS Label: SAMPLECA                        
  Ring Associations:   
    Ring Owner: CHOI
    Ring:             
     >testring< 

Certificate 3:
Digital certificate information for CERTAUTH:              
                                                              
  Label: MasterCA                                              
  Certificate ID: 2KbmxsPI1smJl4OFmaPm                        
  Status: TRUST                                               
  Start Date: 2008/04/20 00:00:00  
  End Date:   2038/04/20 23:59:59  
  Serial Number:                   
       >00<                        
  Issuer's Name:                   
       >CN=MasterCA.O=Test.SP=Poughkeepsie.C=US<                   
  Subject's Name:                  
       >CN=MasterCA.O=Test.SP=Poughkeepsie.C=US<                  
  Signing Algorithm: sha256RSA 
  Key Usage: CERTSIGN  
  Key Type: RSA
  Key Size: 4096
  Private Key: Yes 
  PKDS Label: MASTERCA                        
  Ring Associations:   
    Ring Owner: CHOI
    Ring:             
     >testring< 

Chain information:
Chain contains 3 certificate(s), chain is complete
Chain contains ring in common: CHOI/testring
Chain contains NOTRUST certificate(s)
Chain contains expired certificate(s)
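A reviewer auditing a key ring usually captures LISTCHAIN output like Figure 2 and wants the weak spots pulled out mechanically. The following is an added example, not IBM code: a parser for the listing format shown above that extracts the per-certificate fields and the summary lines, then flags NOTRUST status, expiry, SHA-1 or MD5 signatures and RSA keys shorter than 2048 bits. SAMPLE_OUTPUT is a trimmed copy of Figure 2 (serial numbers, names and ring data omitted); the names parse_listchain, review and summary_agrees, and the thresholds in review(), are this example's own and are not anything RACF enforces or reports.

```python
"""Parse RACDCERT LISTCHAIN output and flag certificates a reviewer would
question: NOTRUST status, expiry, SHA-1/MD5 signatures and short RSA keys.

Added example, not IBM code. SAMPLE_OUTPUT is a trimmed copy of the Figure 2
listing; the thresholds in review() are reviewer criteria, not RACF behaviour.
"""
import re
from datetime import datetime

DATE_FMT = "%Y/%m/%d %H:%M:%S"
HEADER_RE = re.compile(r"^Certificate (\d+):")
OWNER_RE = re.compile(r"^Digital certificate information for (?:user )?(\S+):")
FIELD_RE = re.compile(
    r"^\s+(Label|Status|Start Date|End Date|Signing Algorithm|Key Type|Key Size):"
    r"\s*(\S.*?)\s*$")

SAMPLE_OUTPUT = """\
Certificate 1:
Digital certificate information for user CHOI:

  Label: samplecert
  Status: TRUST
  End Date:   2011/10/20 23:59:59
  Signing Algorithm: sha1RSA
  Key Type: RSA
  Key Size: 1024

Certificate 2:
Digital certificate information for CERTAUTH:

  Label: sampleCA
  Status: NOTRUST
  End Date:   2020/10/22 23:59:59
  Signing Algorithm: sha256RSA
  Key Type: RSA
  Key Size: 2048

Certificate 3:
Digital certificate information for CERTAUTH:

  Label: MasterCA
  Status: TRUST
  End Date:   2038/04/20 23:59:59
  Signing Algorithm: sha256RSA
  Key Type: RSA
  Key Size: 4096

Chain information:
Chain contains 3 certificate(s), chain is complete
Chain contains ring in common: CHOI/testring
Chain contains NOTRUST certificate(s)
Chain contains expired certificate(s)
"""


def parse_listchain(text):
    """One dict per 'Certificate N:' section, plus the 'Chain contains' lines."""
    certs, summary, cur = [], [], None
    for line in text.splitlines():
        if HEADER_RE.match(line):
            cur = {}
            certs.append(cur)
        elif line.startswith("Chain information:"):
            cur = None
        elif cur is None:
            if line.startswith("Chain contains"):
                summary.append(line.strip())
        elif (m := OWNER_RE.match(line)):
            cur["owner"] = m.group(1)        # user ID, SITE or CERTAUTH
        elif (m := FIELD_RE.match(line)):
            cur[m.group(1)] = m.group(2)
    return certs, summary


def review(certs, as_of, min_rsa_bits=2048, weak_sigs=("md5RSA", "sha1RSA")):
    """Findings as (owner/label, reason) pairs; expiry is judged against as_of."""
    cutoff = datetime.strptime(as_of, DATE_FMT)
    findings = []
    for c in certs:
        tag = f"{c.get('owner', '?')}/{c.get('Label', '?')}"
        if c.get("Status") != "TRUST":
            findings.append((tag, f"status {c.get('Status')}"))
        if "End Date" in c and datetime.strptime(c["End Date"], DATE_FMT) < cutoff:
            findings.append((tag, f"expired {c['End Date']}"))
        if c.get("Signing Algorithm") in weak_sigs:
            findings.append((tag, f"weak signature {c['Signing Algorithm']}"))
        if c.get("Key Type") == "RSA" and int(c.get("Key Size", "0")) < min_rsa_bits:
            findings.append((tag, f"RSA key {c['Key Size']} bits"))
    return findings


def summary_agrees(certs, summary, as_of):
    """Cross-check the printed summary against the per-certificate fields.
    Only meaningful when as_of is close to when the listing was taken."""
    found = review(certs, as_of)
    notrust = any(r.startswith("status") for _, r in found)
    expired = any(r.startswith("expired") for _, r in found)
    return (notrust == any("NOTRUST" in s for s in summary)
            and expired == any("expired" in s for s in summary))


if __name__ == "__main__":
    certs, summary = parse_listchain(SAMPLE_OUTPUT)
    for tag, reason in review(certs, "2012/06/01 00:00:00"):
        print(f"{tag}: {reason}")
```

Run against Figure 2 as of mid-2012, the review reports the leaf certificate three times (expired, sha1RSA signature, 1024-bit RSA key) and the intermediate sampleCA once for its NOTRUST status; the root MasterCA passes. The expiry check depends on the as_of date you pass, so use the date the listing was captured when cross-checking it against the summary lines RACF printed.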

Copyright IBM Corporation 1990, 2014