z/OS Security Server RACF Security Administrator's Guide


Examples of checking digital certificate information

SA23-2289-00

  1. User NETADMN has a digital certificate in a data set, is uncertain who it belongs to, and does not know whether it has been defined to RACF. The digital certificate is in data set 'NETADMN.SOMEONZ.CERT'. NETADMN has UPDATE authority to the FACILITY class resource IRR.DIGTCERT.LIST, which lets RACDCERT report RACF database information about a certificate owned by another user. He issues the following RACDCERT command, and the output he receives indicates that the certificate has already been defined for user GTM; the Label, Certificate ID, and Status fields appear only for a certificate that is in the RACF database:
    RACDCERT CHECKCERT('NETADMN.SOMEONZ.CERT')
    
      Digital certificate information for user GTM:
    
       Label: LABEL00000001
       Certificate ID: 2QPH49TH49RAw4WZo4mGiYOBo4VA
       Status: NOTRUST
       Start Date: 2010/11/11 00:00:00              
       End Date:  2011/11/11 23:59:59                
       Serial Number:
            >84<
       Issuer's Name:
            >CN=BobsBank Class 2<
       Subject's Name:
            >loanOf@BobsBank.com.CN=G.T.Miles.T=President.OU=Loans.O=BobsBank,INC<
            >..SP=NY.L=Internet.C=USA<
       Signing Algorithm: sha1RSA
       Key Type: RSA
       Key Size: 1024
       Private Key: NO
  2. User USERA finds a digital certificate and is uncertain who it belongs to, and whether or not it has been defined to RACF®. The digital certificate is contained in data set 'NETADMN.SOMEONZ.CERT' and is associated with user GTM. USERA has READ authority to the data set 'NETADMN.SOMEONZ.CERT'. He issues the following RACDCERT command. The output he receives reflects only the certificate information contained in the data set, and does not include certificate information contained in the RACF database. Note that the listing contains the same level of information that NETADMN receives in Example 3.
    RACDCERT CHECKCERT('NETADMN.SOMEONZ.CERT')
    
       Start Date: 2010/11/11 00:00:00              
       End Date:  2011/11/11 23:59:59                
       Serial Number:
            >84<
       Issuer's Name:
            >CN=BobsBank Class 2<
       Subject's Name:
            >loanOf@BobsBank.com.CN=G.T.Miles.T=President.OU=Loans.O=BobsBank,INC<
            >..SP=NY.L=Internet.C=USA<
       Signing Algorithm: sha1RSA
  3. User NETADMN has a digital certificate in a data set, is uncertain who it belongs to, and does not know whether it has been defined to RACF. The digital certificate is in data set 'NETADMN.SOMELSZ.CERT'. NETADMN has CONTROL authority to the FACILITY class resource IRR.DIGTCERT.LIST. He issues the following RACDCERT command, and the output he receives indicates that the certificate is not defined to RACF: no Label, Certificate ID, or Status is shown, and no owning user ID is reported.
    RACDCERT CHECKCERT('NETADMN.SOMELSZ.CERT')
    
       Start Date: 2010/03/18 14:58:37
       End Date:   2011/03/17 14:58:37
       Serial Number:
            >79<
       Issuer's Name:
            >CN=BobsBank Class 2<
       Subject's Name:
            >brchMGR@BobsBank.com.CN=J. Miles.T=Manager.OU=Branch2.O=BobsBank,INC<
            >..SP=NY.L=Internet.C=USA<
       Signing Algorithm: sha1RSA   
  4. User NETADMN has a chain of digital certificates in a data set, and wants to know if the digital certificates are defined to RACF. The digital certificates are in data set 'NETADMN.SOMECHN.CERT'. NETADMN has CONTROL authority to the FACILITY class resource IRR.DIGTCERT.LIST. He issues the following RACDCERT command, and the output he receives indicates that the certificates are not in RACF, because the Label, Certificate ID, and Status fields are not shown for any of them.
    RACDCERT CHECKCERT('NETADMN.SOMECHN.CERT')
    
    Certificate 1:
       Start Date: 2011/10/20 00:00:00
       End Date:   2012/10/20 23:59:59
       Serial Number:
            >05<
       Issuer's Name:
            >CN=sampleCA.O=Test.SP=Poughkeepsie.C=US<
       Subject's Name:
            >CN=samplecert.O=Test.SP=Poughkeepsie.C=US<
       Subject's AltNames:
            IP: 127.0.0.5
            EMail: choi at us.ibm.com
            Domain: www.ibm.com
       Signing Algorithm: sha1RSA
       Key Usage: HANDSHAKE
       Key Type: RSA
       Key Size: 1024
    
    Certificate 2:
       Start Date: 2010/03/22 00:00:00
       End Date:   2020/10/22 23:59:59
       Serial Number:
            >02<
       Issuer's Name:
            >CN=MasterCA.O=Test.SP=Poughkeepsie.C=US<
       Subject's Name:
            >CN=sampleCA.O=Test.SP=Poughkeepsie.C=US<
       Signing Algorithm: sha256RSA
       Key Usage: CERTSIGN
       Key Type: RSA
       Key Size: 2048
    
    Certificate 3:
       Start Date: 2008/04/20 00:00:00
       End Date:   2038/04/20 23:59:59
       Serial Number:
            >00<
       Issuer's Name:
            >CN=MasterCA.O=Test.SP=Poughkeepsie.C=US<
       Subject's Name:
            >CN=MasterCA.O=Test.SP=Poughkeepsie.C=US<
       Signing Algorithm: sha256RSA
       Key Usage: CERTSIGN
       Key Type: RSA
       Key Size: 4096
    
    Chain information:
       Chain contains 3 certificate(s), chain is complete
  5. User NETADMN has a chain of digital certificates in a data set, and wants to know if the digital certificates are defined to RACF. The digital certificates are in data set 'NETADMN.SOMECHN.CERT'. NETADMN has CONTROL authority to the FACILITY class resource IRR.DIGTCERT.LIST. He issues the following RACDCERT command, and the output he receives indicates that only the end-entity certificate is in RACF, because the Label, Certificate ID, and Status fields are shown for that certificate but not the others. The output also shows that the end-entity certificate has expired, because the end date is before the current date.
    RACDCERT CHECKCERT('NETADMN.SOMECHN.CERT')
    
    Certificate 1:
    Digital certificate information for user CHOI:
    
       Label: samplecert
       Certificate ID: 2QbmxsPI1smJl4OFmaPy
       Status: TRUST
       Start Date: 2010/10/20 00:00:00
       End Date:   2011/10/20 23:59:59
       Serial Number:
            >05<
       Issuer's Name:
            >CN=sampleCA.O=Test.SP=Poughkeepsie.C=US<
       Subject's Name:
            >CN=samplecert.O=Test.SP=Poughkeepsie.C=US<
       Subject's AltNames:
            IP: 127.0.0.5
            EMail: choi at us.ibm.com
            Domain: www.ibm.com
       Signing Algorithm: sha1RSA
       Key Usage: HANDSHAKE
       Key Type: RSA
       Key Size: 1024
       Private Key: Yes
       PKDS Label: SAMPLECERT
    
    Certificate 2:
       Start Date: 2010/03/22 00:00:00
       End Date:   2020/10/22 23:59:59
       Serial Number:
            >02<
       Issuer's Name:
            >CN=MasterCA.O=Test.SP=Poughkeepsie.C=US<
       Subject's Name:
            >CN=sampleCA.O=Test.SP=Poughkeepsie.C=US<
       Signing Algorithm: sha256RSA
       Key Usage: CERTSIGN
       Key Type: RSA
       Key Size: 2048
    
    Certificate 3:
       Start Date: 2008/04/20 00:00:00
       End Date:   2038/04/20 23:59:59
       Serial Number:
            >00<
       Issuer's Name:
            >CN=MasterCA.O=Test.SP=Poughkeepsie.C=US<
       Subject's Name:
            >CN=MasterCA.O=Test.SP=Poughkeepsie.C=US<
       Signing Algorithm: sha256RSA
       Key Usage: CERTSIGN
       Key Type: RSA
       Key Size: 4096
    
    Chain information:
       Chain contains 3 certificate(s), chain is complete
       Chain contains expired certificate(s)
  6. User NETADMN has a chain of digital certificates in a data set, and wants to know if the digital certificates are defined to RACF. The digital certificates are in data set 'NETADMN.SOMECHN.CERT'. NETADMN has CONTROL authority to the FACILITY class resource IRR.DIGTCERT.LIST. He issues the following RACDCERT command, and the output he receives indicates that the certificates are not in RACF, because the Label, Certificate ID, and Status fields are not shown for any of them. The output also shows that the signature on certificate 2 is not valid.
    RACDCERT CHECKCERT('NETADMN.SOMECHN.CERT')
    
    Certificate 1:
       Start Date: 2011/10/20 00:00:00
       End Date:   2012/10/20 23:59:59
       Serial Number:
            >05<
       Issuer's Name:
            >CN=sampleCA.O=Test.SP=Poughkeepsie.C=US<
       Subject's Name:
            >CN=samplecert.O=Test.SP=Poughkeepsie.C=US<
       Subject's AltNames:
            IP: 127.0.0.5
            EMail: choi at us.ibm.com
            Domain: www.ibm.com
       Signing Algorithm: sha1RSA
       Key Usage: HANDSHAKE
       Key Type: RSA
       Key Size: 1024
       Private Key: No
    
    Certificate 2:
       Start Date: 2010/03/22 00:00:00
       End Date:   2020/10/22 23:59:59
       Serial Number:
            >02<
       Issuer's Name:
            >CN=MasterCA.O=Test.SP=Poughkeepsie.C=US<
       Subject's Name:
            >CN=sampleCA.O=Test.SP=Poughkeepsie.C=US<
       Signing Algorithm: sha256RSA
       Key Usage: CERTSIGN
       Key Type: RSA
       Key Size: 2048
       Private Key: No
    
    IRRD302I Processing terminated. Problem found in certificate 2 in the
    dataset.
    IRRD112I The certificate that you are processing does not have a
    valid signature.
  7. User NETADMN has a chain of digital certificates in a data set, and wants to know if the digital certificates are defined to RACF. The digital certificates are in data set 'NETADMN.SOMECHN.CERT'. NETADMN has CONTROL authority to the FACILITY class resource IRR.DIGTCERT.LIST. He issues the following RACDCERT command, and the output he receives indicates that certificate 1 is not in RACF, because the Label, Certificate ID, and Status fields are not shown for it. The output also shows that the name on certificate 2 contains a character that is not valid. Certificate 2 is not displayed, and processing of the command stops.
    RACDCERT CHECKCERT('NETADMN.SOMECHN.CERT')
    
    Certificate 1:
       Start Date: 2011/10/20 00:00:00
       End Date:   2012/10/20 23:59:59
       Serial Number:
            >05<
       Issuer's Name:
            >CN=sampleCA.O=Test.SP=Poughkeepsie.C=US<
       Subject's Name:
            >CN=samplecert.O=Test.SP=Poughkeepsie.C=US<
       Subject's AltNames:
            IP: 127.0.0.5
            EMail: choi at us.ibm.com
            Domain: www.ibm.com
       Signing Algorithm: sha1RSA
       Key Usage: HANDSHAKE
       Key Type: RSA
       Key Size: 1024
       Private Key: No
    
    IRRD302I Processing terminated. Problem found in certificate 2 in the
    dataset.
    IRRD182I Unexpected character encountered.
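The examples above share one reading rule: RACF prints the Label, Certificate ID, and Status lines only for a certificate that is in its database, reports an expired certificate in the chain summary, and stops with an IRRD302I message pair when a certificate in the data set cannot be processed. The following Python script is an added example, not part of this manual and not RACF code; it parses CHECKCERT output of the shape shown above (for instance, saved from a batch TSO job's listing) and reports, per certificate, whether it is defined to RACF and to which user, whether it has expired as of an assumed reference date, and whether it carries a SHA-1 signature or an RSA key shorter than 2048 bits, which a reviewer would flag even though RACF itself does not. The sample output embedded in the script is constructed from the shapes of Examples 5 and 6, not captured from a system; the reference date of 2012/01/01 and the weak-algorithm thresholds are the example's own assumptions. Requires Python 3.8 or later.

```python
import re
from datetime import datetime

# Fields CHECKCERT prints only when the certificate is already in the RACF
# database (Examples 1 and 5); their absence means "not defined to RACF".
RACF_ONLY_FIELDS = ("Label", "Certificate ID", "Status")

# Constructed sample (not captured output) in the shape of Examples 5 and 6:
# an end-entity certificate that is in RACF but expired, followed by an
# intermediate whose signature does not verify, so processing stops.
SAMPLE_OUTPUT = """\
Certificate 1:
Digital certificate information for user CHOI:
   Label: samplecert
   Certificate ID: 2QbmxsPI1smJl4OFmaPy
   Status: TRUST
   Start Date: 2010/10/20 00:00:00
   End Date:   2011/10/20 23:59:59
   Serial Number:
        >05<
   Issuer's Name:
        >CN=sampleCA.O=Test.SP=Poughkeepsie.C=US<
   Subject's Name:
        >CN=samplecert.O=Test.SP=Poughkeepsie.C=US<
   Signing Algorithm: sha1RSA
   Key Type: RSA
   Key Size: 1024
   Private Key: Yes
Certificate 2:
   Start Date: 2010/03/22 00:00:00
   End Date:   2020/10/22 23:59:59
   Serial Number:
        >02<
   Issuer's Name:
        >CN=MasterCA.O=Test.SP=Poughkeepsie.C=US<
   Subject's Name:
        >CN=sampleCA.O=Test.SP=Poughkeepsie.C=US<
   Signing Algorithm: sha256RSA
   Key Type: RSA
   Key Size: 2048
IRRD302I Processing terminated. Problem found in certificate 2 in the
dataset.
IRRD112I The certificate that you are processing does not have a
valid signature.
"""

def parse_checkcert(text):
    """Split CHECKCERT output into (certs, messages, chain_lines)."""
    certs, messages, chain = [], [], []
    cur, section = None, None
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if re.match(r"IRRD\d{3}[A-Z] ", line):        # IRRDnnnx diagnostic message
            section = "msg"
            messages.append(line)
        elif section == "msg":                        # wrapped message continuation
            messages[-1] += " " + line
        elif line == "Chain information:":
            section = "chain"
        elif section == "chain":
            chain.append(line)
        elif m := re.match(r"Certificate (\d+):$", line):   # next cert in a chain
            section = None
            cur = {"index": int(m.group(1))}
            certs.append(cur)
        else:
            if cur is None:                           # single-cert output has no header
                cur = {"index": 1}
                certs.append(cur)
            if line.startswith(">") and line.endswith("<"):   # >value<, may span lines
                cur[section] = cur.get(section, "") + line[1:-1]
                continue
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key.startswith("Digital certificate information for user "):
                cur["owner"] = key.rsplit(" ", 1)[1]
            elif key in ("Serial Number", "Issuer's Name", "Subject's Name"):
                section = key                         # value follows as >...< line(s)
            else:
                section = None
                cur[key] = value
    return certs, messages, chain

def assess(certs, messages, reference=datetime(2012, 1, 1)):
    """Findings a reviewer acts on; `reference` is the assumed current date."""
    out = []
    for c in certs:
        n = c["index"]
        if all(f in c for f in RACF_ONLY_FIELDS):
            out.append(f"cert {n}: in RACF for {c.get('owner', '?')}, status {c['Status']}")
        else:
            out.append(f"cert {n}: not in RACF")
        if datetime.strptime(c["End Date"], "%Y/%m/%d %H:%M:%S") < reference:
            out.append(f"cert {n}: expired {c['End Date'][:10]}")
        if c.get("Signing Algorithm", "").lower().startswith("sha1"):
            out.append(f"cert {n}: SHA-1 signature")
        if c.get("Key Type") == "RSA" and int(c.get("Key Size", "0")) < 2048:
            out.append(f"cert {n}: RSA key only {c['Key Size']} bits")
    out.extend("message: " + m.split(" ", 1)[0] for m in messages)
    return out
```

Running `assess(*parse_checkcert(SAMPLE_OUTPUT)[:2])` on the constructed sample reports certificate 1 as in RACF for user CHOI with status TRUST but expired, SHA-1 signed and 1024-bit, certificate 2 as not in RACF, and the IRRD302I/IRRD112I pair. Subject's AltNames sub-items are kept as ordinary key/value pairs, which is enough for the checks here; multi-line `>...<` values such as the two-line subject name in Example 1 are joined into one string.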





Copyright IBM Corporation 1990, 2014