Purpose
Use the RACDCERT LISTTOKEN command to display information about the certificate objects in a z/OS® PKCS #11 token.
Issuing options
The following table identifies the eligible options for issuing the RACDCERT LISTTOKEN command:

| As a RACF® TSO command? | As a RACF operator command? | With command direction? | With automatic command direction? | From the RACF parameter library? |
|---|---|---|---|---|
| Yes | No | No. (See rules.) | No. (See rules.) | No |

Rules: The following rules apply when issuing this command.
- The RACDCERT command cannot be directed to a remote system using the AT or ONLYAT keyword.
- The updates made to the RACF database by RACDCERT are eligible for propagation with automatic direction of application updates based on the RRSFDATA profiles AUTODIRECT.target-node.DIGTCERT.APPL and AUTODIRECT.target-node.DIGTRING.APPL, where target-node is the remote node to which the update is to be propagated.
Authorization required
To issue the RACDCERT LISTTOKEN command, you must have the following authorizations:
If you are not authorized by ICSF (through the CRYPTOZ class) to read the specified token, the command stops and an error message is displayed. If you are authorized to read the specified token but not authorized by RACF (through the FACILITY class) to list the RACF certificates, the output listing contains token information but no certificate information.

Table 1. Authority required for the RACDCERT LISTTOKEN function

| Your own certificate | Another user's certificate | SITE or CERTAUTH certificate |
|---|---|---|
| Sufficient authority to CRYPTOZ resources, and READ authority to IRR.DIGTCERT.LIST | Sufficient authority to CRYPTOZ resources, and UPDATE authority to IRR.DIGTCERT.LIST | Sufficient authority to CRYPTOZ resources, and CONTROL authority to IRR.DIGTCERT.LIST |

Related commands
- To list a certificate, see RACDCERT LIST.
- To list a key ring, see RACDCERT LISTRING.
Syntax
For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the RACDCERT LISTTOKEN command is:
RACDCERT LISTTOKEN(token-name | * )
Note: The ID(certificate-owner) | SITE | CERTAUTH parameter is ignored for this RACDCERT function.
If you specify more than one RACDCERT function, only the last specified function is processed. Extraneous keywords that are not related to the function being performed are ignored.
If you do not specify a RACDCERT function, LIST is the default function.
For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.
Parameters
- LISTTOKEN(token-name | * )
  To list all tokens that the command issuer is authorized to access, specify LISTTOKEN(*).
  For each certificate object in the token that the command issuer is authorized to access with at least READ authority, the following information is displayed:
  - The token name
  - The sequence number of the certificate object in the token
  - The DEFAULT status of the certificate within the token
  - The status indicating whether the certificate has an associated private key
  - The status indicating whether the certificate has an associated public key
  - The certificate's usage within the token (PERSONAL, SITE or CERTAUTH)
  - The ICSF token data set (TKDS) label assigned to the certificate object.
  - If the certificate is installed in RACF, the RACF label of the certificate.
  - If the certificate is installed in RACF, the owner of the certificate is listed as one of the following values:
    - ID(certificate-owner)
    - CERTAUTH
    - SITE
Examples

| Example 1 | |
|---|---|
| Operation | The security administrator wants to display information for all certificate objects in the z/OS PKCS #11 token called VENDOR.TOKEN. |
| Known | |
| Commands | RACDCERT LISTTOKEN(VENDOR.TOKEN) |
| Output | See Figure 1. |

Figure 1. Output of RACF details from the RACDCERT LISTTOKEN command
RACDCERT LISTTOKEN(VENDOR.TOKEN)
Token: VENDOR.TOKEN
Seq Num Attributes Labels
-------- ------------------------------- --------------------------------------
1 Default: YES Priv Key: SECURE TKDS: HTTP Serv
Usage: PERSONAL Pub Key: YES RACF: Webserver Cert
Owner: ID(WEBSRV)
3 Default: NO Priv Key: NONE TKDS: Extranet CA
Usage: CERTAUTH Pub Key: NONE RACF: Extranet CA
Owner: CERTAUTH
4 Default: NO Priv Key: CLEAR TKDS: Code signing certificate
Usage: PERSONAL Pub Key: NONE
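
A saved listing like Figure 1 can be reviewed mechanically. The following Python is an added example, not part of the IBM documentation: the hypothetical functions `parse_listtoken` and `review` parse LISTTOKEN output and report objects whose private key status is CLEAR or that show no RACF label. Treating those two conditions as review items is this example's assumption, and a missing RACF label can also mean the issuer lacked FACILITY class authority to list the certificate.

```python
import re

KEYS = r"(?:Default|Priv Key|Usage|Pub Key|TKDS|RACF|Owner)"
# A value runs up to the next known key or the end of the line, so labels may contain spaces.
FIELD = re.compile(rf"({KEYS}):\s*(.*?)(?=\s+{KEYS}:|\s*$)")
SEQ = re.compile(r"^\s*(\d+)\s+(?=Default:)")    # first line of a certificate object
TOKEN = re.compile(r"^\s*Token:\s*(\S+)")        # repeats per token with LISTTOKEN(*)

# Constructed sample: the Figure 1 listing as shown on this page.
SAMPLE = """\
Token: VENDOR.TOKEN
Seq Num Attributes Labels
-------- ------------------------------- --------------------------------------
1 Default: YES Priv Key: SECURE TKDS: HTTP Serv
Usage: PERSONAL Pub Key: YES RACF: Webserver Cert
Owner: ID(WEBSRV)
3 Default: NO Priv Key: NONE TKDS: Extranet CA
Usage: CERTAUTH Pub Key: NONE RACF: Extranet CA
Owner: CERTAUTH
4 Default: NO Priv Key: CLEAR TKDS: Code signing certificate
Usage: PERSONAL Pub Key: NONE
"""

def parse_listtoken(text):
    """Return one dict per certificate object, keyed by the listing's field names."""
    objects, token, cur = [], None, None
    for line in text.splitlines():
        m = TOKEN.match(line)
        if m:
            token, cur = m.group(1), None
            continue
        m = SEQ.match(line)
        if m:
            cur = {"Token": token, "Seq": int(m.group(1))}
            objects.append(cur)
        if cur is not None:  # header and separator lines carry no known keys
            cur.update({k: v.strip() for k, v in FIELD.findall(line)})
    return objects

def review(objects):
    """Assumed review policy: flag CLEAR private keys and objects with no RACF label."""
    findings = []
    for o in objects:
        if o.get("Priv Key") == "CLEAR":
            findings.append((o["Token"], o["Seq"], "private key status CLEAR"))
        if not o.get("RACF"):
            findings.append((o["Token"], o["Seq"], "no RACF label listed"))
    return findings
```

Run against the sample, `review(parse_listtoken(SAMPLE))` reports only sequence number 4, once for each condition.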