z/OS Security Server RACF Command Language Reference


RACDCERT LISTTOKEN (List token)

SA23-2292-00

Purpose

Use the RACDCERT LISTTOKEN command to display information about the certificate objects in a z/OS® PKCS #11 token.

Issuing options

The following table identifies the eligible options for issuing the RACDCERT LISTTOKEN command:
Issuing option                            Eligible?
As a RACF® TSO command?                   Yes
As a RACF operator command?               No
With command direction?                   No. (See rules.)
With automatic command direction?         No. (See rules.)
From the RACF parameter library?          No
Rules: The following rules apply when issuing this command.
  • The RACDCERT command cannot be directed to a remote system using the AT or ONLYAT keyword.
  • The updates made to the RACF database by RACDCERT are eligible for propagation with automatic direction of application updates based on the RRSFDATA profiles AUTODIRECT.target-node.DIGTCERT.APPL and AUTODIRECT.target-node.DIGTRING.APPL, where target-node is the remote node to which the update is to be propagated.

Authorization required

To issue the RACDCERT LISTTOKEN command, you must have the following authorizations:
  • The SPECIAL attribute, or sufficient authority to the IRR.DIGTCERT.LIST resource in the FACILITY class based on the certificate owner.
  • When your installation controls access to ICSF services and the CSFSERV class is active, READ access to the CSF1GAV and CSF1TRL resources in the CSFSERV class.
  • Sufficient authority to the appropriate resources in the CRYPTOZ class.

    For details about CRYPTOZ and CSFSERV resources, see z/OS Cryptographic Services ICSF Administrator's Guide.

If you are not authorized by ICSF (through the CRYPTOZ class) to read the specified token, the command stops and an error message is displayed. If you are authorized to read the specified token but not authorized by RACF (through the FACILITY class) to list the RACF certificates, the output listing contains token information but no certificate information.
Table 1. Authority required for the RACDCERT LISTTOKEN function
Your own certificate:          Sufficient authority to CRYPTOZ resources, and READ authority to IRR.DIGTCERT.LIST
Another user's certificate:    Sufficient authority to CRYPTOZ resources, and UPDATE authority to IRR.DIGTCERT.LIST
SITE or CERTAUTH certificate:  Sufficient authority to CRYPTOZ resources, and CONTROL authority to IRR.DIGTCERT.LIST

Related commands

  • To list a certificate, see RACDCERT LIST.
  • To list a key ring, see RACDCERT LISTRING.

Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the RACDCERT LISTTOKEN command is:

Note: The ID(certificate-owner) | SITE | CERTAUTH parameter is ignored for this RACDCERT function.

If you specify more than one RACDCERT function, only the last specified function is processed. Extraneous keywords that are not related to the function being performed are ignored.

If you do not specify a RACDCERT function, LIST is the default function.

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.

Parameters

LISTTOKEN(token-name | * )
To list all tokens that the command issuer is authorized to access, specify LISTTOKEN (*).
For each certificate object in the token that the command issuer is authorized to access with at least READ authority, the following information is displayed:
  • The token name
  • The sequence number of the certificate object in the token
  • The DEFAULT status of the certificate within the token
  • The status indicating whether the certificate has an associated private key
  • The status indicating whether the certificate has an associated public key
  • The certificate's usage within the token (PERSONAL, SITE or CERTAUTH)
  • The ICSF token data set (TKDS) label assigned to the certificate object
  • If the certificate is installed in RACF, the RACF label of the certificate
  • If the certificate is installed in RACF, the owner of the certificate is listed as one of the following values:
    • ID(certificate-owner)
    • CERTAUTH
    • SITE

Examples

Example 1
Operation: The security administrator wants to display information for all certificate objects in the z/OS PKCS #11 token called VENDOR.TOKEN.
Known:
Commands: RACDCERT LISTTOKEN(VENDOR.TOKEN)
Output: See Figure 1.
Figure 1. Output of RACF details from the RACDCERT LISTTOKEN command
RACDCERT LISTTOKEN(VENDOR.TOKEN)

Token: VENDOR.TOKEN

 Seq Num  Attributes                       Labels
 -------- -------------------------------  --------------------------------------
        1 Default: YES   Priv Key: SECURE  TKDS: HTTP Serv
          Usage: PERSONAL Pub Key: YES     RACF: Webserver Cert
          Owner: ID(WEBSRV)

        3 Default: NO    Priv Key: NONE    TKDS: Extranet CA
          Usage: CERTAUTH Pub Key: NONE    RACF: Extranet CA   
          Owner: CERTAUTH

        4 Default: NO    Priv Key: CLEAR   TKDS: Code signing certificate
          Usage: PERSONAL Pub Key: NONE
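
As an added example (not IBM documentation or code), the following Python parses a LISTTOKEN listing into one record per certificate object and runs two review checks over it: a Priv Key value of CLEAR, and a missing RACF label, which the Parameters section above says appears only when the certificate is installed in RACF. The sample input is the Figure 1 output copied inline; the field names are taken from that listing, and the record-boundary and column handling are assumptions about how the output is laid out.

```python
import re
SAMPLE = """\
Token: VENDOR.TOKEN

 Seq Num  Attributes                       Labels
 -------- -------------------------------  --------------------------------------
        1 Default: YES   Priv Key: SECURE  TKDS: HTTP Serv
          Usage: PERSONAL Pub Key: YES     RACF: Webserver Cert
          Owner: ID(WEBSRV)

        3 Default: NO    Priv Key: NONE    TKDS: Extranet CA
          Usage: CERTAUTH Pub Key: NONE    RACF: Extranet CA
          Owner: CERTAUTH

        4 Default: NO    Priv Key: CLEAR   TKDS: Code signing certificate
          Usage: PERSONAL Pub Key: NONE
"""  # constructed input: the Figure 1 listing above, as captured from a TSO session
ATTR_RE = re.compile(r"(Default|Priv Key|Usage|Pub Key|Owner): (\S+)")
LABEL_RE = re.compile(r"\b(TKDS|RACF): (.*)$")  # label text may contain spaces

def parse_listtoken(text):
    """Return {token name: [record dicts]}, one record per certificate object."""
    tokens, token, rec = {}, None, None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if line.startswith("Token: "):              # start of a token's section
            token, rec = line[7:], None
            tokens[token] = []
            continue
        if token is None or not line.strip() or line.lstrip().startswith(("Seq Num", "---")):
            continue
        start = re.match(r"\s*(\d+)\s", line)       # a record begins with its Seq Num
        if start:
            rec = {"seq": int(start.group(1))}
            tokens[token].append(rec)
        elif rec is None:                           # continuation line before any record: skip
            continue
        label = LABEL_RE.search(line)               # split off the Labels column first
        if label:
            rec[label.group(1)] = label.group(2).strip()
        for key, val in ATTR_RE.findall(line[:label.start()] if label else line):
            rec[key] = val
    return tokens

def audit(tokens):
    """Findings worth review: clear private keys, and objects not installed in RACF."""
    return [(name, r["seq"], msg) for name, recs in tokens.items() for r in recs
            for cond, msg in ((r.get("Priv Key") == "CLEAR", "private key stored as a clear key"),
                              ("RACF" not in r, "no RACF label: object not installed in RACF"))
            if cond]
```

For the Figure 1 listing, `audit(parse_listtoken(SAMPLE))` reports only sequence number 4, on both checks.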

Copyright IBM Corporation 1990, 2014