RACDCERT REMOVE (Remove certificate from key ring)

Purpose

Use the RACDCERT REMOVE command to remove a digital certificate from a key ring.

See UTF-8 and BMP character restrictions for information about how UTF-8 and BMP characters in certificate names and labels are processed by RACDCERT functions.

Issuing options

The following table identifies the eligible options for issuing the RACDCERT REMOVE command:

As a RACF® TSO command?	As a RACF operator command?	With command direction?	With automatic command direction?	From the RACF parameter library?
Yes	No	No. (See rules.)	No. (See rules.)	No
Rules: The following rules apply when issuing this command. The RACDCERT command cannot be directed to a remote system using the AT or ONLYAT keyword. The updates made to the RACF database by RACDCERT are eligible for propagation with automatic direction of application updates based on the RRSFDATA profiles AUTODIRECT.target-node.DIGTCERT.APPL and AUTODIRECT.target-node.DIGTRING.APPL, where target-node is the remote node to which the update is to be propagated.

Authorization required

To issue the RACDCERT REMOVE command, you must have the SPECIAL attribute or sufficient authority to the IRR.DIGTCERT.REMOVE resource in the FACILITY class for your intended purpose.

Table 1. Authority required for the RACDCERT REMOVE function
IRR.DIGTCERT.REMOVE
Access level	Purpose
READ	Remove a certificate from your own key ring.
UPDATE	Remove a SITE or CERTAUTH certificate from your own key ring.
CONTROL	Remove a certificate from another user's key ring.

Activating your changes

If the DIGTCERT or DIGTRING class is RACLISTed, refresh the classes to activate your changes.

Example:

SETROPTS RACLIST(DIGTCERT, DIGTRING) REFRESH

Related commands

To connect a certificate to a key ring, see RACDCERT CONNECT.
To list a key ring, see RACDCERT LISTRING.

Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the RACDCERT REMOVE command is:


RACDCERT REMOVE([ID(certificate-owner) \| SITE \| CERTAUTH]
LABEL('label-name') RING(ring-name) ) [ ID(ring-owner) ]

If you specify more than one RACDCERT function, only the last specified function is processed. Extraneous keywords that are not related to the function being performed are ignored.

If you do not specify a RACDCERT function, LIST is the default function.

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.

Parameters

REMOVE(ID(certificate-owner) LABEL('label-name') RING(ring-name))
REMOVE(SITE LABEL('label-name') RING(ring-name))
REMOVE(CERTAUTH LABEL('label-name') RING(ring-name)): Specifies the digital certificate to be removed from the key ring.
ID(certificate-owner) indicates that the certificate being removed is a user certificate, and certificate-owner is the user ID associated with this certificate. SITE indicates that the certificate being removed is a site certificate, and CERTAUTH indicates that it is a certificate authority certificate. If ID, SITE or CERTAUTH are not specified, ID(certificate-owner) defaults to the key ring owner as specified or defaulted by the ID(ring-owner) keyword.
LABEL('label-name'): Identifies the certificate that is being removed from the key ring. You must specify a label.
RING(ring-name): Identifies the key ring from which this certificate is being removed. You must specify a ring name. Note: The key ring belongs to the ID specified or defaulted by the ID(ring-owner) keyword.
ID(ring-owner): Specifies the user ID of the key ring owner. (Only a user ID can have a key ring.) If not specified, the key ring owner defaults to the command issuer's user ID.

Examples


Example 1	Operation	User RACFADM wants to remove a SITE certificate with the label `Shared Server` from the `RING01` key ring of server INVSERV.
	Known	User RACFADM has SPECIAL authority.
	Command	`RACDCERT ID(INVSERV) REMOVE(SITE LABEL(’Shared Server’) RING(RING01))`
	Output	None.