Purpose
Use the RACDCERT REMOVE command to remove a digital certificate from a key ring.
See UTF-8 and BMP character restrictions for information about how UTF-8 and BMP characters in certificate names and labels are processed by RACDCERT functions.
Issuing options
The following table identifies the eligible options for issuing the RACDCERT REMOVE command:

| As a RACF® TSO command? | As a RACF operator command? | With command direction? | With automatic command direction? | From the RACF parameter library? |
|---|---|---|---|---|
| Yes | No | No. (See rules.) | No. (See rules.) | No |

Rules: The following rules apply when issuing this command.
- The RACDCERT command cannot be directed to a remote system using the AT or ONLYAT keyword.
- The updates made to the RACF database by RACDCERT are eligible for propagation with automatic direction of application updates based on the RRSFDATA profiles AUTODIRECT.target-node.DIGTCERT.APPL and AUTODIRECT.target-node.DIGTRING.APPL, where target-node is the remote node to which the update is to be propagated.
Authorization required
To issue the RACDCERT REMOVE command, you must have the SPECIAL attribute or sufficient authority to the IRR.DIGTCERT.REMOVE resource in the FACILITY class for your intended purpose.

Table 1. Authority required for the RACDCERT REMOVE function

| IRR.DIGTCERT.REMOVE access level | Purpose |
|---|---|
| READ | Remove a certificate from your own key ring. |
| UPDATE | Remove a SITE or CERTAUTH certificate from your own key ring. |
| CONTROL | Remove a certificate from another user's key ring. |
Activating your changes
If the DIGTCERT or DIGTRING class is RACLISTed, refresh the classes to activate your changes.
Example:
    SETROPTS RACLIST(DIGTCERT, DIGTRING) REFRESH
Related commands
- To connect a certificate to a key ring, see RACDCERT CONNECT.
- To list a key ring, see RACDCERT LISTRING.
Syntax
For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the RACDCERT REMOVE command is:

    RACDCERT REMOVE([ID(certificate-owner) | SITE | CERTAUTH]
    LABEL('label-name')
    RING(ring-name)
    ) [ ID(ring-owner) ]

If you specify more than one RACDCERT function, only the last specified function is processed. Extraneous keywords that are not related to the function being performed are ignored.
If you do not specify a RACDCERT function, LIST is the default function.
For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.
Parameters
- REMOVE(ID(certificate-owner) LABEL('label-name') RING(ring-name))
- REMOVE(SITE LABEL('label-name') RING(ring-name))
- REMOVE(CERTAUTH LABEL('label-name') RING(ring-name))
- Specifies the digital certificate to be removed from the key ring. ID(certificate-owner) indicates that the certificate being removed is a user certificate, and certificate-owner is the user ID associated with this certificate. SITE indicates that the certificate being removed is a site certificate, and CERTAUTH indicates that it is a certificate authority certificate. If ID, SITE or CERTAUTH are not specified, ID(certificate-owner) defaults to the key ring owner as specified or defaulted by the ID(ring-owner) keyword.
- LABEL('label-name')
- Identifies the certificate that is being removed from the key ring. You must specify a label.
- RING(ring-name)
- Identifies the key ring from which this certificate is being removed. You must specify a ring name. Note: The key ring belongs to the ID specified or defaulted by the ID(ring-owner) keyword.
- ID(ring-owner)
- Specifies the user ID of the key ring owner. (Only a user ID can have a key ring.) If not specified, the key ring owner defaults to the command issuer's user ID.
Examples
| Example 1 | |
|---|---|
| Operation | User RACFADM wants to remove a SITE certificate with the label Shared Server from the RING01 key ring of server INVSERV. |
| Known | User RACFADM has SPECIAL authority. |
| Command | RACDCERT ID(INVSERV) REMOVE(SITE LABEL('Shared Server') RING(RING01)) |
| Output | None. |
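
The defaulting rules under Parameters and the access levels in Table 1 combine into a single decision. The following added example (not IBM code) resolves the defaults, builds the command text, and reports the minimum access to IRR.DIGTCERT.REMOVE that an issuer without the SPECIAL attribute would need. The names plan_remove and RemovePlan are assumptions of this example, and refusing quote characters inside a label is a simplification it makes.

```python
# Added example: pre-flight planner for RACDCERT REMOVE (not IBM code).
from dataclasses import dataclass
from typing import Optional


@dataclass
class RemovePlan:
    command: str     # command text to issue as a RACF TSO command
    ring_owner: str  # resolved owner of the key ring
    cert_owner: str  # resolved owner: a user ID, SITE or CERTAUTH
    min_access: str  # minimum access to IRR.DIGTCERT.REMOVE (FACILITY)


def plan_remove(issuer: str, label: str, ring: str,
                ring_owner: Optional[str] = None,
                cert_type: Optional[str] = None) -> RemovePlan:
    """cert_type is None, 'SITE', 'CERTAUTH', or a certificate owner's user ID."""
    if not label or not ring:
        raise ValueError("LABEL and RING are both required")
    if any(q in label for q in ("'", "\u2018", "\u2019")):
        # Simplification of this example: refuse quotes inside the label.
        raise ValueError("label contains a quote character")

    issuer = issuer.upper()
    # ID(ring-owner) defaults to the command issuer's user ID.
    resolved_ring_owner = (ring_owner or issuer).upper()
    # ID(certificate-owner) defaults to the key ring owner.
    resolved_cert_owner = (cert_type or resolved_ring_owner).upper()
    is_shared = resolved_cert_owner in ("SITE", "CERTAUTH")

    # Table 1, most demanding condition first.
    if resolved_ring_owner != issuer:
        access = "CONTROL"   # another user's key ring
    elif is_shared:
        access = "UPDATE"    # SITE or CERTAUTH certificate, own key ring
    else:
        access = "READ"      # certificate on own key ring

    if cert_type is None:
        selector = ""        # let RACF default the certificate owner
    elif is_shared:
        selector = resolved_cert_owner + " "
    else:
        selector = f"ID({resolved_cert_owner}) "
    prefix = f"RACDCERT ID({resolved_ring_owner}) " if ring_owner else "RACDCERT "
    command = f"{prefix}REMOVE({selector}LABEL('{label}') RING({ring}))"
    return RemovePlan(command, resolved_ring_owner, resolved_cert_owner, access)
```

For the request in Example 1, the planner reproduces the documented command and reports CONTROL, the access RACFADM would need if it did not have SPECIAL.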