
List:       racf-l
Subject:    Re: irrcerta - has been deleted
From:       Nigel Pentland <nigel () NIGELPENTLAND ! NET>
Date:       2015-07-20 20:55:15
Message-ID: 55AD6033.5070904 () nigelpentland ! net

Hi Dave,

I'd have to say some of the comments on this thread I found quite
scary.  I say that from the perspective of if I thought for a minute
that irrcerta had been deleted, I would be seriously worried.  I say
that because I use it for several internal Certificate Authorities from
which we issue certificates from RACF for use on other systems.

The important point in all of this to me is, when you delete a UserID, and
I assume the same applies equally to irrcerta although admittedly I
haven't tried it, RACF automatically and without any opportunity to
change your mind deletes ALL certificates owned by the UserID being
deleted!  If deleting the wrong certificate isn't scary enough, deleting
ALL CA certificates certainly is in my environment!

If I want to check that irrcerta is still there, I normally just look in
IRRDBU00.  If I had to confirm it was still on an active system, I'd
probably just list any CERTAUTH certificate.

Nigel...

On 20/07/2015 16:21, David Constable wrote:
> Interestingly enough, we discovered this issue when a user could not see the Label
> details for CA Certs in zSecure. As part of the investigation, we discovered that
> irrcerta didn't appear in a list of users in zSecure when using the Primary or
> Back-up Databases as input, but appeared in the unload taken earlier in the day.
>
> We too thought it unlikely to have been deleted, but as this type of user isn't
> subject to normal RACF commands, we couldn't list it using LU, so we couldn't verify
> that it existed in that way. We ran a DSMON but this also failed to show any of
> this type of user. It was only by chance that someone tried the search command.
> This seems to be the only way to find these types of IDs without a third party
> product.
>
> As a learning exercise, could the ID be deleted using Block Update, and if so what
> would be the impact?  Currently the ID owns the profiles for CA ROOT certificates
> in the DIGTCERT class and I wouldn't expect this to cause any problems. To resolve
> this, I would either look to restore from a previous backup of the RACF Database,
> or just IPL so that it was re-added.
>
> Thanks
> 
> Dave Constable

-- 
http://kimtag.com/nigelpentland 

