
List:       racf-l
Subject:    Re: [EXTERNAL] Re: RACF Supplied Certificates
From:       Lennie Dymoke-Bradshaw <00000e14a09f4428-dmarc-request () LISTSERV ! UGA ! EDU>
Date:       2022-05-23 11:16:13
Message-ID: 001601d86e96$83a41cf0$8aec56d0$ () ntlworld ! com

These certificates are recreated during RACF initialisation. This is the
same process that will recreate IBMUSER with special and a known password if
you delete it.

Lennie Dymoke-Bradshaw
https://rsclweb.com 
'Dance like no one is watching. Encrypt like everyone is.'

-----Original Message-----
From: RACF Discussion List <RACF-L@LISTSERV.UGA.EDU> On Behalf Of BUCKLEY
Pete
Sent: 23 May 2022 10:46
To: RACF-L@LISTSERV.UGA.EDU
Subject: Re: [EXTERNAL] Re: RACF Supplied Certificates

I can confirm that if you delete this certificate, it reappears after an
IPL.
It really shouldn't be recreated after its expiry date, but we'll see.
I seem to recall IBM announcing a while back that RACF supplied certificates
would be phased out, but I can't recall the details. So if you needed it, as
Charles said, you can usually get these from the vendor.

You shouldn't have a problem with Healthchecker because the certificate is
recreated as NOTRUST.
The Healthchecker notes say:
IRRH277I No exceptions are detected. Expired certificates that are not
trusted or are associated with only a virtual key ring are not exceptions.

Pete Buckley
AXA
-----Original Message-----
From: RACF Discussion List <RACF-L@LISTSERV.UGA.EDU> On Behalf Of Charles
Mills
Sent: 23 May 2022 04:53
To: RACF-L@LISTSERV.UGA.EDU
Subject: [EXTERNAL] Re: RACF Supplied Certificates

I'm not sure how RACF could recreate it but I guess it could have a shadow
copy under the covers.

If you need an unexpired GeoTrust root you can't renew it (because you do
not "own" it and you do not have the private key) but you can probably
download a current one from the GeoTrust Web site.

Charles


-----Original Message-----
From: RACF Discussion List [mailto:RACF-L@LISTSERV.UGA.EDU] On Behalf Of
Rogerio Eugenio Malaquias Camargo
Sent: Sunday, May 22, 2022 5:17 PM
To: RACF-L@LISTSERV.UGA.EDU
Subject: RACF Supplied Certificates

Good Evening!

My SDSF Health Checker (CK) for "RACF_CERTIFICATE_EXPIRATION" shows that one of
the supplied digital certificates, CERTAUTH / LABEL: "GeoTrust Global CA", is
about to expire (I believe everyone has this certificate too).
As this particular CERTAUTH certificate is not used for signing others in my
RACF, I just deleted it from RACF. However, according to the RACF Security
Administrator's Guide, under Chapter 22 (RACF and Digital Certificates) page
579, it says "not delete the supplied certificates. If they do not exist at
IPL time, RACF initialization automatically added them. Therefore, if you
delete them, they are recreated at the next IPL."

I would like my SDSF Health Checker (CK) for "RACF_CERTIFICATE_EXPIRATION"
to show STATUS = SUCCESSFUL for this particular check.
Would I need to renew this particular certificate even if there is no reason
to keep it? Otherwise, how could I have STATUS=SUCCESSFUL in my CK, if I
delete the cert and it is recreated automatically at the next IPL?

Please, any idea is more than welcome.

Thanks,
Roger.

Also, I will submit a request to ibmdoc@us.ibm.com
to update (correct) the following text in the RACF Administrator's Guide:

+ PAGE  538:
From: "The RACDCERT command is your primary administrative tool for managing
digital certificates using RACF. Authority to use the RACDCERT command is
controlled through resources in the FACILITY class of the RDATALIB class."
To:      "The RACDCERT command is your primary administrative tool for
managing digital certificates using RACF. Authority to use the RACDCERT
command is controlled through resources in the FACILITY class or the
RDATALIB class"

+ PAGE 580:
From: 2. Modify each certificate to add the TRUST attribute.
Example: RACDCERT CERTAUTH ALTER(LABEL('GeoTrust Global CA')) NOTRUST

To: 2. Modify each certificate to add the TRUST attribute.
Example: RACDCERT CERTAUTH ALTER(LABEL('GeoTrust Global CA')) TRUST

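
The rule quoted from IRRH277I in the thread above, sketched as an added example that is not part of the original messages and is not IBM's Health Checker code. Assumptions: the listing layout is a constructed simplification (not verbatim RACDCERT LIST output), `Ring: (none)` stands for a certificate associated only with a virtual key ring, and the warning window is a caller-supplied parameter.

```python
from datetime import date, timedelta

# Constructed sample data; labels other than the GeoTrust one are hypothetical.
SAMPLE_LISTING = """\
Label: GeoTrust Global CA
Status: NOTRUST
End Date: 2022/05/20
Ring: (none)

Label: Example Internal CA
Status: TRUST
End Date: 2022/06/15
Ring: TLSRING

Label: Example Unused CA
Status: TRUST
End Date: 2022/06/01
Ring: (none)
"""

def parse_listing(text):
    """Turn the simplified listing into one dict per certificate."""
    certs = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        certs.append({
            "label": fields["Label"],
            "trusted": fields["Status"] != "NOTRUST",  # TRUST or HIGHTRUST
            "end": date(*map(int, fields["End Date"].split("/"))),
            "on_real_ring": fields["Ring"] != "(none)",
        })
    return certs

def expiration_exceptions(certs, today, warning_days):
    """Labels that would be exceptions: expired or expiring within the
    window, trusted, and connected to something beyond a virtual key ring."""
    cutoff = today + timedelta(days=warning_days)
    return [c["label"] for c in certs
            if c["end"] <= cutoff and c["trusted"] and c["on_real_ring"]]

if __name__ == "__main__":
    print(expiration_exceptions(parse_listing(SAMPLE_LISTING),
                                date(2022, 5, 23), 60))
```

The expired GeoTrust entry is skipped because it is NOTRUST, which is why a supplied certificate recreated at IPL does not turn the check back into an exception.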