this is an interesting problem to solve - from a security database standpoint, we are seeing 3 first class citizens - identities, permissions, and now certificates to "remove" so we can reduce the risk posture.
Since the publishing of this thread, has anyone found a viable solution? I'd like to discuss some possibilities here from a market approach - this seems like a prime opportunity to deliver value to address this pain point and need. Looking at SMF records can become unwieldy very quickly.
i'm happy to connect with anyone that is interested in solving this problem (feel free to connect with me)
------------------------------
Milan Patel
------------------------------
Original Message:
Sent: Tue September 03, 2024 05:05 AM
From: Mikael Rasmussen
Subject: CArla code to check usage of certificates
Thank you, Peter.
Looks like an interesting angle that I will try to look into.
------------------------------
Mikael Rasmussen
Senior Mainframe Security Engineer
Danske Bank
Brabrand
+4540766221
Original Message:
Sent: Tue September 03, 2024 04:43 AM
From: Peter Weigold
Subject: CArla code to check usage of certificates
Hello,
The only (host based) way I have found so far is by looking in the SMF 119 zERT records. There is a DN Section which contains the DN of all certificates being used. If it is not clear from this which certificate is used, the only option is to start collecting ZERTDETAIL (SMF 119 Subtype 11) records. In the TLS Section in these records the certificate serial number should be available.
------------------------------
Peter Weigold
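The approach above produces a stream of zERT observations that still has to be matched against the RACF certificate inventory. The following is an added example, not code from any poster: it takes already decoded subtype 11 observations (the flat CSV shape and column names are assumptions; the real SMF 119 record is binary) plus a constructed inventory, and reports which certificates were never seen in a TLS handshake inside the collection window.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: a RACF certificate inventory as it might be exported
# from RACDCERT LIST output (column names are assumptions, not a real format).
INVENTORY_CSV = """ring_owner,label,serial
WEBSRV,WEBSRV-TLS-2023,01A7F3
WEBSRV,WEBSRV-TLS-2021,0091C2
BATCHAP,BATCHAP-CLIENT,00B44E
"""

# Constructed sample: zERT connection-detail observations (SMF 119 subtype 11)
# after decoding, reduced to the fields this check needs. The real record is
# binary; this flat shape is an assumption made for the example.
ZERT_CSV = """timestamp,subtype,local_cert_serial
2024-08-30T10:15:00,11,01A7F3
2024-08-31T23:40:00,11,1a7f3
2024-06-02T08:00:00,11,0091C2
2024-08-20T12:00:00,12,00B44E
"""

def norm_serial(s):
    # Serial numbers are hex; compare case-insensitively and ignore leading zeros.
    return s.strip().upper().lstrip("0") or "0"

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def certificate_last_seen(inventory_csv, zert_csv, window_end, window_days):
    """Return {label: last_seen datetime or None} for every inventory cert.
    Only subtype 11 records inside the window count as evidence of use."""
    window_start = window_end - timedelta(days=window_days)
    seen = {}
    for rec in load(zert_csv):
        ts = datetime.fromisoformat(rec["timestamp"])
        if rec["subtype"] != "11" or ts < window_start or ts > window_end:
            continue
        key = norm_serial(rec["local_cert_serial"])
        seen[key] = max(seen.get(key, ts), ts)
    return {c["label"]: seen.get(norm_serial(c["serial"]))
            for c in load(inventory_csv)}

def decommission_candidates(inventory_csv, zert_csv, window_end, window_days=90):
    """Labels with no subtype 11 observation in the window: 'not observed',
    which is weaker evidence than 'not used'."""
    report = certificate_last_seen(inventory_csv, zert_csv, window_end, window_days)
    return sorted(label for label, last in report.items() if last is None)

if __name__ == "__main__":
    end = datetime(2024, 9, 1)
    for label, last in certificate_last_seen(INVENTORY_CSV, ZERT_CSV, end, 90).items():
        print(f"{label:20} last seen: {last or 'not observed in window'}")
```

zERT only sees connections protected by z/OS Communications Server (TLS, SSH, IPSec), so a certificate used purely for signing or by an application that does its own crypto will show as "not observed" even when it is in use.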
Original Message:
Sent: Sun September 01, 2024 09:55 AM
From: Mikael Rasmussen
Subject: CArla code to check usage of certificates
I believe the question is of relevance for a lot of us.
From time to time, I do get a similar question from different system programmers. And I would indeed appreciate the possibility to determine whether a given certificate is in fact in use, but so far I can only give vague indications.
The use of IRR.DIGTCERT.LISTRING and IRR.DIGTCERT.LIST in the FACILITY class may be of interest. If the RDATALIB class is active, you may be able to determine whether a given keyring is in use, but the use of a specific certificate seems to be concealed for ordinary mortals. Perhaps the use of keys in CSFKEYS may be of interest if the certificates have a key in PKDS? Or the SMF 119 records used by zERT could possibly help clarify.
If anyone can shed light on the subject, I am all ears...
Mikael Rasmussen
Danske Bank
------------------------------
Mikael Rasmussen
Senior Mainframe Security Engineer
Danske Bank
Brabrand
+4540766221
Original Message:
Sent: Tue August 27, 2024 12:42 PM
From: Lynn Gilson
Subject: CArla code to check usage of certificates
Hello Marc,
I have the same need. Did you ever arrive at a solution for the zCarla code for this?
Lynn Gilson
------------------------------
Lynn Gilson
Lynn
Original Message:
Sent: Thu July 07, 2022 07:39 AM
From: Marc Massart
Subject: CArla code to check usage of certificates
Hi,
I'm trying some CARLa code to get a report of RACF certificate usage (Access Monitor or SMF), but I seem to get nowhere.
I'm trying to report on the usage of DIGTCERT and DIGTRING to see if a certificate is still used. We are in the process of decommissioning some applications, and to be sure the certificates can be deleted, I need some reporting.
I tried SMF:
OPTION EMPTYLIST=HIDE REQUIRED
Suppress CKFREEZE
N TYPE=SMF N=SMFSEL
S,
CLASS=FACILITY PROFILE=IRR.DIGTCERT.LIST
SORTLIST,
CERTIFICATE_ISSUER,
CERTIFICATE_LABEL,
CERTIFICATE_SERIAL,
CERTIFICATE_SUBJECT
Or
OPTION EMPTYLIST=HIDE REQUIRED
Suppress CKFREEZE
N TYPE=SMF N=SMFSEL
S,
CLASS=FACILITY PROFILE=IRR.DIGTCERT.LISTRING
SORTLIST,
CERTIFICATE_ISSUER,
CERTIFICATE_LABEL,
CERTIFICATE_SERIAL,
CERTIFICATE_SUBJECT
I tried Access monitor:
newlist type=access nodetailinherit required
select ,class=DIGTCERT resource=**
sortlist class,
resource , access_count last_tod,
jobname userid access_proftype ,
access_profile ,
intent ,
access_allowed,
access_result
Or instead of DIGTCERT I used DIGTRING, but I am still getting nowhere.
Either I get errors, or I get an empty report.
Any ideas?
Regards,
Marc Massart
Marc MASSART
Mainframe Security & Risks - Consultant Mainframe Services - IT Mainframe Services
BNP Paribas Fortis NV - Warandeberg 3, 1CP2A, 1000 Brussel