zPET - IBM Z and z/OS Platform Evaluation and Test - Group home


By Lora Milczewski posted Wed March 25, 2020 12:09 PM


The RACF_CERTIFICATE_EXPIRATION health check, introduced in z/OS V2R1, allows RACF to identify all certificates which have expired and identify all certificates which are going to expire within x number of DAYS. DAYS is a user defined parameter whose default is 60. This health check is run once a day.

An example of the health check display:

                 Certificates Expiring within 60 Days                 


S Cert Owner  Certificate Label               End Date   Trust Rings 

- ------------ ------------------------------ ---------- ----- -----

E CERTAUTH    CA certificate for CICS server  2015-09-29 Yes   2    

E ID(WEBADM)  R13 ECC RPD4 SSL Cert           2015-10-16 Yes   2    

E ID(WTASYS)  DefaultWASCert.WTAWSFP          2015-11-01 Yes   1    

E ID(WT4SAR0) DefaultAdjunctCert.WT4BASE      2015-11-01 Yes   1    

 ID(SETUP)   Client cert for CICS workload    2015-10-03 No    0    

E ID(WTAW1)   DefaultAdjunctCert.WTAWSFP      2015-10-01 Yes   1    

E ID(WT4ACRU) DefaultWASDmgrCert.WT4CELL      2015-12-01 Yes   1    

 ID(SETUP)   Client cert for JA0 CICS         2015-11-27 No    0    


In the example above, we issued the display on 10/02/2015. The ‘E’ in the S column indicates there is an exception for this certificate. For example, the first certificate in the list has an ‘E’ in the S, status column. In this case, the certificate has already expired. There are other certificates listed with exceptions for example, the one with the label Client cert for JA0 CICS, that will expire on 11/27/2015. You’ll notice that some certificates are listed but are not marked as exceptions. This is because these certificates are not trusted.


When this health check was first made available, we had many expired certificates as a result of years of testing. Using the information in this health check we were able to clean up our certificate database on both of our plexes. At this point in time, we revisit the health check every month to monitor the RACF certificates. We let the number of DAYS default to 60 as we think it’s an adequate amount of time for those who own the certificates to take action on them whether it’s to regenerate new ones so there is no disruption of service or perhaps to delete them, if they are no longer in use.


We find this health check very beneficial to our environment as it gives us one place to view RACF certificates which have expired or will expire soon. This allows us to better manage our certificates to prevent disruption of service and to remove those certificates which are no longer in use.