IBM Security Z Security

Expand all | Collapse all

zSecure "FORALL" Command in RA.5.1 (Certificates)

  • 1.  zSecure "FORALL" Command in RA.5.1 (Certificates)

    Posted Fri October 09, 2020 09:42 AM
    Greetings,

    I'm trying to see if the "FORALL" zSecure Command can be used to generate RACDCERT DELETE commands based on the results of a query in RA.5.1 (RACF --> RACDCERT --> Certificates) and the "Digital certificate labels" field as it's needed for the commands.

    When trying to use !KEY, this contains the serial number, etc. I believe !KEY_MODIFIERS would be needed to some degree, but I haven't figured out how to incorporate this so that the "digtcert_label" CARLa field is used.

    Is this use-case currently possible, and if so how?

    ------------------------------
    Adam Klinger
    ------------------------------


  • 2.  RE: zSecure "FORALL" Command in RA.5.1 (Certificates)

    Posted Fri October 09, 2020 10:48 AM
    Hi Adam,

    No, this use case is not currently possible.

    FORALL support is limited to exactly what is described in the user reference manual. There is no special support for digital certificates.

    It is interesting that you are thinking of !KEY_MODIFIERS, but I think you should simply submit your real requirement if you want us to consider how to best support this use case.

    Regards,

    --Jeroen

    (In my mind, !KEY_MODIFIERS is there to ensure you target the right profile, when you might have multiple profiles with the same KEY, for example because you are looking at discrete profiles. I could see that there might also be a case for targeting field names (like DIGTCERT_LABEL) in the record in general. And there might be a third way to go about this. :-) )

    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------



  • 3.  RE: zSecure "FORALL" Command in RA.5.1 (Certificates)

    Posted Fri October 09, 2020 11:08 AM
    Thanks Jeroen, figured that was the case. I will think about if an RFE is warranted and how to word that.

    For now, some stand-alone CARLa did the trick to build commands based on similar panel-driven criteria.

    ------------------------------
    Adam Klinger
    ------------------------------



  • 4.  RE: zSecure "FORALL" Command in RA.5.1 (Certificates)

    Posted Mon October 12, 2020 03:49 AM

    Hi Adam

    For other RACF entities you could use a block command, typing DD at the first profile and another DD at the last.  This block capability is not available in RA.5.1, it seems.  Can you think about the best solution for your specific  business need and put this in the RFE?



    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 5.  RE: zSecure "FORALL" Command in RA.5.1 (Certificates)

    Posted Tue October 13, 2020 07:59 AM
    Sure Rob, one use-case which came up was mass deleting expired certificates, such as using RA.5.1 to filter on certificates which expired past a certain date, then using the "Forall" command to generate Deletes. Block "DD" support would work just as well for this one really.

    I can see using this technique for mass label renames as well (for example, change "digtcert_label" to "digtcert_label" || "old")

    Not really talking about hundreds of certificates but still would be nice to have

    ------------------------------
    Adam Klinger
    ------------------------------