IBM Security Z Security


Listing Certificate Alternate Domain names

  • 1.  Listing Certificate Alternate Domain names

    Posted Tue April 19, 2022 05:22 PM

    Hello,

     

    I am using zSecure batch to list the digital certificates' Certificate AltName domain names, and the resulting report truncates the names after 40 characters. Is there a way to print out the full Certificate AltName domain names?

     

    sortlist class(tt,page) complex(nd,page,13),
      "complex"(tt,page) complex(tt,page,13)  stamp(tt),
      ,
      / digtcert_label(header,0,wrap),
      / :appldata(8,header,"Owner"),
        :certificate_trusted(d,header,"Trusted"),
        complex(d,13,header),
      / certificate_subject(header,0,wrap),
      / certificate_issuer_full(header,0,wrap),
      / certificate_serial(header,0,wrap),
    / / "CERTDATA segment"(cp(5)),
      / "----------------",
      / certstrt(p),
      / certend(p),
      / certprvt(p),
      / effective_certprvs(p),
      / certgreq(p,yesno),
      / certlser(p),
    / / "subjectAltName extension"(cp(5)),
      / "----------------",
      / certificate_alt_email(p),
      / certificate_alt_domain(p),
      / certificate_alt_ip(p),
      / certificate_alt_uri(p),
    / / "signing information"(cp(5)),
      / "-----------------------",
      / certificate_signing_alg(p),
    / / "keyUsage extension"(cp(5)),
      / "----------------",
      / certificate_keyusage(0,p,hor,wrap,keyusage_racf,
        explode,"RACF format"),
      / certificate_keyusage(0,p,hor,wrap,keyusage_x509,
        explode,"X509 format"),
      / ringname(header),
    / / "Key data set label information"(d,ch),
      / "------------------------------"(d,ch),
      / label_in_pkds(p,d),
      / label_in_tkds(p,d)

     

    Richard A. De Laat

     

    zSeries Security Strategy

     

    Info Security | 1525 West W.T. Harris Blvd., 4th Floor | Charlotte, NC 28288

    MAC: D1114-049

     

    Mailto:richard.a.delaat@wellfargo.com

     



  • 2.  RE: Listing Certificate Alternate Domain names

    Posted Wed April 20, 2022 02:31 AM

    Hi Richard,

    CARLa fields have a default output length that is used when no overriding specification is provided. For CERTIFICATE_ALT_DOMAIN that is indeed 40.

    If you want a different column width, you can specify the number as an override in brackets behind the field name. You can see examples in this query where for example COMPLEX is printed in a column of width 13 while the default is 8 [in this case, as part of the TT or TOPTITLE].

    If you want the output "with whatever length it actually has" you can specify the width as 0. Note that this can result in a "ragged column" when the actual lengths in the various records are different, so there are limitations when you use this in any position other than the last one on an output line.

    When "just" specifying the width as 0, it is possible for data to fall off at the end of the line when the line length is exceeded. If you still want to ensure that you see all the data, you can add the modifier WRAP to specify that the output should also be wrapped to the next line. In this case, the rest of the output will start in the same column position on the next line(s). You see that this specification has also been used in this query for some other fields.

    In this case, the field CERTIFICATE_ALT_DOMAIN is on a line by itself, so it should be fine to change it to:
    / certificate_alt_domain(p,0,wrap),

    Note that the P (short for PREFIX) modifier specifies that the field's "prefix header" (in this case "Certificate AltName domain") is printed before the output value. When the line is wrapped, the prefix header is repeated on each line, while the value occurs wrapped behind it as explained above. The prefix header takes up 29 characters [and is followed by a blank]. (This value is fixed so that a list of such fields has their values start in the same column.)

    I hope this helps,

    --Jeroen

    P.S. To see the default properties for the fields, you can use the FIELDS primary command in the ISPF UI, and then first go to BUILTIN, then to the newlist type (in this case RACF), and scroll down to the field (or, say, FIND AltName). That would show you the prefix header (as "Description") and the 40 ("Len"), among other things.



    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------
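
As an added example (not part of either post and not zSecure code), here is a Python check that scans a saved report for AltName domain values that fill the default 40-character column exactly, which is the sign of the truncation discussed above, and reassembles values that WRAP spread over several lines. It assumes the layout the reply describes (a 29-character prefix header followed by one blank); the report lines, domain names and the `sample_report` helper are constructed for illustration.

```python
PREFIX = "Certificate AltName domain"  # prefix header quoted in the reply
PREFIX_WIDTH = 29                      # fixed prefix header width (from the reply)
VALUE_COL = PREFIX_WIDTH + 1           # one blank follows the prefix header
DEFAULT_WIDTH = 40                     # default length of CERTIFICATE_ALT_DOMAIN


def alt_domain_values(report_text):
    """Return [value, line_count] per AltName domain entry.

    Consecutive lines repeating the prefix header are joined as one wrapped
    value, as the reply describes for WRAP (assumption: no other line sits
    between the pieces, and pieces are joined without a separator).
    """
    entries, in_run = [], False
    for line in report_text.splitlines():
        start = line.find(PREFIX)
        if start < 0:
            in_run = False
            continue
        piece = line[start + VALUE_COL:].rstrip()
        if in_run:
            entries[-1][0] += piece
            entries[-1][1] += 1
        else:
            entries.append([piece, 1])
        in_run = True
    return entries


def probably_truncated(report_text, width=DEFAULT_WIDTH):
    """Single-line values that fill the column exactly were likely cut off."""
    return [v for v, n in alt_domain_values(report_text) if n == 1 and len(v) == width]


def sample_report(values_per_cert):
    """Build a constructed report: one label line plus AltName line(s) per cert."""
    out = []
    for i, pieces in enumerate(values_per_cert):
        out.append(f"Label CONSTRUCTED.CERT.{i}")  # hypothetical non-matching line
        out += ["  " + PREFIX.ljust(PREFIX_WIDTH) + " " + p for p in pieces]
    return "\n".join(out)


LONG = "very-long-service-name.region-one.internal.example.com"  # constructed, 54 chars
SHORT = "www.example.com"                                        # constructed

if __name__ == "__main__":
    default_run = sample_report([[LONG[:DEFAULT_WIDTH]], [SHORT]])
    wrapped_run = sample_report([[LONG[:30], LONG[30:]], [SHORT]])
    print("default width:", probably_truncated(default_run))
    print("0,wrap       :", probably_truncated(wrapped_run), alt_domain_values(wrapped_run))
```

A name that really is 40 characters long is flagged as well, so a hit means the report should be rerun with `certificate_alt_domain(p,0,wrap)` before the names are relied on in a certificate review.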