Other CA ACF2 Utilities
This section describes the following CA ACF2 Utilities:
ACFDEL-TSO Data Disposal Command
The ACFDEL command removes all data from allocated, non-VSAM, direct-access data sets, or from an entire volume.
ACFERASE-The Data Disposal Utility
The ACFERASE utility erases an entire tape volume or removes all data from an allocated, non-VSAM, direct access (DASD) data set. This utility provides an important function because the data from a deleted data set still occupies storage unless overwritten. This could accidentally provide users access to the sensitive data that was previously stored there.
- For VSAM data sets, use the Access Method Services utility (IDCAMS) to provide this function when the VSAM data set is defined.
- For DASD data sets, ACFERASE erases each track allocated to the data set. ACFERASE processes the entire data space, regardless of logical end-of-data-set indicators.
- For tape data sets, the ACFERASE utility uses the data security erase command to erase the entire volume from the load point (ACFERASE specifically rewinds the tape to the load point). Use of the data security erase operation does not inhibit the control unit from processing requests for other tape drives while it is in progress. For 2400 series tape drives that do not support DSE (data security erase), ACFERASE writes tape marks across the entire tape volume.
Selects all DD statements with the first two characters of DD. Any number of DD statements can be coded; all will be processed.
Specifies input parameter information for all of the ACFERASE parameters. ACFERASE can accept parameter input from either the SYSIN file or the JCL PARM field. If the SYSIN file is not defined and ACFERASE requires parameter specifications through the SYSIN file, an error is generated.
The SYSIN input file must have a record format of F, FB, or VB.
- For fixed format records, the last eight columns are assumed to contain sequence numbers and are ignored.
- For variable format records, the first eight characters are assumed to be the sequence field and are ignored.
The dash (-) can be specified as the last nonblank character of an input record to indicate that the next input record is to be considered a continuation of the current record. The concatenation process proceeds such that the first character of the next record takes the position of the dash and all subsequent characters follow thereafter; blanks after the dash on the record to be continued are ignored.
If ACFERASE is executed on an online system (such as TSO at z/OS sites by the CALL command), one of the following processing modes can be invoked:
- ACFERASE requires SYSIN input-Input is obtained from either the data set to which the SYSIN file is allocated or, if the SYSIN file is not allocated, from the usage terminal.
- SYSIN file is an optional extension of JCL PARM field-Input is accepted only if the last nonblank character of the CALL program parameter operand is a dash:
- Code the CALL parameter operand in quotes.
- If no dash is coded, any SYSIN allocation is ignored.
- If the dash is coded, input is taken from the data set where the SYSIN file is allocated, or from the terminal.
- The dash specified in the PARM field is not used to indicate continuation of the input parm field, only to flag the usage of the SYSIN file.
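The SYSIN record rules (sequence fields, dash continuation) and the PARM-dash mode switch are easy to get wrong when preparing input for a batch erase. The following is an added example that is not CA ACF2 code: it assembles parameter statements exactly as the rules above describe. The option keywords in the sample records (OPTION1, PARMOPT and so on) are constructed placeholders, not real ACFERASE parameters.

```python
"""Assemble utility parameter input under the SYSIN/PARM rules described above.

Added example; this is not CA ACF2 code, and the option keywords in the sample
records are constructed placeholders, not real ACFERASE parameters.
"""


def strip_sequence_field(record: str, recfm: str) -> str:
    """Drop the sequence field: last eight columns for F/FB, first eight for V/VB."""
    fmt = recfm.upper()
    if fmt in ("F", "FB"):
        return record[:-8]
    if fmt in ("V", "VB"):
        return record[8:]
    raise ValueError(f"unsupported SYSIN record format {recfm!r}")


def join_continuations(records):
    """Concatenate records that end in a dash with the record that follows.

    The first character of the next record takes the dash's position; blanks
    after the dash are ignored.  Leading blanks on the continued record are kept.
    """
    statements = []
    current = ""
    pending = False
    for rec in records:
        body = rec.rstrip()
        current = current + body if pending else body
        pending = current.endswith("-")
        if pending:
            current = current[:-1]
        else:
            statements.append(current)
    if pending:
        raise ValueError("last SYSIN record ends with a continuation dash")
    return statements


def resolve_parameters(parm, sysin_records, recfm="FB"):
    """Return the parameter statements the utility would see.

    parm          -- the JCL PARM / CALL parameter string, or None if not coded
    sysin_records -- raw SYSIN records, or None if no SYSIN file is allocated
    """
    statements = []
    if parm is None:
        read_sysin = True                      # the utility requires SYSIN input
    else:
        text = parm.rstrip()
        read_sysin = text.endswith("-")        # trailing dash only flags SYSIN use;
        if read_sysin:
            text = text[:-1].rstrip()          # it does not continue the PARM text
        if text:
            statements.append(text)
    if read_sysin:
        if sysin_records is None:
            # In batch this is an error; online the utility would prompt at the terminal.
            raise ValueError("SYSIN input required but no SYSIN file is allocated")
        stripped = [strip_sequence_field(r, recfm) for r in sysin_records]
        statements.extend(join_continuations(stripped))
    return statements


# Constructed sample input: 80-byte fixed records with sequence numbers in
# columns 73-80, and variable records with the sequence field in the first eight.
SAMPLE_FB = [
    "OPTION1(ABC),-".ljust(72) + "00000010",
    "OPTION2(DEF)".ljust(72) + "00000020",
    "OPTION3(GHI)".ljust(72) + "00000030",
]
SAMPLE_VB = [
    "00000010OPTION1(ABC),-",
    "00000020OPTION2(DEF)",
]

if __name__ == "__main__":
    print(resolve_parameters("PARMOPT(1) -", SAMPLE_FB, "FB"))  # PARM plus SYSIN
    print(resolve_parameters("PARMOPT(1)", SAMPLE_FB, "FB"))    # SYSIN ignored
    print(resolve_parameters(None, SAMPLE_VB, "VB"))            # SYSIN required
```

Note that the PARM string "PARMOPT(1) -" and the first SYSIN record stay separate statements; only dashes inside SYSIN join records together.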
Any messages from ACFERASE appear in the user's JOBLOG.
ACFERASE returns the following condition codes:
All processing was successful.
Not all requested functions could be performed. For example, a data set on tape could not be scratched.
An error in user-specified parameters prevented ACFERASE from performing the function.
An internal error occurred and processing cannot continue.
A permanent I/O error on the file being erased occurred or ACFERASE was improperly link edited during installation.
ACFSUB-TSO Production Job Submitter
ACFSUB is a TSO command issued from TSO READY mode. This utility can submit controlled production-type and other special job streams under a logonid other than the TSO operator's logonid. ACFSUB verifies that the TSO operator submitting the job has the authority to submit job streams through ACFSUB out of the referenced JCL library. In addition, this utility dynamically creates the logonid that the new job runs under. The default version of ACFSUB provided with CA ACF2 creates a logonid based on the first JOB statement accounting field parameter. You can modify this utility locally to assign or build the logonid with any other formula desired.
The source for ACFSUB resides in the ACFSCMD member of CAI.CAIMAC. The module should be assembled with CAI.CAIMAC in the SYSLIB concatenation.
ACFSUB is similar to the CA ACF2 JOBCOPY utility for batch production job submissions.
IDMAP Cleanup Utility (ACFIDMAP)
The ACFIDMAP utility supports IDMAP users implementing distinguished names. It identifies distinguished name values that are no longer valid, providing an efficient method of finding invalid IDMAPDN values in IDMAP records.
You can run ACFIDMAP by submitting batch JCL or from ISPF panels.
To execute ACFIDMAP in batch, use the following JCL:
//ACFIDMP JOB 1,'IDMAP TEST'
//ACFIDMAP EXEC PGM=ACF56IDM
//SYSPRINT DD SYSOUT=*
/*
JOBCOPY Utility-Batch Production Job Submission
You can run the JOBCOPY utility as a batch program or started task. This utility enables submission of production and other special types of job streams that must run under a logonid other than that of the TSO operator. This utility verifies that the user submitting the job stream has the authority to submit job streams through JOBCOPY from the referenced JCL library.
JOBCOPY also creates a logonid under which the job can run. Under the default version of JOBCOPY supplied with CA ACF2, this logonid is based on the account number parameter of the first JOB statement encountered. You can modify this default locally to build the logonid by whatever method desired.
The source for JOBCOPY resides in CAI.CAIMAC and should be assembled with the CAI.CAIMAC library in the SYSLIB concatenation.
Prerequisites for Using JOBCOPY
Before using JOBCOPY, your site must define any libraries containing job streams that are submitted through JOBCOPY. For instructions on defining these libraries, see the description in the comments of the JOBCOPY program.
The JOBCOPY utility uses the following files:
Contains the production job stream processed by JOBCOPY.
Contains the processed job stream that is submitted through JOBCOPY to the internal reader. Therefore, assign this file to the internal reader.
The LDS recovery report (LDSRPT) lists all LDS requests stored in the LDS Recovery File. LDS recovery retrieves records containing information about administrative commands that INSERT, CHANGE, and DELETE logonid fields, as well as password changes that are eligible for LDS processing. There are no REPORT parameters for this program.
A person with SECURITY or AUDIT privileges must be unscoped to run the LDSRPT report. Unscoped indicates the SCPLIST field in the logonid record is set to null.
Sample INITLDSR Job
The LDS recovery file is defined in the LDS OPTIONS record in the LDSRCVR field. Also, the LDS OPTIONS RECOVERY option must be set on the LDS OPTIONS record to enable LDS recovery processing. The recovery file must be created and initialized prior to starting LDS. Use the supplied INITLDSR job in the CAX1JCL0 library to create the LDS recovery file.
The following example creates a recovery file called 'CALDAP.LDSRCVR' containing 12,000 blocks:
//INITLDSR EXEC PGM=CAS4LIRF
//STEPLIB DD DSN=CAI.CAX1LINK,DISP=SHR
//SYSPRINT DD SYSOUT=*
//LDSRCVR DD DSN=CALDAP.LDSRCVR,
// SPACE=(6000,(12000)),UNIT=SYSDA,
// DISP=(,CATLG,DELETE),VOL=SER=VOLSER,
// DCB=BLKSIZE=6000
//SYSIN DD *
BLOCKS=12000
/*
//
Sample Report Output
The report title displays the date and time the report was generated. The report summary displays the total number of LDS recovery records on the LDS Recovery File. The following is a sample of the LDSRPT report output:
DATE 06/30/04 (04.182) TIME 12.33 - <acf> Security LDS Recovery Report - PAGE 1
Date    Time   LDAP Node ID  User     LDS Recovery Data
2004121 153451 LDAP.LISLE2   LDSETA2  INS LID(LDSETA2 ) OBJECTCLASS(ACF2LID), ADD Name(1534 ), ADD objectclass(AC
2004121 153451 LDAP.LISLE2   LDSETA2  F2LID)
2004121 154026 LDAP.LISLE2   LDSETA2  DEL LID(LDSETA2 ) OBJECTCLASS(ACF2LID)
2004121 160905 LDAP.LISLE2   LDSETA1  MOD LID(LDSETA1 ) OBJECTCLASS(ACF2LID), REP Name(1608 )
2004121 162455 LDAP.LISLE2   LDSETA3  MOD LID(LDSETA3 ) OBJECTCLASS(ACF2LID), REP Name(1624 )
2004121 162936 LDAP.LISLE2   LDSETA2  INS LID(LDSETA2 ) OBJECTCLASS(ACF2LID), ADD Name(THIRD ), ADD objectclass(AC
2004121 162936 LDAP.LISLE2   LDSETA2  F2LID)
DATE 06/30/04 (04.182) TIME 12.33 - <acf> Security LDS Recovery Report - PAGE 2
- Total number of LDS records processed is 05
SAFTAXRF-SMP/E CSI Zone Compare Utility
The SAFTAXRF utility is used to minimize the possibility of regressing any SYSMODs when upgrading to a new release of CA ACF2.
SAFTAXRF helps determine which SYSMODs applied for a specified FMID in the current release of CA ACF2 have not been superseded in the new r8.
The format and method of the product installation and maintenance have not changed.
The input to the SAFTAXRF utility consists of:
- An SMP LIST SYSMODS XREF for the currently installed release of CA ACF2.
- An SMP LIST SYSMODS XREF for the newly installed release of CA ACF2.
The SAFTAXRF utility creates a report consisting of a list of SYSMOD entries that have been applied to your current release of CA ACF2 and are not found in the new release.
For all SYSMOD entries that the report lists as 'Active smtype sysmod (FMID=fmid) is NOT FOUND in the NEW Target Zone' or 'Superseded sysmod (FMID=fmid) is NOT FOUND in the NEW Target Zone', contact Broadcom Support for the equivalent SYSMOD, if applicable, for the new release.
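To make the comparison concrete, here is an added example (not Broadcom's SAFTAXRF) that models the zone comparison: every SYSMOD in the old target zone is looked up by id in the new one, and the misses are reported in the wording the utility uses, split into active and superseded entries. The zone records are constructed and deliberately simplified to (sysmod id, SMP/E type, owning FMID, status); a real LIST SYSMODS XREF listing has its own layout and would need a parser of its own.

```python
"""Model of the SAFTAXRF zone comparison: old-zone SYSMODs absent from the new zone.

Added example, not Broadcom's utility.  Zone records are constructed and
simplified; a real LIST SYSMODS XREF listing has a different layout.
"""
from collections import namedtuple

# status is APPLIED (active) or SUPERSEDED (SUPed by a later SYSMOD)
Sysmod = namedtuple("Sysmod", "id smtype fmid status")

# Constructed sample zones.  TA1234F/TA234SF/QO34567 echo the sample report;
# QO11111 and QO22222 are made up for this example.
OLD_ZONE = [
    Sysmod("TA1234F", "PTF", "CX16400", "SUPERSEDED"),
    Sysmod("TA234SF", "PTF", "CX81400", "SUPERSEDED"),
    Sysmod("QO34567", "APAR", "CX16400", "APPLIED"),
    Sysmod("QO11111", "APAR", "CX16400", "APPLIED"),
    Sysmod("QO22222", "APAR", "CX81400", "APPLIED"),
]
NEW_ZONE = [
    Sysmod("QO11111", "APAR", "CX16500", "SUPERSEDED"),  # rolled into the new base
    Sysmod("QO22222", "APAR", "CX81500", "APPLIED"),     # still applied as a fix
]


def compare_zones(old_zone, new_zone):
    """Return (report lines, summary counts) for old-zone SYSMODs missing from new.

    A SYSMOD counts as found if its id is present in the new zone in any status;
    the FMID differs between releases, so matching is by SYSMOD id only.
    """
    new_ids = {s.id for s in new_zone}
    lines = []
    summary = {"active": 0, "superseded": 0, "found": 0}
    for s in old_zone:
        if s.id in new_ids:
            summary["found"] += 1
        elif s.status == "SUPERSEDED":
            summary["superseded"] += 1
            lines.append(f"Superseded {s.id} (FMID={s.fmid}) is NOT FOUND in the NEW Target Zone.")
        else:
            # An active fix that nothing in the new zone accounts for: a regression risk.
            summary["active"] += 1
            lines.append(f"Active {s.smtype} {s.id} (FMID={s.fmid}) is NOT FOUND in the NEW Target Zone.")
    return lines, summary


if __name__ == "__main__":
    report, totals = compare_zones(OLD_ZONE, NEW_ZONE)
    print("\n".join(report))
    print(f"{totals['active']} Active sysmod entries are displayed.")
    print(f"{totals['superseded']} SUPed sysmod entries are displayed.")
    print(f"{totals['found']} sysmod entries were FOUND in both zones.")
```

The "Active" lines are the ones to act on before cutting over: each is a fix that was live on the old release and has no counterpart in the new zone.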
The JCL and procedure required to execute the SAFTAXRF utility is distributed in the CAIJCL library as members SAFTAXJC and SAFTAXRF.
Messages generated by SMP/E during the execution of the LIST SYSMODS XREF command. Refer to this output if error messages are issued in the report.
Report output. If an error occurred during report processing, this data set contains error messages.
Sample Report Output
CA SMP/E ZONE Compare Utility
Selected FMIDs
-----------------
++OLDZONE FMID=CX16400 ACF2 6.4 BASE
++OLDZONE FMID=CX16409 ACF2 6.4 JES3 INTERFACE
++OLDZONE FMID=CX16410 ACF2 6.4 JES2 INTERFACE
++OLDZONE FMID=CX16478 ACF2 6.4 IMS 6.1 INTERFACE
++OLDZONE FMID=CX16488 ACF2 6.4 IMS 7.1 INTERFACE
++OLDZONE FMID=CX16473 ACF2 6.4 DL/I 6.1 INTERFACE
++OLDZONE FMID=CX16483 ACF2 6.4 DL/I 7.1 INTERFACE
++OLDZONE FMID=ACF6452 ACF2 6.4 CICS INTERFACE
++OLDZONE FMID=CX81400 ACF2 6.4 SAF
++OLDZONE FMID=CX81410 ACF2 6.4 SAF
++NEWZONE FMID=CX16500 ACF2 6.5 BASE
++NEWZONE FMID=CX16509 ACF2 6.5 JES3 INTERFACE
++NEWZONE FMID=CX16510 ACF2 6.5 JES2 INTERFACE
++NEWZONE FMID=CX16578 ACF2 6.5 IMS 6.1 INTERFACE
++NEWZONE FMID=CX16588 ACF2 6.5 IMS 7.1 INTERFACE
++NEWZONE FMID=CX16573 ACF2 6.5 DL/I 6.1 INTERFACE
++NEWZONE FMID=CX16583 ACF2 6.5 DL/I 7.1 INTERFACE
++NEWZONE FMID=CX16552 ACF2 6.5 CICS INTERFACE
++NEWZONE FMID=CX81500 ACF2 6.5 SAF
++NEWZONE FMID=CX81510 ACF2 6.5 SAF
Selected FMIDs
-----------------
OLD TZone=CAITGT from Global CSI=CAI.ACF264.CSI
NEW TZone=CAITGT from Global CSI=CAI.ACF265.CSI
List of SYMOD Identifiers
--------------------------
Superseded TA1234F (FMID=CX16400) is NOT FOUND in the NEW Target Zone.
Superseded TA234SF (FMID=CX81400) is NOT FOUND in the NEW Target Zone.
Active APAR QO34567 (FMID=CX16400) is NOT FOUND in the NEW Target Zone.
Active APAR QO45678 (FMID=CX81400) is NOT FOUND in the NEW Target Zone.
CA SMP/E ZONE COMPARE SUMMARY
------------------------------------
2 Active sysmod entries are displayed.
2 SUPed sysmod entries are displayed.
632 sysmod entries were FOUND in both zones.
Before a user can submit SAFTAXJC for execution, the site must make the following JCL changes:
DSN that contains the JCL procedure for SAFTAXRF.
DSN that contains the load module SAFTAXRF. SAFTAXRF was linked into CAI.CAILOAD during installation of your new product release.
DSN of the SMP/E global CSI that contains the TLIB zone for the current (old) release of the product.
SAFCRRPT Certificate Utility
The SAFCRRPT utility displays the certificate hierarchy in your database. Optionally, it shows each certificate, its signing certificate, and the certificates that it has signed. You may also display all of the information provided on a CHKCERT command and LIST command. The display can be tailored so that only certificates from a particular user or key ring will be displayed. You can decide to show only certificates that are not expired, have a key in ICSF, and are currently trusted. You can also display only those certificates that will expire within 1-365 day range. If you are having a problem setting up SSL for an application, run the utility against the key ring. It may help point to problems in the set up.
Execution of SAFCRRPT requires a region size of 1500K.
UPDATE access to IRR.DIGTCERT.LIST in the FACILITY class is required when running the report when the certificates are not obtained from a key ring.
When obtaining certificates from a key ring, as required with the RINGNAME parameter, the utility uses the R_datalib callable service. R_datalib requires READ access to the IRR.DIGTCERT.LISTRING resource in the FACILITY class when the key ring is owned by the caller of the utility. If the reserved values "CERTAUTH", "irrcerta", "*AUTH*" (CA ACF2 Version 15 only), "SITECERT", "irrsitec", or "*SITE*" (CA ACF2 Version 15 only) are specified in the USER parameter, READ access is also required to the IRR.DIGTCERT.LISTRING resource. If the keyring is not owned by the caller of the utility, UPDATE access is required to the IRR.DIGTCERT.LISTRING resource.
The following is sample JCL to run the certificate utility:
//SAFRPTCR EXEC PGM=SAFCRRPT,PARM='TITLE(CERTIFICATE UTILITY REPORT)'
//STEPLIB DD DISP=SHR,DSN=CAI.CAILOAD
//SYSUDUMP DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
Recordid(CERT-) detail EXT
The input parameters can be specified in the PARM field or SYSIN data set. When parameters conflict, the last parameter entered will be used (for example, USER and RECORDID).
- USER(userid|userid mask) - All certificates for the specified users are displayed. If not specified, USER defaults to the caller's userid. When specified with the RINGNAME parameter, the user field cannot be masked.
- DETAIL - Adds the label, serial number, subject's distinguished name, issuer's distinguished name, validity dates, public key, PKDS label (if one exists), private key size and type to the output display. DETAIL is mutually exclusive with SUMMARY.
- SUMMARY - Displays only the record id of the displayed record, the record id of the signing certificate, and the record ids of the certificates that this certificate signed. SUMMARY is mutually exclusive with DETAIL. When neither is specified, SUMMARY is the default.
- DUMP - Adds a hexadecimal dump of the certificate to the display. DUMP is ignored if DETAIL is not specified.
- EXT - Adds a list of the extensions in the certificate to the display. EXT is ignored if DETAIL is not specified. If the utility cannot identify the name of an extension, the OID of the extension is displayed. The extension values are also displayed: if the format of the extension is recognized, a meaningful description of the settings within the extension is shown; otherwise, a hexadecimal dump of the extension contents along with a character representation is shown.
- RINGNAME(ring name) - Tells the utility to display certificates from a specific keyring. RINGNAME is used in conjunction with the USER parameter: USER specifies whose keyring is to be accessed and RINGNAME specifies which keyring. This is either the ringname from the keyring record or "*" for virtual keyrings. When RINGNAME is specified, the USER parameter cannot be masked. The utility uses the R_datalib callable service to retrieve the trusted certificates from the keyring. This callable service is used by most applications that access certificates for an SSL session, so the output from this parameter is useful for determining whether the proper certificates have been connected to the correct keyring.
- RECORDID(record id|record id mask) - Specifies the record id of the certificates to be displayed. RECORDID cannot be used with the RINGNAME parameter.
- TRUST|NOTRUST - Specify TRUST or NOTRUST to display only the certificates that have that status.
- ICSF - Tailors the display to show only the certificates that have the public or private key saved in ICSF.
- PCICC - Tailors the display to show only the certificates that have the public or private key saved in ICSF using the PCICC keyword.
- EDAYS(expire days) - Displays only those certificates that expire within the specified number of days. Acceptable values range from 1 to 365. This field is not maskable.
- EXPIRED - Displays only those certificates that have already expired.
- RSA - Displays only those certificates that use the RSA algorithm for the public-private key pair.
- DSA - Displays only those certificates that use the DSA algorithm for the public-private key pair.
- FIELDS(data1,...,dataN) - Limits the information returned by the report. You may specify any of the following sub-parameters in the FIELDS list:
  - Display Active Date
  - Display the length of the certificate
  - Display Expire Date
  - Display certificate label
  - Display Issuer DN
  - Display key size
  - Display PKDS label
  - Display public key
  - Display serial #
  - Display the signature algorithm used to create the signature
  - Display the certificates this certificate has signed
  - Display Subject DN
  - Display an indication that the certificate is trusted or not
If the FIELDS parameter is specified and no sub-parameters are listed an error message will be displayed. If SUMMARY is specified after the FIELDS parameter, the FIELDS parameter will be ignored. If SUMMARY is specified before the FIELDS parameter, the SUMMARY parameter will be ignored. If more than one FIELDS parameter is specified, only the last FIELDS parameter will be acknowledged.
The FIELDS parameter can be specified on the PARM= of the EXEC within the JCL as well as via the SYSIN parameter. Since this parameter can extend to multiple lines because it follows the structure of a list there are a few syntax rules to follow.
For example, if the FIELDS parameter is specified on the PARM= of the EXEC, without any other parameters, the following syntax should be used, with each element of the list separated by a comma:
//SAFRPTCR EXEC PGM=SAFCRRPT,
// PARM=(FIELDS(LABEL,SERIAL,ISSUER,SUBJECT,ACTIVE,EXPIRE,
// KEYSIZE,PUBLIC,PKDS,SIGNOF))
If the FIELDS parameter is specified on the PARM= of the EXEC with other parameters as well, the other parameters should be enclosed in single quotes, such as ‘RECORDID(-)’, as illustrated by the following:
//SAFRPTCR EXEC PGM=SAFCRRPT,
// PARM=('RECORDID(-)',
// FIELDS(ACTIVE,EXPIRE,KEYSIZE,PUBLIC,PKDS,SIGNOF,LABEL,
// SERIAL,ISSUER,SUBJECT))
If the FIELDS parameter is specified within the SYSIN of the JCL the following syntax should be used in the case that the parameter extends to several lines, with each element of the list separated by a single space:
//SYSIN DD *
FIELDS(ISSUER SUBJECT ACTIVE EXPIRE KEYSIZE PUBLIC PKDS SIGNOF LABEL SERIAL)
RECORDID(-)
/*
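The precedence rules spread across the parameter descriptions above (last parameter wins, DUMP and EXT needing DETAIL, SUMMARY versus FIELDS ordering, RECORDID and masked USER being incompatible with RINGNAME, EDAYS limited to 1-365) are the usual source of a report that silently shows less than intended. The following added example, which is not the utility's own parser, applies those documented rules to a PARM string and SYSIN text and reports what was discarded. Its assumptions: parameters are NAME or NAME(value) tokens separated by blanks or commas, CA ACF2 masks use the characters '-' and '*', and a DETAIL/SUMMARY conflict follows the general "last parameter wins" rule.

```python
"""Apply the SAFCRRPT parameter precedence rules described above.

Added example; not the utility's own parser.  Assumptions: NAME or NAME(value)
tokens separated by blanks or commas; '-' and '*' are mask characters; a
DETAIL/SUMMARY conflict follows the general "last parameter wins" rule.
"""
import re

_TOKEN = re.compile(r"([A-Za-z]+)(?:\(([^)]*)\))?")
_FILTERS = {"EXPIRED", "ICSF", "PCICC", "RSA", "DSA"}
_MASK_CHARS = "-*"   # assumption: CA ACF2 mask characters


def tokenize(text):
    """'Recordid(CERT-) detail EXT' -> [('RECORDID','CERT-'), ('DETAIL',None), ('EXT',None)]"""
    return [(m.group(1).upper(), m.group(2)) for m in _TOKEN.finditer(text or "")]


def is_masked(value):
    return value is not None and any(c in _MASK_CHARS for c in value)


def build_options(parm, sysin, caller):
    """Merge PARM then SYSIN parameters; later parameters override earlier ones.

    Returns (options, notes); notes records parameters the rules discard.
    Raises ValueError for the combinations the documentation rejects.
    """
    opts = {"USER": caller, "RECORDID": None, "RINGNAME": None, "MODE": "SUMMARY",
            "FIELDS": None, "DUMP": False, "EXT": False, "EDAYS": None,
            "TRUST": None, "FILTERS": set(), "TITLE": None}
    notes = []
    summary_seen = False
    for name, value in tokenize(parm) + tokenize(sysin):
        if name == "USER":                       # USER and RECORDID conflict: last wins
            opts["USER"], opts["RECORDID"] = value, None
        elif name == "RECORDID":
            opts["RECORDID"], opts["USER"] = value, None
        elif name == "RINGNAME":
            opts["RINGNAME"] = value
        elif name == "DETAIL":
            opts["MODE"] = "DETAIL"
        elif name == "SUMMARY":
            opts["MODE"] = "SUMMARY"
            summary_seen = True
            if opts["FIELDS"] is not None:       # SUMMARY after FIELDS: FIELDS ignored
                notes.append("FIELDS ignored: SUMMARY specified after it")
                opts["FIELDS"] = None
        elif name == "FIELDS":
            if not value or not value.strip():
                raise ValueError("FIELDS specified without sub-parameters")
            if summary_seen:                     # SUMMARY before FIELDS: SUMMARY ignored
                notes.append("SUMMARY ignored: FIELDS specified after it")
                summary_seen = False
            if opts["FIELDS"] is not None:       # several FIELDS: only the last counts
                notes.append("earlier FIELDS list replaced by the last one")
            opts["FIELDS"] = [f.upper() for f in re.split(r"[\s,]+", value.strip())]
        elif name == "EDAYS":
            if value is None or is_masked(value) or not value.strip().isdigit():
                raise ValueError("EDAYS requires an unmasked number of days")
            days = int(value)
            if not 1 <= days <= 365:
                raise ValueError("EDAYS must be between 1 and 365")
            opts["EDAYS"] = days
        elif name in ("TRUST", "NOTRUST"):
            opts["TRUST"] = name
        elif name in _FILTERS:
            opts["FILTERS"].add(name)
        elif name in ("DUMP", "EXT"):
            opts[name] = True
        elif name == "TITLE":
            opts["TITLE"] = value
        else:
            raise ValueError(f"unrecognized parameter {name}")
    if opts["RINGNAME"] is not None:
        if opts["RECORDID"] is not None:
            raise ValueError("RECORDID cannot be used with RINGNAME")
        if is_masked(opts["USER"]):
            raise ValueError("USER cannot be masked when RINGNAME is specified")
    if opts["MODE"] != "DETAIL":                 # DUMP and EXT only apply to DETAIL
        for flag in ("DUMP", "EXT"):
            if opts[flag]:
                notes.append(f"{flag} ignored: DETAIL not specified")
                opts[flag] = False
    return opts, notes


if __name__ == "__main__":
    # The sample JCL above: PARM='TITLE(CERTIFICATE UTILITY REPORT)' and a SYSIN
    # of "Recordid(CERT-) detail EXT".
    print(build_options("TITLE(CERTIFICATE UTILITY REPORT)",
                        "Recordid(CERT-) detail EXT", "CALLER01"))
```

Pass the PARM text without its surrounding JCL quotes, and join multi-line SYSIN into one string before calling; the notes list is the part worth reading, since it names every parameter the precedence rules dropped.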
The SAFCRRPT report accepts the following parameters.
Sample Report Output - Summary
Mainframe Security - SAFCRRPT - Certificate Utility - PAGE 3
DATE 03/14/06 (06.073) TIME 10.18
Record id - CERTAUTH.AUTO014
Signed by: None - Self-Signed
Signer of - CERTAUTH.AUTO013
Record id - CERTAUTH.BOB
Signed by: None - Self-Signed
Record id - CERTAUTH.CLIFFTA
Signed by: None - Self-Signed
Record id - CERTAUTH.DSACA
Signed by: None - Self-Signed
Signer of - BOB.DSA2048 CARLA01.DSA2048 CARLA01.DSA512 CARLA01.DSA768 CARLA01.RSA512 CARLA01.RSA768 DSATEST.DSA1024 DSATEST.DSA2048 DSATEST.DSA512 KERMIT.DSA KERMIT.RSA
Record id - CERTAUTH.EDDIEABC
Signed by: None - Self-Signed
Record id - CERTAUTH.HAWKS01
Signed by: None - Self-Signed
Record id - CERTAUTH.HAWKS02
Signed by: None - Self-Signed
Record id - CERTAUTH.HAWKS03
Signed by: None - No Record Found
Record id - CERTAUTH.HEROS
Signed by: None - No Record Found
Record id - CERTAUTH.ICSFCA
Signed by: None - Self-Signed
Signer of - CARLA01.ICSFCA IMWEBSRV.ICSFSSL IMWEBSRV.SSLICSF STANLEY.ICSFCA
Record id - CERTAUTH.ICSF01
Signed by: None - Self-Signed
Record id - CERTAUTH.LOCALCA
Signed by: None - Self-Signed
Signer of - CARLA01.T2048 GENC002A.AUTO001 GENC002A.AUTO002 GENC002A.AUTO003 GENC002A.AUTO004 IMWEBSRV.SERVER TIMOTHY.DEE WEBSRV
Record id - CERTAUTH.MAJORLG
Signed by: None - Self-Signed
Signer of - CERTAUTH.AL CERTAUTH.NL
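The summary output is a flat list, so a broken chain (a "No Record Found" signer, or two records that disagree about who signed whom) is easy to miss on a long report. The following added example, which is not part of the utility, parses the summary layout shown above into a signing hierarchy and cross-checks every link in both directions. It assumes the line prefixes seen in the sample ("Record id - ", "Signed by: ", "Signer of - ") and that a "Signer of" list wrapped onto further lines continues on lines with no prefix. SAMPLE_REPORT is constructed from the sample and adds one deliberate inconsistency (CERTAUTH.NL) to show what the check reports.

```python
"""Parse SAFCRRPT summary output into a signing hierarchy and cross-check it.

Added example, not part of the utility.  Line layout follows the sample above;
SAMPLE_REPORT is constructed and includes one deliberate inconsistency.
"""

SAMPLE_REPORT = """\
Mainframe Security - SAFCRRPT - Certificate Utility - PAGE 3
DATE 03/14/06 (06.073) TIME 10.18
Record id - CERTAUTH.AUTO014
Signed by: None - Self-Signed
Signer of - CERTAUTH.AUTO013
Record id - CERTAUTH.HAWKS03
Signed by: None - No Record Found
Record id - CERTAUTH.MAJORLG
Signed by: None - Self-Signed
Signer of - CERTAUTH.AL CERTAUTH.NL
Record id - CERTAUTH.AL
Signed by: CERTAUTH.MAJORLG
Signer of - CERTAUTH.ACENTRAL
            CERTAUTH.ALWEST
Record id - CERTAUTH.NL
Signed by: CERTAUTH.AUTO014
"""
# CERTAUTH.NL claiming CERTAUTH.AUTO014 as signer is the constructed inconsistency:
# CERTAUTH.MAJORLG lists CERTAUTH.NL among the certificates it signed.


def parse_summary(text):
    """Return {record id: {"signer": id or None, "status": ..., "signs": [ids]}}."""
    certs = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Mainframe Security", "DATE ")):
            continue                                   # page headings
        if line.startswith("Record id - "):
            current = line[len("Record id - "):].strip()
            certs[current] = {"signer": None, "status": None, "signs": []}
        elif current is None:
            raise ValueError(f"data before first Record id: {line!r}")
        elif line.startswith("Signed by:"):
            value = line[len("Signed by:"):].strip()
            if value == "None - Self-Signed":
                certs[current]["status"] = "self-signed"
            elif value == "None - No Record Found":
                certs[current]["status"] = "no-record"  # signer not in the database
            else:
                certs[current]["status"] = "signed"
                certs[current]["signer"] = value
        elif line.startswith("Signer of - "):
            certs[current]["signs"].extend(line[len("Signer of - "):].split())
        else:
            certs[current]["signs"].extend(line.split())  # wrapped "Signer of" list
    return certs


def check_chain(certs):
    """Flag certificates whose signer is missing or whose links do not agree both ways."""
    findings = []
    for rid, info in certs.items():
        if info["status"] == "no-record":
            findings.append(f"{rid}: signing certificate is not in the database")
        signer = info["signer"]
        if signer in certs and rid not in certs[signer]["signs"]:
            findings.append(f"{rid}: reports signer {signer}, which does not list it as signed")
        for child in info["signs"]:
            if child in certs and certs[child]["signer"] != rid:
                findings.append(f"{rid}: lists {child} as signed, but {child} reports "
                                f"signer {certs[child]['signer']}")
    return findings


if __name__ == "__main__":
    for finding in check_chain(parse_summary(SAMPLE_REPORT)):
        print(finding)
```

Links to records that do not appear in the input are not flagged, because a single report page (like page 3 above) is normally a subset; run the check over the whole summary when you want the missing-record findings to be meaningful.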
Sample Report Output - Details
Mainframe Security - SAFCRRPT - Certificate Utility - PAGE 11
DATE 03/14/06 (06.073) TIME 10.18
Record id - CERTAUTH.AL
Signed by: CERTAUTH.MAJORLG
Label American League CA
Serial # - 05
Issuer DN - CN=Major League Baseball Certificate Authority.OU=Used for testing PKCS 12 CA certificate insert processing.O=MLB Commissioners Office.C=US
Subject DN - CN=American League Certificate Authority.O=Major League Baseball.C=US
Active Date 2004/11/30
Expire Date 2015/12/20
Pvt Key Size 1024 RSA
Algorithm sha-1WithRSAEncryption
Public Key
0000 30819F30 0D06092A 864886F7 0D010101
0010 05000381 8D003081 89028181 00D7F4B8
0020 BCA5B3B0 D33F5575 C7EF5F48 9ABC4C77
0030 5F46257B 13C3A9A7 B497F422 EFDD8B44
0040 9F756234 76D70DFC 2A6B3FE6 40532234
0050 0147CC94 4DB0ABD4 732729B4 9E8FBD44
0060 F7DAFB00 33ED254D EB0A6334 8FD0ECEB
0070 4374317C D4CBB1AE B7C6FD08 0412785B
0080 0A751C69 3BF4DC66 C2CBA8F1 093BAE10
0090 3604CC15 66CF8A5D 2EF9038A 03020301
00A0 0001
Signer of - CERTAUTH.ACENTRAL CERTAUTH.ALWEST
Record id - CERTAUTH.LOCALCA
Signed by: None - Self-Signed
Label Local CA
Serial # - 0000000000
Issuer DN - CN=<acf> Certificate Authority.OU=CA-ACF2 Development.OU=OS390 Development.O=Computer Associates
Subject DN - CN=<acf> Certificate Authority.OU=CA-ACF2 Development.OU=OS390 Development.O=Computer Associates
Active Date 2001/09/05
Expire Date 2002/09/05
Pvt Key Size 512 RSA
Algorithm sha-1WithRSAEncryption
Public Key
0000 305C300D 06092A86 4886F70D 01010105
0010 00034B00 30480241 00E3E055 322F34F9
0020 18099F1C 05D0EB3E 4011AD5B 8BE8CCC2
0030 54E83564 5DB02E6F 682D9A23 49C62077
0040 0ACFABAF C9847E4D 3646062B 4B1C249D
0050 44072EC6 577F98D4 AE020301 0001
Signer of - CARLA01.T2048 GENC002A.AUTO001 GENC002A.AUTO002 GENC002A.AUTO003 GENC002A.AUTO004 IMWEBSRV.SERVER TIMOTHY.DEE WEBSRV
Sample Report Output - Total Page
Mainframe Security - SAFCRRPT - Certificate Utility - PAGE 15
DATE 03/14/06 (06.073) TIME 10.18
Total Certificates 33
CA Certificates 12
Site Certificates 00
User Certificates 21
Expired Certificates 11
Inactive Certificates 00
ICSF Certificates 06
Self-signed certificates 13
RSA certificates 23
DSA certificates 10
Trusted Certificates 05
High Trust Certificates 00
ECC Certificates 00