We have had some KEYRINGS and CERTIFICATES mysteriously disappear. Is there a report, along with sample JCL, that can be run to identify the last time a KEYRING or certificate was updated, and by whom?

Document ID : KB000025719
Last Modified Date : 14/02/2018

Problem:

We have had some KEYRINGS and CERTIFICATES mysteriously disappear. Is there a report, along with sample JCL, that can be run to identify the last time a KEYRING or certificate was updated, and by whom?

 

Description:

The ACFRPTEL report generator processes the SMF records issued for ACF2 recovery purposes and lists each change to the Infostorage database, together with the logonid that made the change. These changes include updates to entry records, resource rule sets, GSO records, CERTDATA (certificate) records, ACF2 for DB2 rule sets and records, and other types of Infostorage record.

The ACFRPTEL report parameters can be specified using one of these methods: the PARM parameter of the EXEC statement in the JCL, or SYSIN input.

 

Resolution:

The ACFRPTEL report can be used to report on CERTIFICATE and KEYRING updates such as a delete of a KEYRING or CERTIFICATE or a CONNECT of a CERTIFICATE to a KEYRING.

The ACFRPTEL report uses standard CA-ACF2 report JCL, like the following two examples for batch submission.

Example 1 Using PARM statement for report parameters.

  //REPORT  EXEC PGM=ACFRPTEL,PARM=('TITLE(SAMPLE ACFRPTEL)', 
  //       'DETAIL,TYPE(-)') 
  //SYSPRINT DD SYSOUT=* 
  //* THE FOLLOWING DDS SHOULD POINT TO THE SMF DATASETS 
  //RECMAN1  DD DISP=SHR,DSN=SYS1.MAN1 
  //RECMAN2  DD DISP=SHR,DSN=SYS1.MAN2 
  //RECMAN3  DD DISP=SHR,DSN=SYS1.MAN3

  //SYSIN DD *
  //*

Example 2 Using SYSIN file for report parameters.

  //REPORT  EXEC PGM=ACFRPTEL          
  //SYSPRINT DD SYSOUT=*               
  //* THE FOLLOWING DDS SHOULD POINT TO THE SMF DATASETS     
  //RECMAN1  DD DISP=SHR,DSN=SYS1.MAN4                       
  //RECMAN2  DD DISP=SHR,DSN=SYS1.MAN5                       
  //RECMAN3  DD DISP=SHR,DSN=SYS1.MAN6                       
  //SYSIN DD *
  TITLE(SAMPLE ACFRPTEL) DETAIL TYPE(-)
  //*

DD statements
RECxxxxx
These ddnames identify the files containing the input SMF records. ACFRPTEL accepts one SMF input file per ddname. Do not concatenate SMF input files.

SYSPRINT
ACFRPTEL uses the SYSPRINT file for message and summary report output.

SAMPLE OUTPUT

The following sample output examples show the ACFRPTEL reporting for these CERTIFICATE/KEYRING changes:

  1. DELETE of a keyring

  2. CONNECT of a CERTIFICATE to a KEYRING

  3. DELETE of a CERTIFICATE

  4. GENCERT of a CERTIFICATE

  5. INSERT of a CERTIFICATE

  6. REMOVE a CERTIFICATE from a KEYRING

Example 1: Logonid USER003 DELETE KEYRING USER002.RING:

  eTrust CA-ACF2 Security - ACFRPTEL - INFORMATION STORAGE UPDATE LOG - PAGE    1 
  DATE 11/03/08 (08.308) TIME 09.57 SAMPLE ACFRPTEL                               
    DATE     TIME        JNAME    LID      MODULE   FUNCTION CPU  C-TYP-NAME    
    FIELD       OLD VALUE                NEW VALUE                              
  08.308 11/03 09:36       USER003  USER003  ACF0AENT DELETE   SYS1 P-USR-KEYRING USER002.RING 
   DEFAULT      ---NULLS---                                                     
   RINGNAME     MMM keyring                                                    

Example 2: Logonid USER004 CONNECT of certificate CERTAUTH.DESKTOP1 to KEYRING BES.RING:

  eTrust CA-ACF2 Security - ACFRPTEL - INFORMATION STORAGE UPDATE LOG - PAGE    1 
  DATE 11/03/08 (08.308) TIME 09.57 SAMPLE ACFRPTEL                               
    DATE     TIME        JNAME    LID      MODULE   FUNCTION CPU  C-TYP-NAME     
    FIELD       OLD VALUE                NEW VALUE                              
  08.308 11/03 09:38       USER004  USER004  ACF0AENT REPLACE  SYS1 P-USR-KEYRING BES.RING 
    CERTDATA     ---NULLS---              P-CERTAUTH.DESKTOP1                   
  08.308 11/03 09:38       USER004  USER004  ACF0AENT REPLACE  SYS1 P-USR-CERTDATACERTAUTH.DESKTOP1
     KEYRING      ---NULLS---              BES.RING                              

Example 3: Logonid USER005 DELETE of certificate CERTDATA.DELSRV:

  eTrust CA-ACF2 Security - ACFRPTEL - INFORMATION STORAGE UPDATE LOG - PAGE    1 
  DATE 11/03/08 (08.308) TIME 09.57 SAMPLE ACFRPTEL                               
    DATE     TIME        JNAME    LID      MODULE   FUNCTION CPU  C-TYP-NAME     
    FIELD       OLD VALUE                NEW VALUE                              
  08.308 11/03 09:39       USER005  USER005  ACF0AENT DELETE   SYS1 P-USR-CERTDATACERTDATA.DELSRV 
    ISSUERDN     CN=MMMLocalzOSCA.OU=                                           
                 Auditing Department.                                           
                 O=Company Name.C=US                                            
    KEYSIZE      1,024                                                          
    LABEL        DELServer                                                     
    SERIAL#      03                                                            
    SUBJDN       CN=ITOperations.OU=M                                          
                 yCo.C=US                                                      
    USERID       ---NOT AUTH---                                                 
  08.308 11/03 09:39       USER002  USER002  ACF0AENT DELETE   SYS1 P-USR-CERTKEYXCERTDATA.DELSRV 

Example 4: Logonid USER007 GENCERT of certificate SAMPLEX.CERT:

  eTrust CA-ACF2 Security - ACFRPTEL - INFORMATION STORAGE UPDATE LOG - PAGE    1 
  DATE 11/03/08 (08.308) TIME 09.57 SAMPLE ACFRPTEL                               
    DATE     TIME        JNAME    LID      MODULE   FUNCTION CPU  C-TYP-NAME    
    FIELD       OLD VALUE                NEW VALUE                              
  08.308 11/03 10:23       USER007  USER007  ACF0AENT INSERT   SYS1 P-USR-CERTKEYXSAMPLEX.CERT
  08.308 11/03 10:23       USER007  USER007  ACF0AENT INSERT   SYS1 P-USR-CERTDATASAMPLEX.CERT
    CERTNSER     ---NULLS---              0000000000000001                      
    LABEL        ---NULLS---              SAMPLEX.CERT                          

Example 5: USER009 INSERT of certificate CERTAUTH.LOCALMB from MVS DSN:

  eTrust CA-ACF2 Security - ACFRPTEL - INFORMATION STORAGE UPDATE LOG - PAGE    1 
  DATE 11/03/08 (08.308) TIME 09.57 SAMPLE ACFRPTEL                               
    DATE     TIME        JNAME    LID      MODULE   FUNCTION CPU  C-TYP-NAME    
    FIELD       OLD VALUE                NEW VALUE                             
  08.308 11/03 10:51       USER009  USER009  ACF0AENT INSERT   SYS1 P-USR-CERTDATACERTAUTH.LOCALMB
     *** NO FIELDS CHANGED ***                                                  

Example 6: Logonid USER006 REMOVE certificate MESRV.CERT from KEYRING MYRING.RING:

  eTrust CA-ACF2 Security - ACFRPTEL - INFORMATION STORAGE UPDATE LOG - PAGE    1 
  DATE 11/03/08 (08.308) TIME 09.57 SAMPLE ACFRPTEL                               
    DATE     TIME        JNAME    LID      MODULE   FUNCTION CPU  C-TYP-NAME    
    FIELD       OLD VALUE                NEW VALUE                                
  08.308 11/03 12:21       USER006  USER006  ACF0AENT REPLACE  SYS1 P-USR-KEYRING 
    CERTDATA     C-CERTAUTH.MYCA,         C-CERTAUTH.MYCA                       
                 P-MESRV.CERT                                                   
    DEFAULT      MESRV.CERT               ---NULLS---                           
  08.308 11/03 12:21       USER006  USER006  ACF0AENT REPLACE  SYS1 P-USR-CERTDATA
    KEYRING      MYRING.RING              ---NULLS---                           

Details on the ACFRPTEL report can be found in "Chapter 5: ACFRPTEL-Infostorage Update Log" of the CA-ACF2 Security for z/OS Report and Utilities Guide.
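
To answer "when was this keyring or certificate last changed, and by whom" across a long report, the SYSPRINT output can be saved as text and summarised with a short script. The Python below is an added example, not CA code: it assumes the line layout of the sample output above, including an 8-character record-type column (KEYRING, CERTDATA, CERTKEYX) directly before the record name, and the function names parse_report, last_change and deletions are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: lines taken from the article's Example 1-3 output.
SAMPLE = """\
  eTrust CA-ACF2 Security - ACFRPTEL - INFORMATION STORAGE UPDATE LOG - PAGE    1
  DATE 11/03/08 (08.308) TIME 09.57 SAMPLE ACFRPTEL
    DATE     TIME        JNAME    LID      MODULE   FUNCTION CPU  C-TYP-NAME
    FIELD       OLD VALUE                NEW VALUE
  08.308 11/03 09:36       USER003  USER003  ACF0AENT DELETE   SYS1 P-USR-KEYRING USER002.RING
   RINGNAME     MMM keyring
  08.308 11/03 09:38       USER004  USER004  ACF0AENT REPLACE  SYS1 P-USR-KEYRING BES.RING
    CERTDATA     ---NULLS---              P-CERTAUTH.DESKTOP1
  08.308 11/03 09:39       USER005  USER005  ACF0AENT DELETE   SYS1 P-USR-CERTDATACERTDATA.DELSRV
"""

EVENT = re.compile(
    r"^\s*(?P<jul>\d\d\.\d{3})\s+\d\d/\d\d\s+(?P<time>\d\d:\d\d)\s+(?P<jname>\S+)\s+"
    r"(?P<lid>\S+)\s+(?P<module>\S+)\s+(?P<function>\S+)\s+(?P<cpu>\S+)\s+"
    r"(?P<cls>\w)-(?P<typ>\w{3})-(?P<rest>.*)$")
HEADER = re.compile(r"INFORMATION STORAGE UPDATE LOG|^\s*DATE\s|^\s*FIELD\s+OLD VALUE")

def parse_report(text):
    """Return one dict per change record; detail lines are kept verbatim in 'fields'."""
    events = []
    for line in text.splitlines():
        m = EVENT.match(line.rstrip())
        if m:
            ev = m.groupdict()
            rest = ev.pop("rest")  # assumption: 8-char record-type column, then the name
            ev.update(record=rest[:8].strip(), name=rest[8:].strip(), fields=[])
            ev["when"] = datetime.strptime(f'{ev.pop("jul")} {ev.pop("time")}', "%y.%j %H:%M")
            events.append(ev)
        elif line.strip() and events and not HEADER.search(line):
            events[-1]["fields"].append(line.strip())  # FIELD / OLD VALUE / NEW VALUE row
    return events

def last_change(events, records=("KEYRING", "CERTDATA", "CERTKEYX")):
    """Map (record, name) -> most recent event, i.e. last update time and logonid."""
    latest = {}
    for ev in events:
        key = (ev["record"], ev["name"])
        if ev["record"] in records and (key not in latest or ev["when"] >= latest[key]["when"]):
            latest[key] = ev
    return latest

def deletions(events):
    """List (when, logonid, record, name) for every DELETE in the report."""
    return [(e["when"], e["lid"], e["record"], e["name"]) for e in events if e["function"] == "DELETE"]
```

Repeated page headers are skipped, and a REPLACE line printed without a record name (as in Example 6) is kept with an empty name rather than dropped.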