Technical Blog Post
Abstract
Issuing Connect:Direct for z/OS Secure+ Certificate Expiration Validation (CR) and REFRESH (RF) Commands
Body
How to Get the Secure+ Certificate Expiration Validation Information With Initialization Parameters, IUI Commands, Console Commands, and Via DMBATCH.
You want to know when certificates in your C:D keyring or key database will expire, with plenty of notice before a certificate actually expires. C:D can provide this information automatically at startup, and you can also have the validation command issued daily at a specific time of day. You can also set how far in advance you want to be told that a certificate is approaching its expiration date, so that you can take action to help prevent an outage between you and your remote trading partners.
To have this information reported automatically in your joblog, code the following initialization parameters:
1. CHECK.CERT.EXPIRE - This parameter indicates whether or not Sterling Connect:Direct will check the validity of certificates.
2. CHECK.CERT.EXPIRE.TIME - This parameter specifies the time of day that Sterling Connect:Direct will check the validity of certificates.
3. CHECK.CERT.EXPIRE.WARN.DAYS - This parameter specifies the number of days prior to the certificate expiration date that a warning message will be issued.
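To show how a warning window and a daily check time interact across a set of certificates, here is an added Python example (not from the original post and not IBM code) that classifies an inventory and computes the first daily check at which each certificate would fall inside the window. The labels, dates, sample parameter values, and the boundary rule (flag once the remaining lifetime is at or below the warn-days value) are assumptions; the post does not state Connect:Direct's exact comparison.

```python
from datetime import datetime, time, timedelta

# Constructed inventory: (certificate label, notAfter). Labels and dates are made up.
INVENTORY = [
    ("CDNODE.PROD.SERVER", datetime(2025, 3, 10, 23, 59, 59)),
    ("PARTNER.A.CA", datetime(2025, 2, 1, 12, 0, 0)),
    ("PARTNER.B.CLIENT", datetime(2026, 1, 15, 0, 0, 0)),
    ("OLD.TEST.CERT", datetime(2025, 1, 5, 8, 30, 0)),
]

def first_warning(not_after, warn_days, check_time):
    """Earliest daily check that falls inside the warning window."""
    window_opens = not_after - timedelta(days=warn_days)
    candidate = datetime.combine(window_opens.date(), check_time)
    if candidate < window_opens:  # that day's check ran before the window opened
        candidate += timedelta(days=1)
    return candidate

def triage(inventory, now, warn_days, check_time):
    """Classify each certificate and sort the most urgent first."""
    rows = []
    for label, not_after in inventory:
        remaining = not_after - now
        if remaining <= timedelta(0):
            status = "EXPIRED"
        elif remaining <= timedelta(days=warn_days):  # assumed boundary rule
            status = "WARN"
        else:
            status = "OK"
        rows.append({
            "label": label,
            "status": status,
            "days_left": remaining.days,
            "first_warning": first_warning(not_after, warn_days, check_time),
        })
    return sorted(rows, key=lambda r: r["days_left"])

if __name__ == "__main__":
    # Sample values standing in for CHECK.CERT.EXPIRE.WARN.DAYS and CHECK.CERT.EXPIRE.TIME.
    for r in triage(INVENTORY, datetime(2025, 1, 20, 6, 0), 30, time(6, 0)):
        print(f'{r["label"]:<20} {r["status"]:<8} {r["days_left"]:>4}d '
              f'first warning {r["first_warning"]:%Y-%m-%d %H:%M}')
```

Comparing the first-warning date with how long your CA or trading partner takes to turn around a renewal is a quick way to judge whether the chosen warn-days value leaves enough lead time.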
You can also check certificate expiration dates with a command. This command can be issued three ways:
1. You can log onto the IUI, go to the ADMIN Menu, and enter S on the command line. From there you can issue the CR - Execute Certificate Expiration Validation Command.
2. You can issue the CR command from the console. Be sure that you have added the CR command to the SDGAOPLS file (OPLIST V5.0):
PROC 0
***
*** EXECUTE SECURE+ CERTIFICATE EXPIRATION VALIDATION
***
EXECUTE SECURE CERTCK
SIGNOFF
Be sure to load this into the SDGAOPLS (OPLIST) file as member CR.
3. You can issue the command from a DMBATCH batch job:
//JOBCARE JOB (ACCT INFO),'**********',NOTIFY=&SYSUID,
// REGION=1024K,MSGCLASS=X,CLASS=Q
//************************************************************/
//* */
//* DMBATCH - ISSUE Secure+ CR COMMAND */
//* */
//************************************************************/
//DMBATCH EXEC PGM=DMBATCH,REGION=1024K,PARM=(YYSLYNN)
//STEPLIB DD DISP=SHR,DSN=YOUR.CD.SDGALINK
//DMNETMAP DD DISP=SHR,DSN=YOUR.CD.NETMAP
//DMPUBLIB DD DISP=SHR,DSN=YOUR.CD.SDGAPROC
//DMMSGFIL DD DISP=SHR,DSN=YOUR.CD.MSG
//DMPRINT DD SYSOUT=*
//NDMCMDS DD SYSOUT=*
//APITRACE DD SYSOUT=*
//SYSIN DD *
SIGNON
EXECUTE SECURE CERTCK
SIGNOFF
/*
//
In all three cases, the user issuing the command must have Secure+ security access.
Additionally, you can issue the Secure REFRESH (RF) command from the IUI, console, or DMBATCH:
1. You can log onto the IUI, go to the ADMIN Menu, and enter S on the command line. From there you can issue the RF - Execute Refresh Secure Plus Environment Command.
2. You can issue the RF command from the console. Be sure that you have added the RF command to the SDGAOPLS (OPLIST) file:
PROC 0
***
*** EXECUTE SECURE+ REFRESH
***
EXECUTE SECURE REFRESH
SIGNOFF
Be sure to load this into the SDGAOPLS (OPLIST) file as member RF.
3. You can issue the command from a DMBATCH batch job:
//JOBCARE JOB (ACCT INFO),'**********',NOTIFY=&SYSUID,
// REGION=1024K,MSGCLASS=X,CLASS=Q
//************************************************************/
//* */
//* DMBATCH - ISSUE Secure+ RF COMMAND */
//* */
//************************************************************/
//DMBATCH EXEC PGM=DMBATCH,REGION=1024K,PARM=(YYSLYNN)
//STEPLIB DD DISP=SHR,DSN=YOUR.CD.SDGALINK
//DMNETMAP DD DISP=SHR,DSN=YOUR.CD.NETMAP
//DMPUBLIB DD DISP=SHR,DSN=YOUR.CD.SDGAPROC
//DMMSGFIL DD DISP=SHR,DSN=YOUR.CD.MSG
//DMPRINT DD SYSOUT=*
//NDMCMDS DD SYSOUT=*
//APITRACE DD SYSOUT=*
//SYSIN DD *
SIGNON
EXECUTE SECURE REFRESH
SIGNOFF
/*
//
UID
ibm11123569