Various key ring utilities that interact with z/OS RACF key rings using the R_datalib API and the GSK APIs.

The keyring-util tool is the primary artifact produced by this repository.

The keyring-util program leverages the R_datalib callable service and the GSK CSM APIs to perform various operations on digital certificates and RACF key rings. The GSK CSM APIs are preferred when available; however, they don't always return complete metadata about certificate definitions, which the R_datalib callable service does provide.

To build, enter the build/ directory and execute the build.sh script.
Usage: `keyring-util function userid keyring label`

Parameters:
- function: see the Functions section below.
- userid: the owner of the keyring and of the certificate identified by label.
- keyring: the name of the keyring.
- (Optional) `-v`: verbose logging.
- Command-specific arguments: see Supported Arguments under each function.
Functions:

- LISTRING: lists keyring contents in a summarized format containing Label, Owner, Usage, Status, and Default.
  - Supported Arguments:
    - `-l <label>`: Optional. Limits output to certificates with an alias matching `label`.
    - `-u <usage>`: Optional. Limits output to certificates with USAGE matching `<usage>`. One of `CERTAUTH`, `PERSONAL`, `OTHER`.
    - `--label-only`: Optional. Limits output to the label field only. Takes priority over `--owner-only`.
    - `--owner-only`: Optional. Limits output to the owner field only.
  - Examples:
    - `keyring-util LISTRING USER01 RING02`
    - `keyring-util LISTRING USER01 RING02 -l SOMELBL`
    - `keyring-util LISTRING USER01 RING02 -u PERSONAL --label-only`
- NEWRING: creates a keyring.
  - Example: `keyring-util NEWRING USER01 RING02`
- DELRING: deletes a keyring.
  - Example: `keyring-util DELRING USER01 RING02`
- DELCERT: removes a certificate from a keyring or deletes a certificate from the RACF database.
  - Supported Arguments:
    - `-l <label>`: Required. Specifies the certificate to be removed, by label. Current limitation: the DELCERT function can only manipulate a certificate that is owned by the userid, i.e. it can't work with certificates owned by CERTAUTH, SITE or a different userid.
  - Examples:
    - The following example removes the CERT03 certificate owned by USER01 from the RING02 keyring owned by the USER01 userid: `keyring-util DELCERT USER01 RING02 -l CERT03`
    - The following example removes the CERT03 certificate owned by USER01 from the RACF database. The command fails if the certificate is still connected to some keyring: `keyring-util DELCERT USER01 '*' -l CERT03`
- EXPORT: exports a certificate in PEM format. The file is created in the current working directory with the name `<cert_alias>.pem`.
  - Supported Arguments:
    - `-l <label>`: Required. Specifies the certificate to be exported, by label.
  - Example: `keyring-util EXPORT USER01 RING02 -l CERT03` creates the file CERT03.pem.
- IMPORT: imports a certificate from a PKCS12 file. The certificate can be connected to a keyring as PERSONAL or CERTAUTH.
  - Supported Arguments:
    - `-l <label>`: Required. Specifies the certificate label of the created keyring certificate.
    - `-u <usage>`: Required. One of `CERTAUTH`, `PERSONAL`.
    - `-f </path/to/p12/file>`: Required. Specifies the path to the PKCS12 certificate being imported.
    - `-p <pkcs12-password>`: Required. Specifies the password required to open the PKCS12 certificate specified by `-f`.
  - Warning: the scenario where a private key is also imported currently works only with RACF.
  - Example: `keyring-util IMPORT USER01 RING02 -l CERT03 -u PERSONAL -f /path/to/file.p12 -p pkcs12_password`
- REFRESH: refreshes the DIGTCERT class.
  - Example: `keyring-util REFRESH`
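The following script is an added example and is not part of the keyring-util project. It transcribes the argument table documented above (which functions take a userid and keyring, which flags each function requires or accepts, and the permitted `-u` values) into a preflight check that validates a command line before it is submitted on z/OS, which is the kind of argument processing the improvement list below asks for. The `FUNCTIONS` table, the `parse_command` and `check` helpers and the returned `scope` field are this example's own assumptions, not an interface of keyring-util.

```python
"""Preflight validator for keyring-util command lines (added example).

Checks a command line against the documented syntax so that a typo in a
function name, a missing required flag, or a flag the function does not
support is caught before anything touches RACF.
"""
import shlex
import sys

# Per-function argument table transcribed from the documentation above.
# "ring": whether the function takes "userid keyring" positionals.
# "usages": accepted values for -u where the function supports it.
FUNCTIONS = {
    "LISTRING": {"ring": True, "required": set(),
                 "optional": {"-l", "-u", "--label-only", "--owner-only"},
                 "usages": {"CERTAUTH", "PERSONAL", "OTHER"}},
    "NEWRING": {"ring": True, "required": set(), "optional": set(), "usages": set()},
    "DELRING": {"ring": True, "required": set(), "optional": set(), "usages": set()},
    "DELCERT": {"ring": True, "required": {"-l"}, "optional": set(), "usages": set()},
    "EXPORT": {"ring": True, "required": {"-l"}, "optional": set(), "usages": set()},
    "IMPORT": {"ring": True, "required": {"-l", "-u", "-f", "-p"}, "optional": set(),
               "usages": {"CERTAUTH", "PERSONAL"}},
    "REFRESH": {"ring": False, "required": set(), "optional": set(), "usages": set()},
}
VALUE_FLAGS = {"-l", "-u", "-f", "-p"}            # each takes exactly one value
SWITCH_FLAGS = {"--label-only", "--owner-only"}   # take no value; -v is handled globally


def parse_command(argv):
    """Validate argv (a list or a shell-style string) and return a normalized dict.

    Raises ValueError naming the first problem found.
    """
    args = shlex.split(argv) if isinstance(argv, str) else list(argv)
    if args and args[0].endswith("keyring-util"):
        args = args[1:]                            # tolerate a leading program name
    if not args:
        raise ValueError("missing function")
    function = args[0].upper()
    spec = FUNCTIONS.get(function)
    if spec is None:
        raise ValueError(f"unknown function {function}")
    rest = args[1:]

    userid = keyring = None
    if spec["ring"]:
        if len(rest) < 2 or rest[0].startswith("-") or rest[1].startswith("-"):
            raise ValueError(f"{function} needs a userid and a keyring")
        userid, keyring, rest = rest[0].upper(), rest[1], rest[2:]

    options, verbose, i = {}, False, 0
    while i < len(rest):
        flag = rest[i]
        if flag == "-v":
            verbose, i = True, i + 1
        elif flag in SWITCH_FLAGS:
            options[flag], i = True, i + 1
        elif flag in VALUE_FLAGS:
            if i + 1 >= len(rest):
                raise ValueError(f"{flag} requires a value")
            options[flag], i = rest[i + 1], i + 2
        else:
            raise ValueError(f"unexpected argument {flag!r}")

    allowed = spec["required"] | spec["optional"]
    for flag in options:
        if flag not in allowed:
            raise ValueError(f"{flag} is not supported by {function}")
    for flag in spec["required"]:
        if flag not in options:
            raise ValueError(f"{function} requires {flag}")
    if "-u" in options and options["-u"].upper() not in spec["usages"]:
        raise ValueError(f"-u must be one of {sorted(spec['usages'])} for {function}")

    # DELCERT with keyring '*' deletes the certificate from the RACF database
    # instead of disconnecting it from a ring, so surface that distinction.
    scope = "racf_database" if function == "DELCERT" and keyring == "*" else "keyring"
    return {"function": function, "userid": userid, "keyring": keyring,
            "options": options, "verbose": verbose, "scope": scope}


def check(argv):
    """Return None when the command line is valid, otherwise the error message."""
    try:
        parse_command(argv)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    problem = check(sys.argv[1:])
    if problem:
        sys.exit(f"keyring-util preflight: {problem}")
    print(parse_command(sys.argv[1:]))
```

Run it as `python preflight.py LISTRING USER01 RING02 -u PERSONAL --label-only`; a valid line prints the normalized form, an invalid one exits non-zero with the reason. The `-p` value is echoed back in the normalized form, so keep that output out of shared logs.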
For any return and reason codes, check the R_datalib return and reason codes documentation.

There is room for improvement:
- command line argument processing and syntax (perhaps using the argp library from the ambitus project)
- extending the functionality of the R_datalib functions currently used
- adding support for other R_datalib functions

If you want to add support for other R_datalib functions, work with the following resource: Data areas for R_datalib callable service.