About TSSXVSDT

TSSXVSDT Digital Certificate Backout › About TSSXVSDT

About TSSXVSDT

TSSXVSDT is a batch utility that assists in backing out of the VSAM digital certificate feature. Due to the VSAM requirement for r15, if digital certificates or keyrings must be backed out from the VSAM file, steps 15-22 of the VSAM Digital Certificate Backout procedure must be executed using r12 or r14 of CA Top Secret.

Important! If you maintain multiple security files through CPF, prevent CPF from sending the backout commands to multiple nodes. Work with each system and security file as a single entity.

Important! To no longer use the VSAM file, you must use an r14 and earlier release of CA Top Secret.

TSSXVSDT

This procedure is done on a system where the VSAM digital certificate feature is active and digital certificates and keyrings are loaded in the VSAM file.

Follow these steps:

Enter the command:
```
TSS LIST(ACIDS) DIGICERT(ALL)
```
A list of all digital certificates added to all users is displayed.
Count and record the number of certificates.
For each user displayed in the previous list, enter the command:
```
TSS LIST(user) DIGICERT(ALL)
```
Detailed information for all certificates belonging to the user is displayed.
Enter the command:
```
TSS LIST(ACIDS) KEYRING(ALL)
```
A list of all keyrings added to all users is displayed.
Count and record the number of keyrings.
For each user displayed in the previous list, enter the command:
```
TSS LIST(user) KEYRING(ALL)
```
Detail information for all keyrings belonging to the user is displayed.
Use the BACKUP control option to create a backup of both the current BDAM security file and the VSAM certificate file. The backups can be used to restore the files in the event of an emergency.
Edit the TSSXVSDT batch utility. Enter:
- The existing VSAM file containing the digital certificate and keyring records.
- A new VSAM file that will be defined by IDCAMS and populated by the batch utility.
- A sequential output file that will contain TSS EXPORT commands.
- A sequential output file that will contain TSS ADD commands.
- A SYSIN input statement with the format:
```
	DCDSN(xxxxxxx.xxxxxxxx.xxxxxxxxx)
```
  The name specified is used as a prefix to create the DCDSN operand on both the TSS EXPORT and TSS ADD commands created by the utility. The prefix can have a maximum length of 26 characters and must conform to standard MVS data set naming conventions.
- A SYSIN input statements with the format:
```
	PKCSPASS(pppppppp)
```
  The password specified is used to create the PKCSPASS operand on both the TSS EXPORT and TSS ADD commands created by the utility. The password can have a maximum length of 32 characters.
Run the TSSXVSDT batch utility:
The utility generates:
- A new VSAM file with all digital certificate records and keyring records removed, leaving only KERBEROS records if they exist.
- File CMDEXPT containing TSS EXPORT commands for all digital certificate records found in the existing VSAM file.
- File CMDADD containing TSS ADD commands for all digital certificate records and keyring records found in the existing VSAM file.
- A summary report listing the execution results of the utility and any errors found during processing. A non-zero completion code is accompanied by an error message that should be self-explanatory. Correct the error and rerun the utility as often as necessary.
  The summary report contains number of:
  - VSAM input records.
  - VSAM output records.
  - Digital certificate records deleted. This should match the number of certificates recorded in step 2.
  - Keyring records deleted. This should match the number of keyrings recoded in step 5.
Edit TSSXVTMP, enter the CMDEXPT file name created by the batch utility TSSXVSDT. This file holds the TSS EXPORT commands to be executed.
Run the batch job TSSXVTMP.
The batch job executes IKJEFT01 to read the TSS command file as input and execute the TSS EXPORT commands. The existing VSAM file is used as input to generate the DCDSN data sets with the certificate data required by the TSS ADD process. A unique data set is allocated and cataloged for each TSS EXPORT command executed, the data set names have the format:
```
DCDSN(xxxxxxxx.xxxxxxxx.xxxxxxxx.aaaaaaaa.dddddddd)
```
xxxxxxxx

The prefix specified on the input DCDSN statement.

aaaaaaaa

Specifies the ACID that owns the certificate.

dddddddd

Specifies the certificate name.
Edit batch job TSSXVOFF, enter:
- The name of the BDAM security file found on the SECFILE DD statement in your current TSS started task procedure.
- A SYSIN input statement with the format:
```
OFF vvvvvvvv
```
  vvvvvvvv
  
  Set to either VSAMDCRT or VSAMALL.
To disable all VSAM processing specify VSAMALL. To determine if VSAM is needed review the count of VSAM output records in step 9. If the count is 1 VSAM can be disabled. If the number of output records is greater than 1 you have KERBEROS records stored in VSAM that require continued VSAM processing and you should only disable certificate and keyring VSAM processing.

To disable VSAM digital certificate and keyring processing specify VSAMDCRT on the input statement. This allows the continued VSAM handling of KERBEROS records that have been migrated to VSAM.
Run batch job TSSXVOFF
The batch job turns off the appropriate VSAM feature flags located in the BDAM security file to disable VSAM processing.
Edit the TSS and TSSB started task procedures to reflect the new processing requirements:
- If you are disabling VSAM processing completely, remove all VSAM related DD statements from the procedures, including VSAMFILE, VSAMBKUP, VSAMAIX, and VSMPATH.
- If you are only disabling VSAM certificate and keyring processing, remove the DD statements for VSAMAIX and VSMPATH and modify the DD statement VSAMFILE to point at the new VSAM file generated by TSSXVSDT.
- If you are sharing the security file make the same modifications to the started task procedures on all systems.
Shut down and restart the CA Top Secret address space using the updated procedure. The restart should include the startup parameter:
```
REINIT (S TSS,,,REINIT)
```
If you are sharing the security file shut down and restart the CA Top Secret address space with the updated procedure on all systems as soon as possible to prevent the creation of new certificates and keyrings or the update of existing certificates and keyrings in VSAM that will not be reflected in the backout process.

When the TSS address space is restarted there will be no certificates or keyrings available for processing. Any product or process requiring a digital certificate should be quiesced until the certificates are completely restored.
Edit TSSXVTMP. Enter the CMDADD file name created by TSSXVSDT, this file holds the TSS ADD commands to be executed.
Run TSSXVTMP.
This job executes IKJEFT01 to read the TSS command file as input and execute the TSS ADD commands. The commands use the DCDSN data sets created by the TSS EXPORT commands as input to add the digital certificates to the appropriate users, add digital certificates to keyrings, and add keyrings to users where required.
Review the list output from the execution of the commands and make sure they completed successfully.
Shut down and restart the CA Top Secret address space using the procedure from step 15. The restart should include the startup parameter:
```
REINIT (S TSS,,,REINIT)
```
Repeat the TSS LIST commands in steps 1 to 6. The TSS LIST(ACIDS) is entered as TSS LIST(SDT) commands since the data is no longer in VSAM.
The commands provide a new directory of digital certificate and keyring objects after they have been restored to the BDAM security file.
Compare the TSS LIST command output to verify that all certificates and keyrings have been correctly restored to the BDAM security file. The digital certificate and keyring counts from both steps should match.
(Optional) Discard the command files and the DCDSN files generated to support the backout process.

Note: For information on the TSS EXPORT and TSS ADD commands for digital certificates and keyrings, see the Command Functions Guide and the Cookbook.