Preventing Certificate Deletion and Rollover after GENREQ
The product now provides the following preventative measures when you are creating a digital certificate based on an existing certificate:
- If you issue the GENREQ command (to generate a request for creating a signed certificate to replace an existing certificate), the product prevents the deletion of the existing certificate until the following process is complete:
  - You have sent the request to a certificate authority and obtained the signed certificate from the authority.
  - The product has inserted the new certificate over the original certificate.
  Retaining the original certificate during the process prevents the loss of the private key when the product replaces the original certificate with the new certificate.
  Note: You can use the FORCE keyword to forcibly remove the original certificate if necessary (for example, if the GENREQ command was issued against this certificate in error).
- If you issue the GENREQ command and then request ROLLOVER processing before the signed certificate has been returned and has replaced the existing self-signed certificate, the product issues an error message. This check prevents the self-signed certificate from being moved into the key rings to which the original certificate was connected, at which point services that use the key ring might not work as intended.
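The following is an added model of the two safeguards just described, written for this page and not taken from the product. It assumes hypothetical names (`Certificate`, `genreq`, `delete_certificate`, `insert_signed`, `rollover`) and a constructed in-memory certificate store; the point it shows is that the original certificate, and with it the private key, cannot be deleted while a request is outstanding unless FORCE is used, and that ROLLOVER is refused until the signed certificate has come back.

```python
# Added model of the GENREQ safeguards; names and store are hypothetical.


class CertificateError(Exception):
    """Raised when an operation is blocked by a GENREQ safeguard."""


class Certificate:
    def __init__(self, label, key_rings=()):
        self.label = label
        self.self_signed = True           # not yet signed by a certificate authority
        self.genreq_pending = False       # True from GENREQ until the signed cert is inserted
        self.key_rings = list(key_rings)  # key rings this certificate is connected to
        self.private_key = f"key-for-{label}"  # constructed stand-in for the key material


def genreq(cert):
    """Generate a signing request; the original is protected from now on."""
    cert.genreq_pending = True
    return f"CSR for {cert.label}"


def delete_certificate(store, label, force=False):
    """Delete a certificate; refused while a GENREQ is pending unless FORCE is given."""
    cert = store[label]
    if cert.genreq_pending and not force:
        raise CertificateError(
            f"{label}: GENREQ pending, deleting now would lose the private key; use FORCE")
    del store[label]
    return True


def insert_signed(cert):
    """The CA-signed certificate is inserted over the original; the private key is kept."""
    if not cert.genreq_pending:
        raise CertificateError(f"{cert.label}: no outstanding request")
    cert.self_signed = False
    cert.genreq_pending = False
    return cert.private_key


def rollover(old_cert, new_cert):
    """Move new_cert into the key rings old_cert is connected to.

    Refused while new_cert still awaits its signed certificate, so a self-signed
    certificate never reaches rings that services depend on.
    """
    if new_cert.genreq_pending:
        raise CertificateError(
            f"{new_cert.label}: ROLLOVER rejected, signed certificate not yet returned")
    new_cert.key_rings = list(old_cert.key_rings)
    old_cert.key_rings = []
    return new_cert.key_rings


def blocked(operation, *args, **kwargs):
    """True if the operation is refused by a safeguard, False if it succeeds."""
    try:
        operation(*args, **kwargs)
    except CertificateError:
        return True
    return False


if __name__ == "__main__":
    store = {"OLDCERT": Certificate("OLDCERT", key_rings=["HTTPSRING"]),
             "NEWCERT": Certificate("NEWCERT")}
    print(genreq(store["NEWCERT"]))
    print("delete blocked:", blocked(delete_certificate, store, "NEWCERT"))
    print("rollover blocked:", blocked(rollover, store["OLDCERT"], store["NEWCERT"]))
    print("key kept:", insert_signed(store["NEWCERT"]))
    print("rings after rollover:", rollover(store["OLDCERT"], store["NEWCERT"]))
```

Running the script walks through the intended order (GENREQ, signed certificate returned, ROLLOVER) and shows the two refusals that occur when a step is attempted too early.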
Variable Substitution in the HOME Value for a MODLUSER ACID
When using a model record with BPX.UNIQUE.USER, you do not need to modify the user’s OMVS profile record to set the HOME value. You can specify a variable for the HOME value of a MODLUSER ACID. When MODLUSER information is added to a user’s ACID record, a user ID value replaces the variable. Substitution occurs as follows:
- Specifying &ACID (or a mixed-case entry) translates to an uppercase user ID value.
- Specifying &acid translates to a lowercase user ID value.
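As an added illustration of the substitution rule (not product code), the function below applies it to a HOME template. The function name `substitute_home` and the sample ACID are assumptions; the rule it encodes is the one stated above: exactly `&acid` becomes the lowercase user ID, while `&ACID` or any mixed-case spelling becomes the uppercase user ID.

```python
import re

# Matches &acid in any casing (&ACID, &acid, &Acid, ...).
_ACID_VAR = re.compile(r"&acid", re.IGNORECASE)


def substitute_home(home_template, acid):
    """Replace &acid variables in a MODLUSER HOME value with the user's ACID.

    Added model, not product code: exactly '&acid' yields the lowercase user ID;
    '&ACID' or any mixed-case spelling yields the uppercase user ID.
    """
    def replace(match):
        token = match.group(0)
        return acid.lower() if token == "&acid" else acid.upper()
    return _ACID_VAR.sub(replace, home_template)


if __name__ == "__main__":
    for template in ("/u/&acid", "/u/&ACID", "/u/&Acid", "/home/shared"):
        print(f"{template:14} -> {substitute_home(template, 'JSMITH')}")
```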
_POSIX_CHOWN_UNRESTRICTED Rule Changes
IBM APAR OA41364 introduced _POSIX_CHOWN_UNRESTRICTED rule changes that tighten the restrictions on non-superusers modifying the ownership of their files.
Prior to the changes, anybody could change the owner and group for their owned files to any UID and GID (when the CHOWNURS control option was turned on). Under the new rules, CHOWNURS is not supported. _POSIX_CHOWN_UNRESTRICTED mode is now in effect when resource CHOWN.UNRESTRICTED is defined in the UNIXPRIV class. User capability depends on level of access to CHOWN.UNRESTRICTED as follows:
- READ access provides the following authorization:
  - Allows a file owner to change the UID of the file to any non-0 UID.
  - Allows a file owner to change the GID of the file to a GID that is not in the owner's supplemental group list.
- UPDATE access allows the file owner to change the UID of the file to UID 0.
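The access rules above, expressed as an added decision function for review purposes (this is not the product's or IBM's implementation). Assumptions beyond the text: access levels are hierarchical (UPDATE includes READ), UID 0 is exempt from the check, the caller's group list includes both the primary and supplemental GIDs, and the function name `chown_permitted` and the sample UIDs and GIDs are constructed.

```python
from enum import IntEnum


class Access(IntEnum):
    """Access level to resource CHOWN.UNRESTRICTED in the UNIXPRIV class.
    Assumed hierarchical: UPDATE implies READ."""
    NONE = 0
    READ = 1
    UPDATE = 2


def chown_permitted(caller_uid, caller_gids, file_uid, file_gid, new_uid, new_gid, access):
    """Return (allowed, reason) for an attempt to set the file's owner to new_uid
    and its group to new_gid under _POSIX_CHOWN_UNRESTRICTED mode.

    caller_gids holds the caller's primary plus supplemental GIDs (assumption).
    """
    if caller_uid == 0:
        # Assumed baseline: the superuser is not subject to this check.
        return True, "superuser"
    if caller_uid != file_uid:
        return False, "only the file owner may change ownership"
    if new_uid != file_uid:  # the owner wants to give the file to another UID
        if new_uid == 0 and access < Access.UPDATE:
            return False, "UPDATE access to CHOWN.UNRESTRICTED required to change UID to 0"
        if new_uid != 0 and access < Access.READ:
            return False, "READ access to CHOWN.UNRESTRICTED required to change UID"
    if new_gid != file_gid and new_gid not in caller_gids and access < Access.READ:
        return False, "READ access to CHOWN.UNRESTRICTED required for a GID outside the owner's groups"
    return True, "permitted"


if __name__ == "__main__":
    # Constructed sample: owner UID 1001 in groups {100, 300}, file owned by 1001:100.
    cases = [
        ("owner -> UID 1002, READ", 1001, {100, 300}, 1001, 100, 1002, 100, Access.READ),
        ("owner -> UID 0, READ", 1001, {100, 300}, 1001, 100, 0, 100, Access.READ),
        ("owner -> UID 0, UPDATE", 1001, {100, 300}, 1001, 100, 0, 100, Access.UPDATE),
        ("owner -> GID 300 (own group), NONE", 1001, {100, 300}, 1001, 100, 1001, 300, Access.NONE),
        ("owner -> GID 200 (foreign), NONE", 1001, {100, 300}, 1001, 100, 1001, 200, Access.NONE),
        ("non-owner -> UID 2000, UPDATE", 2000, {100}, 1001, 100, 2000, 100, Access.UPDATE),
    ]
    for name, *args in cases:
        allowed, reason = chown_permitted(*args)
        print(f"{name:40} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The table printed by the script is a quick way to confirm, before enabling the profile, which requests each access level will let through and which will be rejected.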
Copyright © 2014 CA Technologies.
All rights reserved.