I would use a different approach:

1. Map all applications that require a certificate.
2. Use SMF (or alternatives such as z/Secure or CA Cleanup) to see who is using them.
3. Get all certificates assigned to all users in their keyring.
4. Propagate the information. If user A uses application B that requires a certificate, and the certificate is in the keyring of the user, it is active; otherwise not (depending on the time window that you take the risk of deleting certificates). You can remove the certificate from the keyring, but keep it in RACF in case you will need to recover it.
5. Depending on your ability to supply application usage data, I can develop a REXX that you only need to update with this information.
6.
Best,
ITschak

IronSphere Platform | Information Security Continuous Monitoring for z/OS, x/Linux & IBM I | NEW: Support for all WUL platforms!

On Wed, Oct 22, 2025 at 11:47 AM Colin Paice <[email protected]> wrote:

> PAGENT cannot tell you this information.
> I can use TLS without using PAGENT, and so PAGENT would miss it.
>
> I do not think RACF does not have the facility to report what is used or
> not. You can display which certificates are on a keyring, and then
> display information about the certificate.
> The callable services R_datalib (IRRSDL00 or IRRSDL64): Certificate Data
> Library does not provide this information.
> There is an RDATALIB profile for IRR.DIGTCERT.<certOwner>.<certLabel> - but
> only if you add/alter/delete it
>
> Colin
>
> On Tue, 21 Oct 2025 at 19:38, Peter Ten Eyck <[email protected]> wrote:
>
> > Is there a way to report on what certificates within a given key ring are
> > being used? Of course, the expired stuff can be removed, but I would like
> > to verify that all the non-expired stuff is actually being used?
> >
> > I played around with z/Secure access monitored records and some SMF
> > records via z/Secure but was unsuccessful.
> >
> > Could PAGENT tell me something?
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to [email protected] with the message: INFO IBM-MAIN
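
The correlation described in steps 1 to 4 at the top of this thread, as an added Python example that is not part of any message in the thread or of any product named in it. All application names, user IDs, ring names and certificate labels are constructed, and the inputs are assumed to be already extracted (usage data from SMF or a similar source, keyring contents from RACF listings).

```python
from collections import defaultdict

# Constructed sample data; every name below is hypothetical.
# Step 1: applications that require a certificate, and the label each needs.
APP_CERTS = {"CICSWEB": "CICS.TLS.2025", "MQCHAN": "MQ.CHANNEL.CERT"}
# Step 2: (user, application) pairs seen in usage data within the chosen
# time window. Extracting these from SMF is assumed done elsewhere.
USAGE = [("CICSUSR", "CICSWEB"), ("BATCH01", "MQCHAN")]
# Step 3: certificates connected to each user's keyrings: user -> ring -> labels.
KEYRINGS = {
    "CICSUSR": {"CICSRING": ["CICS.TLS.2025", "OLD.TEST.CERT"]},
    "MQUSER": {"MQRING": ["MQ.CHANNEL.CERT"]},
    "BATCH01": {"BATCHRING": ["LEGACY.FTP.CERT"]},
}

def classify(app_certs, usage, keyrings):
    """Step 4: mark each (user, ring, label) as active or a removal candidate."""
    needed = defaultdict(set)  # user -> labels required by apps the user ran
    for user, app in usage:
        if app in app_certs:
            needed[user].add(app_certs[app])
    active, candidates = [], []
    for user, rings in sorted(keyrings.items()):
        for ring, labels in sorted(rings.items()):
            for label in labels:
                entry = (user, ring, label)
                (active if label in needed[user] else candidates).append(entry)
    # Usage that requires a certificate the user's own keyrings do not hold:
    # a gap in the mapping or the data, to resolve before any cleanup.
    held = {u: {l for ls in r.values() for l in ls} for u, r in keyrings.items()}
    missing = sorted((u, l) for u, ls in needed.items()
                     for l in ls if l not in held.get(u, set()))
    return active, candidates, missing

if __name__ == "__main__":
    active, candidates, missing = classify(APP_CERTS, USAGE, KEYRINGS)
    for title, rows in (("ACTIVE", active), ("CANDIDATE", candidates),
                        ("MISSING", missing)):
        for row in rows:
            print(title, *row)
```

In the sample, MQ.CHANNEL.CERT on MQUSER's ring is listed as a candidate only because the usage was recorded under BATCH01; the matching "missing" entry is the signal to review the mapping before disconnecting anything from a keyring.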
