I have Google service account credentials in a JSON file that I want to
configure GDKUTIL to work with, but I can't get it configured. This is on z/OS
3.1 and GDKUTIL is at UJ97023.
Some of the documentation I've read suggests that with "allow-no-CEX": true in
the configuration file (~/gdk/config.json), this should work, but I don't seem
able to get it configured properly - I get "Keyfile doesn't have any entries
specified for the current user" no matter what I try.
So far, I copied the sample from /usr/lpp/dfsms/gdk/providers/GCP.json to
~/gdk/providers/GCP.json and changed the obviously missing things in it, like
the region.
In my ~/gdk/config.json, I have "allow-no-CEX": true. In my ~/gdk/gdkkeyf, I
have a file like this:
    {
      "Credentials": [
        {
          "user": "<username>",
          "provider": "GCP",
          "key_data": {
            <copy of the service account JSON file from Google>
          }
        }
      ]
    }
I tried running GDKAUTHP (EX 'SYS1.SAXREXEC(GDKAUTHP)'). It shows the "GCP"
cloud provider (presumably from my GCP.json file), but the Encryption
Parameters "Provider" option is blank both on the initial and subsequent
screen. If I try to save the credentials, I get "Specify all parameters
please!" as an error message.
I also tried GDKUTIL CREDENTIAL(ADD) PROVIDER(GCP), but it gives me this error:
GDKU0101E ERROR DURING CREDENTIALS(ADD) REQUEST. GDKRC=117: The GDKKEYAD
service was unable to generate a symmetric key
ERROR: encryptKeys: Unable to generate a key. CSNBKGN rc: 12, rsn:0000
I get this error even though I have ICSF running, the CKDS/PKDS initialized,
and the correct (far as I can tell) RACF options to allow me to do this (there
are no security violations on the console, at least). That RC 12 seems to be
saying that GDKUTIL tried something not allowed without a crypto card. I think
I have the PTF for OA67674 installed properly that's supposed to honor
"allow-no-CEX", but it doesn't seem to be working for me. GDKUTIL doesn't seem
to honor the "log-level": "DEBUG" tag in the configuration file, so there's
little added information.
I verified that all my JSON files are syntactically okay by cutting and pasting
them into an online JSON parser - no obvious syntax errors. I've also tried
storing the JSON files in both EBCDIC and ASCII with no difference.
In desperation, I wrote a small C program that calls GDKINIT and GDKWRITE; it
has the same behavior.
Does anyone maybe have a working GCP example you can share, or any hints at all
about how to diagnose this?