Hi Vince,
I'm glad you are trying to get things running. I think I probably need
to tweak the documentation some in relation to the Google Cloud Platform and
using the JSON credentials that they create. In short, a Crypto Express card is
required if you are going to use the credentials file from GCP. The cause of
that is because the credentials file has an RSA private key as part of it, and
we need to import that into the ICSF PKDS. That import process requires the
crypto card.
The allow-No-CEX setting applies only to the AES256 key that is saved
in the ICSF CKDS, and it means that you are okay with the reduced security of
the encryption key because there is no Crypto Express card with a master key to
wrap that encryption key as it is stored in the CKDS. (Without the CEX, the
encryption key is 'in the clear' in the CKDS, so anyone that can access the
CKDS can get the encryption key.)
Sincerely,
Andrew Wilt
DFSMSdfp CDA (Cloud Data Access) Product Owner
IBM Z Content Solutions | IBM z/OS Cloud Data Access
z/OS DFSMS Community
-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of
Vince Re
Sent: Thursday, February 19, 2026 7:17 AM
To: [email protected]
Subject: [EXTERNAL] Help configuring GDKUTIL on system with no crypto processor
I have Google service account credentials in a JSON file that I want to
configure GDKUTIL to work with, but I can't get it configured. This is on z/OS
3.1 and GDKUTIL is at UJ97023.
Some of the documentation I've read suggests that with "allow-no-CEX": true in
the configuration file (~/gdk/config.json), this should work, but I don't seem
able to get it configured properly - I get "Keyfile doesn't have any entries
specified for the current user" no matter what I try.
So far, I copied the sample from /usr/lpp/dfsms/gdk/providers/GCP.json to
~/gdk/providers/GCP.json and changed the obviously missing things in it, like
the region.
In my ~/gdk/config.json, I have "allow-no-CEX": true. In my ~/gdk/gdkkeyf, I
have a file like this:
    {
      "Credentials": [
        {
          "user": "<username>",
          "provider": "GCP",
          "key_data": {
            <copy of the service account JSON file from Google>
          }
        }
      ]
    }
I tried running GDKAUTHP (EX 'SYS1.SAXREXEC(GDKAUTHP)'). It shows the "GCP"
cloud provider (presumably from my GCP.json file), but the Encryption
Parameters "Provider" option is blank both on the initial and subsequent
screen. If I try to save the credentials, I get "Specify all parameters
please!" as an error message.
I also tried GDKUTIL CREDENTIAL(ADD) PROVIDER(GCP), but it gives me this error:
GDKU0101E ERROR DURING CREDENTIALS(ADD) REQUEST. GDKRC=117: The GDKKEYAD
service was unable to generate a symmetric key
ERROR: encryptKeys: Unable to generate a key. CSNBKGN rc: 12, rsn:0000
I get this error even though I have ICSF running, the CKDS/PKDS initialized,
and the correct (far as I can tell) RACF options to allow me to do this (there
are no security violations on the console, at least). That RC 12 seems to be
saying that GDKUTIL tried something not allowed without a crypto card. I think
I have the PTF for OA67674 installed properly that's supposed to honor
"allow-no-CEX", but it doesn't seem to be working for me. GDKUTIL doesn't seem
to honor the "log-level": "DEBUG" tag in the configuration file, so there's
little added information.
I verified that all my JSON files are syntactically okay by cutting and pasting
them into an online JSON parser - no obvious syntax errors. I've also tried
storing the JSON files in both EBCDIC and ASCII with no difference.
In desperation, I wrote a small C program that calls GDKINIT and GDKWRITE; it
has the same behavior.
Does anyone maybe have a working GCP example you can share, or any hints at all
about how to diagnose this?
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to
[email protected] with the message: INFO IBM-MAIN
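
An added example, not part of the original thread and not IBM's code: a pre-flight check in Python that applies the distinction from the reply above (RSA private key in the credentials needs the PKDS import and so the card; allow-no-CEX covers only the AES256 key in the CKDS) to the gdkkeyf layout quoted in the thread. The function names, finding labels, exact-match user comparison and sample values are assumptions constructed for illustration.

```python
import json

# Constructed sample inputs (not real credentials). The outer layout is the
# gdkkeyf layout quoted in the thread; the fields inside key_data follow
# Google's service account JSON format.
SAMPLE_CONFIG = '{"allow-no-CEX": true, "log-level": "DEBUG"}'
SAMPLE_KEYFILE = json.dumps({"Credentials": [{
    "user": "IBMUSER", "provider": "GCP",
    "key_data": {
        "type": "service_account",
        "client_email": "demo@example-project.iam.gserviceaccount.com",
        "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n"
                       "-----END PRIVATE KEY-----\n"}}]})

def holds_private_key(node):
    """Recursively look for a PEM private-key header anywhere in key_data."""
    if isinstance(node, str):
        return "-----BEGIN" in node and "PRIVATE KEY-----" in node
    if isinstance(node, dict):
        return any(holds_private_key(v) for v in node.values())
    if isinstance(node, list):
        return any(holds_private_key(v) for v in node)
    return False

def preflight(config_text, keyfile_text, user, provider):
    """Return findings for one user/provider pair (hypothetical helper)."""
    config = json.loads(config_text)
    entries = json.loads(keyfile_text).get("Credentials", [])
    # Assumption: entries are matched on exact user and provider strings.
    mine = [e for e in entries
            if e.get("user") == user and e.get("provider") == provider]
    findings = []
    if not mine:
        findings.append("no-entry-for-user")
    for entry in mine:
        if holds_private_key(entry.get("key_data", {})):
            # Per the reply: the RSA private key must be imported into the
            # PKDS, and that import requires a Crypto Express card.
            findings.append("needs-crypto-express")
    if config.get("allow-no-CEX") is True:
        # Per the reply: with no CEX master key to wrap it, the AES256 key
        # is stored in the clear in the CKDS.
        findings.append("ckds-key-unwrapped-if-no-cex")
    return findings

if __name__ == "__main__":
    for finding in preflight(SAMPLE_CONFIG, SAMPLE_KEYFILE, "IBMUSER", "GCP"):
        print(finding)
```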