Hi,
Is anybody using the old encryption key manager for tape encryption? I'm
working on setting it up using RACF as my key store. The documentation that
comes with it says specifically that the userid that the EKM runs under does
not need to be UID=0. However, when I try to start the EKM software, if I
start it with the userid having root, the software starts up just fine. If I
change the UID to something non-zero, the EKM fails to start. I can't find
anything in the doc that says what authority I need to give the EKM userid, and
the full extent of the error messages I get is this (no RACF violations):
Prod1:EKMSERV:/u/ekmserv: $ java
-Djava.protocol.handler.pkgs=com.ibm.crypto.provider
com.ibm.keymanager.EKMServer /u/ekmserv/KeyManagerConfig.properties
Loaded drive key store successfully
No symmetric keys in symmetricKeySet, LTO drives cannot be supported.
EKMServer:serverParams shutdown complete..
Exception occurs while shutting down the server.
shutting down EKM Server done
Prod1:EKMSERV:/u/ekmserv: $
The audit shows this error - second to last stanza (snipped the non-error
stanzas):
Runtime event:
outcome= result=successful
event type=SECURITY_RUNTIME
action=runEKMServer
Resource management event:
outcome= result=successful
event type=SECURITY_MGMT_RESOURCE
action=retrieve
Resource management event:
outcome= result=successful
event type=SECURITY_MGMT_RESOURCE
action=retrieve
Runtime event:
outcome= result=unsuccessful
event type=SECURITY_RUNTIME
message=no symmetric Key aliases LTO drives not supported.
action=stop
Runtime event:
outcome= result=successful
event type=SECURITY_RUNTIME
action=runEKMServer
Resource management event:
outcome= result=successful
event type=SECURITY_MGMT_RESOURCE
action=retrieve
Runtime event:
timestamp=Thu Oct 16 15:22:36 GMT-05:00 2014
ComponentId= threadId=Thread main,5,main
event source=com.ibm.keymanager.EKMServer
outcome= result=unsuccessful
event type=SECURITY_RUNTIME
resource= name=EKM server;type=application
action=start
user= name=EKMAdmin
Runtime event:
outcome= result=successful
event type=SECURITY_RUNTIME
action=stop
Does anybody have any thoughts offhand as to what authorizations I should give
this ID - or are others running this as root?
I'm thinking of just starting down the IRR.DIGTCERT type profiles granting
access to see if I can find it but I'd rather not just shoot from the hip on
this.
TIA,
Rex
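The audit log above is the only place the failure is recorded, and the unsuccessful stanzas are buried among successful ones. The following is an added example, not code from the post or from the EKM product: a small Python script that splits an EKM audit file into stanzas and prints only the events whose outcome is unsuccessful, with whatever timestamp, user, resource and message each one carries. The stanza layout it assumes (a header line ending in "event:", then key=value lines, where a value that starts with a space and contains "=" is a nested group of name=value pairs separated by ";", as in "outcome= result=successful" and "resource= name=EKM server;type=application") is inferred from the snippet in the post, not taken from any EKM documentation. The embedded sample is a constructed copy of the posted stanzas.

```python
"""Pull the unsuccessful events out of an EKM audit log.

Example code written for this page, not part of the EKM product. The stanza
layout (header ending in "event:", key=value lines, nested groups written as
"key= a=b;c=d") is an assumption inferred from the posted snippet.
"""
from __future__ import annotations

from typing import Dict, List, Optional

# Constructed sample: the stanzas quoted in the post, non-error ones included.
SAMPLE_AUDIT = """\
Runtime event:
outcome= result=successful
event type=SECURITY_RUNTIME
action=runEKMServer
Resource management event:
outcome= result=successful
event type=SECURITY_MGMT_RESOURCE
action=retrieve
Runtime event:
outcome= result=unsuccessful
event type=SECURITY_RUNTIME
message=no symmetric Key aliases LTO drives not supported.
action=stop
Runtime event:
timestamp=Thu Oct 16 15:22:36 GMT-05:00 2014
ComponentId= threadId=Thread main,5,main
event source=com.ibm.keymanager.EKMServer
outcome= result=unsuccessful
event type=SECURITY_RUNTIME
resource= name=EKM server;type=application
action=start
user= name=EKMAdmin
Runtime event:
outcome= result=successful
event type=SECURITY_RUNTIME
action=stop
"""

HEADER_SUFFIX = "event:"


def parse_stanzas(text: str) -> List[Dict[str, str]]:
    """Split the audit text into stanzas, each a flat dict of fields.

    Nested groups are flattened with a dot: "outcome= result=x" becomes
    {"outcome.result": "x"}. The header ("Runtime event:") is stored under
    "kind" as "Runtime".
    """
    stanzas: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.endswith(HEADER_SUFFIX):
            current = {"kind": line[: -len(HEADER_SUFFIX)].strip()}
            stanzas.append(current)
            continue
        if current is None:
            # A field before any header means the file was truncated; skip it.
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip()
        # Assumption: "key= a=b;c=d" (value starts with a space and contains
        # "=") is a nested group; anything else is a plain value.
        if value.startswith(" ") and "=" in value:
            for part in value.split(";"):
                sub_key, _, sub_value = part.partition("=")
                current[f"{key}.{sub_key.strip()}"] = sub_value.strip()
        else:
            current[key] = value.strip()
    return stanzas


def failed_events(text: str) -> List[Dict[str, str]]:
    """Return only the stanzas whose outcome.result is 'unsuccessful'."""
    return [s for s in parse_stanzas(text)
            if s.get("outcome.result") == "unsuccessful"]


def describe(event: Dict[str, str]) -> str:
    """One-line summary: timestamp, user, kind/action, resource and message."""
    parts = [
        event.get("timestamp", "<no timestamp>"),
        event.get("user.name", "<no user>"),
        f"{event.get('kind', '?')}/{event.get('action', '?')}",
    ]
    if "resource.name" in event:
        parts.append(f"on {event['resource.name']} ({event.get('resource.type', '?')})")
    if "message" in event:
        parts.append(f"- {event['message']}")
    return " ".join(parts)


if __name__ == "__main__":
    import sys
    # Pass the audit file path as the first argument; the sample runs otherwise.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT
    for ev in failed_events(source):
        print(describe(ev))
```

Run against the real audit file, this isolates the two stanzas that matter: the "stop" with the LTO symmetric-key message, and the "start" of "EKM server" under user EKMAdmin that failed with no message at all. That second event is the one to line up, by timestamp, against whatever the key store or file system returned at the same moment, since the audit record itself names no resource that was denied.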
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN