Pommier, Rex wrote: >Is anybody using the old encryption key manager for tape encryption?
Not me, so please do not take me seriously. Ok? ;-) >I'm working on setting it up using RACF as my key store. The documentation >that comes with it says specifically that the userid that the EKM runs under >does not need to be UID=0. However, when I try to start the EKM software, if >I start it with the userid having root, the software starts up just fine. If >I change the UID to something non-zero, the EKM fails to start. What about setting RACF AUDIT on for that id (ATTRIBUTES=UAUDIT ) (and stop start the EKM software to pick u the changes) and perhaps turn on auditing (success and failure) for profiles in one class after the other until you get the profile? > I can't find anything in the doc that says what authority I need to give the > EKM userid and the extent of error messages I get is this (no RACF > violations): >No symmetric keys in symmetricKeySet, LTO drives cannot be supported. >Does anybody have any thoughts offhand as to what authorizations I should give >this ID - or are others running this as root? What about trying z/OS SSL Trace? (GSKSRVR and friends) >I'm thinking of just starting down the IRR.DIGTCERT type profiles granting >access to see if I can find it but I'd rather not just shoot from the hip on >this. It could help. AFAIK, IRR.DIGTCERT.<???> has no relevance with the UID status, but I could be wrong, especially if your certs and keys are not stored in RACF. Alternatively try to contact the vendor of EKM. As I stated, I have NO knowledge about that. Good luck! Groete / Greetings Elardus Engelbrecht ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
