Hi Dave,

Thanks for the info. I feel like an idiot now - enter head-slap mode...

RACF was/is set up properly. All the directories and datasets "within" the /u/ekmserv are set with the correct ownership, but I had missed setting ownership of the primary directory. D'oh!!!

Rex

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Jousma, David
Sent: Friday, October 17, 2014 6:28 AM
To: [email protected]
Subject: Re: old EKM software question

Is the home directory defined in the omvs segment /u/ekmserv? Is that directory owned by ID EKMSERV? I suspect not, and is probably owned by uid 0 ID. Do a chown -R ekmserv /u/ekmserv

We are a tss shop, and the id has the following facilities + the certificates needed.

XA CSFKEYS = IRR.DIGTCERT.DEVL.EKMSERV. ACCESS = READ
XA CSFKEYS = IRR.DIGTCERT.PROD.EKMSERV. ACCESS = READ
XA IBMFAC = BPX.CONSOLE ACCESS = READ
XA IBMFAC = BPX.DAEMON.HFSCTL ACCESS = READ
XA IBMFAC = IRR.DIGTCERT.LIST ACCESS = READ
XA IBMFAC = IRR.DIGTCERT.LISTRING ACCESS = READ

_________________________________________________________________
Dave Jousma
Assistant Vice President, Mainframe Engineering
[email protected]
1830 East Paris, Grand Rapids, MI 49546 MD RSCB2H
p 616.653.8429 f 616.653.2717

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Pommier, Rex
Sent: Thursday, October 16, 2014 5:35 PM
To: [email protected]
Subject: old EKM software question

Hi,

Is anybody using the old encryption key manager for tape encryption? I'm working on setting it up using RACF as my key store. The documentation that comes with it says specifically that the userid that the EKM runs under does not need to be UID=0. However, when I try to start the EKM software, if I start it with the userid having root, the software starts up just fine. If I change the UID to something non-zero, the EKM fails to start.

I can't find anything in the doc that says what authority I need to give the EKM userid, and the extent of error messages I get is this (no RACF violations):

Prod1:EKMSERV:/u/ekmserv: $ java -Djava.protocol.handler.pkgs=com.ibm.crypto.provider com.ibm.keymanager.EKMServer /u/ekmserv/KeyManagerConfig.properties
Loaded drive key store successfully
No symmetric keys in symmetricKeySet, LTO drives cannot be supported.
EKMServer:serverParams shutdown complete..
Exception occurs while shutting down the server.
shutting down EKM Server done
Prod1:EKMSERV:/u/ekmserv: $

The audit shows this error - second to last stanza (snipped the non-error stanzas):

Runtime event: outcome= result=successful event type=SECURITY_RUNTIME action=runEKMServer
Resource management event: outcome= result=successful event type=SECURITY_MGMT_RESOURCE action=retrieve
Resource management event: outcome= result=successful event type=SECURITY_MGMT_RESOURCE action=retrieve
Runtime event: outcome= result=unsuccessful event type=SECURITY_RUNTIME message=no symmetric Key aliases LTO drives not supported. action=stop
Runtime event: outcome= result=successful event type=SECURITY_RUNTIME action=runEKMServer
Resource management event: outcome= result=successful event type=SECURITY_MGMT_RESOURCE action=retrieve
Runtime event: timestamp=Thu Oct 16 15:22:36 GMT-05:00 2014 ComponentId= threadId=Thread main,5,main event source=com.ibm.keymanager.EKMServer outcome= result=unsuccessful event type=SECURITY_RUNTIME resource= name=EKM server;type=application action=start user= name=EKMAdmin
Runtime event: outcome= result=successful event type=SECURITY_RUNTIME action=stop

Does anybody have any thoughts offhand as to what authorizations I should give this ID - or are others running this as root? I'm thinking of just starting down the IRR.DIGTCERT type profiles granting access to see if I can find it, but I'd rather not just shoot from the hip on this.

TIA,
Rex

The information contained in this message is confidential, protected from disclosure and may be legally privileged. If the reader of this message is not the intended recipient or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure, distribution, copying, or any action taken or action omitted in reliance on it, is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and destroy the material in its entirety, whether in electronic or hard copy format. Thank you.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN

This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated.
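The gap the thread ends on is a home directory whose subtree was chowned but whose top directory was not. The check below is an added example, not code from anyone in the thread: given a service userid and its home directory, it lists every entry in the tree, the top directory itself included, that is not owned by that id, so a pre-start script can refuse to launch a non-UID-0 daemon until ownership is right. It assumes a POSIX shell with find(1) and id(1) (the same commands exist on z/OS UNIX); the function name and its arguments are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a service ID's home
# directory tree is owned by that ID before starting a daemon under a
# non-zero UID. Assumes POSIX find(1) and id(1); check_owner and its
# arguments are names chosen for this example.

# check_owner <userid|uid> <dir>
# Prints every path under <dir>, the top directory included, that is not
# owned by <userid>. Returns 0 when the whole tree is owned by <userid>,
# 1 when any entry is not, 2 on an unknown userid or missing directory.
check_owner() {
    user=$1
    dir=$2
    # A numeric uid is passed straight to find (POSIX allows it); a name
    # must resolve, otherwise find would fail and report nothing.
    case $user in
        ''|*[!0-9]*)
            if ! id -u "$user" >/dev/null 2>&1; then
                echo "unknown userid: $user" >&2
                return 2
            fi ;;
    esac
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    # find(1) visits the starting directory first, so a chown that was
    # applied to the contents but not the directory itself (the case in
    # the thread) shows up as the very first line.
    bad=$(find "$dir" ! -user "$user")
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Stand-alone use for the ID and directory from the thread:
#   check_owner ekmserv /u/ekmserv || echo "fix with: chown -R ekmserv /u/ekmserv"
```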
