Preparing IOSAS to use TKLM for z/OS or ISKLM for z/OS

Technote (FAQ)


Question

How to establish the framework for TKLM or ISKLM for z/OS on my system?

Answer

As documented in the z/OS Initialization and Tuning Reference Guides, in the EKM section of the IECIOSxx member description:

In-band tape encryption requires that the IOS address space has security permission for a USS segment. The USS segment is only for TCP/IP connectivity. UID(0) or superuser ability is not
required. For example, in RACF, issue the following command:
ADDUSER IOSAS OMVS(UID(nnnn) HOME(’/’))
where nnnn is a unique numeric uid.

Be sure to include the STARTED class profiles (or comparable security definitions) so that the IOSAS address space is assigned the userid and its uid when it is started at IPL.

Sample commands to achieve this are:
RDEFINE STARTED IOSAS.* OWNER(owngrp) AUDIT(none) UACC(NONE)
and
RALTER STARTED IOSAS.* STDATA(USER(IOSAS) GROUP(group1))

Note: Ensure that IOSAS is connected to group1 and that group1 has an OMVS segment and gid.


Cross reference information
Segment Product Component Platform Version Edition
Security IBM Security Key Lifecycle Manager for z/OS z/OS 1.1 All Editions
Security IBM Security Key Lifecycle Manager for z/OS

Rate this page:

(0 users)Average rating

Document information


More support for:

IBM Security Key Lifecycle Manager
zOS

Software version:

1.0.0

Operating system(s):

z/OS

Software edition:

Enterprise

Reference #:

1427613

Modified date:

2014-03-07

Translate my page

Machine Translation

Content navigation