How to establish the framework for TKLM or ISKLM for z/OS on my system?
As documented in the z/OS Initialization and Tuning Reference Guides, in the EKM section of the IECIOSxx member description:
In-band tape encryption requires that the IOS address space has security permission for a USS segment. The USS segment is only for TCP/IP connectivity. UID(0) or superuser ability is not required. For example, in RACF, issue the following command:
ADDUSER IOSAS OMVS(UID(nnnn) HOME('/'))
where nnnn is a unique numeric uid.
Be sure to include the STARTED class profiles (or comparable security definitions) so that the IOSAS address space is assigned the userid and its uid when it is started at IPL.
Sample commands to achieve this are:
RDEFINE STARTED IOSAS.* OWNER(owngrp) AUDIT(none) UACC(NONE)
RALTER STARTED IOSAS.* STDATA(USER(IOSAS) GROUP(group1))
Note: Ensure that IOSAS is connected to group1 and that group1 has an OMVS segment and gid.
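The following REXX exec is an added example, not part of the IBM documentation quoted above. It covers the group prerequisites named in the note and then lists the definitions so they can be checked before the next IPL. It assumes group1 already exists, uses mmmm as a placeholder for a unique numeric gid, and issues the STARTED refresh on the assumption that the class is RACLISTed.

```rexx
/* REXX - added example, not from the IBM documentation.           */
/* Assumptions: group1 already exists; mmmm is a placeholder for a */
/* unique numeric gid; the caller has sufficient RACF authority.   */
address TSO

/* Prerequisites from the note: group1 needs an OMVS segment with  */
/* a gid, and IOSAS must be connected to group1.                   */
"ALTGROUP group1 OMVS(GID(mmmm))"
"CONNECT IOSAS GROUP(group1)"

/* Assumes the STARTED class is RACLISTed: refresh the in-storage  */
/* profiles so the IOSAS.* definition is picked up.                */
"SETROPTS RACLIST(STARTED) REFRESH"

/* Verify: IOSAS should show the non-zero UID nnnn and HOME of /,  */
/* group1 should show a GID, and the STDATA segment of IOSAS.*     */
/* should name USER IOSAS and GROUP group1.                        */
"LISTUSER IOSAS OMVS"
"LISTGRP group1 OMVS"
"RLIST STARTED IOSAS.* STDATA"
```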
|Security||IBM Security Key Lifecycle Manager for z/OS||z/OS||1.1||All Editions|