The Security Key Lifecycle Manager for z/OS requires a z/OS® user ID that identifies the Security Key Lifecycle Manager for z/OS process to z/OS. For production deployments, launch Security Key Lifecycle Manager for z/OS using the JZOS launcher; see Setting up and running Security Key Lifecycle Manager for z/OS in Production Mode.
In addition, the Security Key Lifecycle Manager for z/OS must be able to retrieve the private key of your X.509 Digital Certificate; the private key is needed when servicing tape write and read requests. For RACF® type keystores, the user ID under which the Security Key Lifecycle Manager for z/OS runs must be the owner of the certificate. See the z/OS Security Server Security Administrator's Guide for an explanation of the rules that govern access to private keys and certificates.
In all the following examples, the user ID ISKLMSRV is used. This user ID must have an OMVS segment with a UID defined, and it must be connected to a default group that has a GID. The UID need not be zero; any value is acceptable, and you can either let RACF assign the UID automatically (AUTOUID) or define it explicitly. The home directory in this user ID's OMVS segment is where the Security Key Lifecycle Manager for z/OS is started. The user ID must also run the standard shell (/bin/sh) at login. ISKLMSRV is defined as a protected user ID (NOPASSWORD NOOIDCARD), so it cannot be used to log on.
Note: In OMVS, the configuration file permission is set so that only the owner can read or write the configuration file. If you log on as a user ID that is not the owner of the configuration file, you do not have permission to write to it, and you might encounter an error similar to this:
java.io.FileNotFoundException: /u/isklmsrv/JA0/ISKLMConfig.properties.zos.JCECCARACFKS (EDC5111I Permission denied.)
You might encounter this error when stopping the server, running the refresh operation, or changing passwords. As a best practice, log on using the user ID that owns the configuration file.
The use of italics indicates fields that you can customize in this example.
AU ISKLMSRV DFLTGRP(SYS1) OMVS(AUTOUID HOME(/u/ISKLMSRV) PROGRAM(/bin/sh)) NOPASSWORD NOOIDCARD
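As an added example (not from the IBM documentation), a small POSIX shell pre-flight check for the permission problem described in the note above: it confirms that the shell is running under the expected user ID and that the configuration file is owned by that ID with owner-only read/write permission, before you stop the server, run a refresh, or change passwords. The user ID ISKLMSRV and the configuration file path are taken from this page; the script, its file name and its function names are assumptions.

```shell
#!/bin/sh
# Pre-flight check for the ISKLM configuration file permission problem.
# check_config_perms FILE OWNER: returns 0 when FILE is a regular file owned
# by OWNER with read/write for the owner only (-rw-------), 1 otherwise with
# a diagnostic on stderr. It parses ls -l rather than stat(1) because z/OS
# UNIX System Services and Linux do not share a common stat command.
check_config_perms() {
    file=$1
    expected_owner=$2
    if [ ! -f "$file" ]; then
        echo "check: $file is missing or not a regular file" >&2
        return 1
    fi
    # ls -ld prints: mode links owner group size date name
    set -- $(ls -ld "$file")
    mode=$1
    owner=$3
    if [ "$owner" != "$expected_owner" ]; then
        echo "check: $file is owned by $owner, not $expected_owner;" \
             "writes will fail with EDC5111I Permission denied" >&2
        return 1
    fi
    case "$mode" in
        -rw-------*) return 0 ;;   # a trailing '+' or '.' (ACL/label flag) is fine
        *)
            echo "check: $file has mode $mode, expected -rw------- (owner only)" >&2
            return 1 ;;
    esac
}

# running_as USER: returns 0 when the effective user ID of this shell is USER.
running_as() {
    [ "$(id -un)" = "$1" ]
}

# Command-line use (assumed wrapper script name, not part of the product):
#   sh isklm_check.sh ISKLMSRV /u/isklmsrv/JA0/ISKLMConfig.properties.zos.JCECCARACFKS
if [ $# -eq 2 ]; then
    running_as "$1" || { echo "check: logged on as $(id -un), not $1" >&2; exit 1; }
    check_config_perms "$2" "$1" || exit 1
    echo "check: OK, $2 is writable by $1"
fi
```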