IBM Security Key Lifecycle Manager for z/OS, Version 1.1

Setting up a user ID to run the Security Key Lifecycle Manager for z/OS

The Security Key Lifecycle Manager for z/OS requires a z/OS® user ID that identifies the Security Key Lifecycle Manager for z/OS process to z/OS. For production deployments, start Security Key Lifecycle Manager for z/OS with the JZOS launcher; see Setting up and running Security Key Lifecycle Manager for z/OS in Production Mode. In addition, the Security Key Lifecycle Manager for z/OS must be able to retrieve the private key of your X.509 digital certificate, because the private key is needed to service tape write and read requests. For RACF® keystores, the user ID under which the Security Key Lifecycle Manager for z/OS runs must be the owner of the certificate. See the z/OS Security Server RACF Security Administrator's Guide for the rules that govern access to private keys and certificates.

In all the following examples, the user ID of ISKLMSRV is used.

This user ID must have an OMVS segment with a UID and GID defined. The UID need not be zero; any value is acceptable. The home directory in the user ID's OMVS segment is the directory in which the Security Key Lifecycle Manager for z/OS is started. RACF does not create that directory: create it in the z/OS UNIX file system with exactly the case used in the OMVS segment, because z/OS UNIX path names are case-sensitive. The user ID must also run the standard shell (/bin/sh) at login and be connected to a default group that has a GID in its OMVS segment. You can let RACF assign the UID automatically with AUTOUID, which requires the BPX.NEXT.USER profile in the FACILITY class and the SHARED.IDS profile in the UNIXPRIV class to be defined, or you can specify the UID explicitly with UID(nnn). The ISKLMSRV user ID is a protected user ID: it has no password and cannot be used to log on, which also means it cannot be revoked by failed logon attempts.
Note: In z/OS UNIX, the permissions of the configuration file are set so that only its owner can read or write it. If you log on with a user ID that does not own the configuration file, you cannot write to it, and you might see an error similar to this one:

java.io.FileNotFoundException: /u/isklmsrv/JA0/ISKLMConfig.properties.zos.JCECCARACFKS (EDC5111I Permission denied.)

This error can occur when stopping the server, running the refresh operation, or changing passwords. As a best practice, log on with the user ID that owns the configuration file.
In this example, the user ID (ISKLMSRV), the default group (SYS1), and the home directory path are the fields you can customize for your installation. The command is shown on one line so that it can be entered in TSO as is:

AU ISKLMSRV DFLTGRP(SYS1) OMVS(AUTOUID HOME(/u/ISKLMSRV) PROGRAM(/bin/sh)) NOPASSWORD NOOIDCARD

NOPASSWORD, with no password phrase assigned, is what makes ISKLMSRV a protected user ID. After the command completes, verify the OMVS segment with LISTUSER ISKLMSRV OMVS NORACF.
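The note above describes the EDC5111I Permission denied failure that occurs when an administrator who does not own the configuration file tries to stop the server, refresh, or change passwords. As an added example, not part of the IBM documentation, the following z/OS UNIX shell script is a pre-flight check to run before those operations: it confirms that the user ID you are logged on with owns the configuration file and that group and other have no access to it. The script name isklm_preflight.sh and the return codes are assumptions for this example; the configuration file path in the usage comment is the one from the note, so substitute your own.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): pre-flight check for the
# ISKLM configuration file, run as the user ID you are logged on with before
# stopping the server, running a refresh, or changing passwords.
# Only ls, cut, awk and id are used, so it runs in the z/OS UNIX shell and on
# any other POSIX system for testing.

# Owner name of a file or directory: field 3 of `ls -ld`.
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Numeric owner UID: field 3 of `ls -ldn` (robust when no name lookup exists).
file_owner_uid() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# Permission string of a file or directory: field 1 of `ls -ld`, e.g. -rw-------.
file_mode() {
    ls -ld "$1" | awk '{ print $1 }'
}

# 0 if the current user is the owner, 1 otherwise.
owned_by_current_user() {
    [ "$(file_owner_uid "$1")" = "$(id -u)" ]
}

# 0 if group and other have no permission bits, i.e. characters 5-10 of the
# mode string are all '-' (modes such as 0600 or 0700), 1 otherwise.
owner_only_mode() {
    [ "$(file_mode "$1" | cut -c5-10)" = "------" ]
}

# Combined check. Return codes (assumed for this example):
#   0  safe to proceed
#   1  you are not the owner (the EDC5111I Permission denied case)
#   2  the file is accessible to group or other
#   3  the file does not exist
preflight() {
    cfg="$1"
    if [ ! -e "$cfg" ]; then
        echo "preflight: $cfg does not exist" >&2
        return 3
    fi
    if ! owned_by_current_user "$cfg"; then
        echo "preflight: you are $(id -un) but $cfg is owned by $(file_owner "$cfg");" \
             "log on with the owning user ID before stopping, refreshing, or changing passwords" >&2
        return 1
    fi
    if ! owner_only_mode "$cfg"; then
        echo "preflight: $cfg is accessible to group/other ($(file_mode "$cfg"));" \
             "restore owner-only access with: chmod 600 $cfg" >&2
        return 2
    fi
    return 0
}

# Usage, with the configuration file path from the note above (substitute yours):
#   sh isklm_preflight.sh /u/isklmsrv/JA0/ISKLMConfig.properties.zos.JCECCARACFKS
if [ $# -eq 1 ]; then
    preflight "$1"
fi
```

The ownership comparison uses numeric UIDs so that it still works if the owner has no name in the user database; the name-based lookup is used only in the message. Because the check is a plain function, it can also be sourced into a larger operations script and called before each administrative step.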

