z/OS Cryptographic Services System SSL Programming
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Setting up the environment to run gskkyman

z/OS Cryptographic Services System SSL Programming
SC14-7495-00

gskkyman uses the DLLs that are installed with System SSL and must have access to these at run time. gskkyman must also have access to the message catalogs. The /bin directory includes a symbolic link to gskkyman, therefore, if your PATH environment variable contains this directory, gskkyman is located. If your PATH environment variable does not contain this directory, add /usr/lpp/gskssl/bin to your PATH using: 

     PATH=$PATH:/usr/lpp/gskssl/bin

/usr/lib/nls/msg/En_US.IBM-1047 (and /usr/lib/nls/msg/Ja_JP.IBM-939 for JCPT41J installations) include symbolic links to the message catalogs for gskkyman. If they do not include these links, add /usr/lpp/gskssl/lib/nls/msg to your NLSPATH using this command: 

     export NLSPATH=$NLSPATH:/usr/lpp/gskssl/lib/nls/msg/%L/%N
This setting assumes that your environment has the LANG environment variable set to En_US.IBM-1047 (or Ja_JP.IBM-939 for JCPT41J installations that expect Japanese messages and prompts). If LANG is not set properly, set the NLSPATH environment variable using this command: 
     export NLSPATH=/usr/lpp/gskssl/lib/nls/msg/En_US.IBM-1047/%N:$NLSPATH
or for JCPT41J installations that expect Japanese messages and prompts: 
     export NLSPATH=/usr/lpp/gskssl/lib/nls/msg/Ja_JP.IBM-939/%N:$NLSPATH

The DLLs for System SSL are installed into a partitioned data set (PDSE) in HLQ.SIEALNKE. These DLLs are not installed in SYS1.LPALIB by default. If System SSL is to execute in FIPS mode, the DLLs in the HLQ.SIEALNKE data set cannot be put into the LPA.

If the System SSL DLLs are not in either the dynamic LPA or system link list, you must set the STEPLIB environment variable to find the DLLs. For example: 
     export STEPLIB=$STEPLIB:<HLQ>.SIEALNKE

During installation, the sticky bit is set on for the gskkyman utility. If the sticky is turned off, attempts to invoke the gskkyman utility results in message GSK00009E indicating that a problem exists with the installation of the SSL utility, gskkyman.

To check the sticky bit setting, issue: 
ls -l /usr/lpp/gskssl/bin/gskkyman
The first part of the output should be:
-rwxr-xr-t

The t indicates that the sticky bit is on.

To set the sticky bit on, from an authorized id, issue: 
chmod +t /usr/lpp/gskssl/bin/gskkyman
If access to the ICSF callable services are protected with CSFSERV class profiles on your system, the user ID issuing the gskkyman utility might need to be given READ authority to call ICSF callable services CSFIQA, CSFPPRF, CSFPGKP, CSFPGSK, CSFPGAV, CSFPTRD, CSFPTRC, CSFPPKS, and CSFPPKV. If these callable services are protected with a generic CSF* profile in the CSFSERV class, access can be granted by entering:
PERMIT CSF* CLASS(CSFSERV) ID(user-ID) ACCESS(READ)
SETROPTS RACLIST(CSFSERV) REFRESH
Parent topic: Certificate/Key management

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014