How to define the keyrings and certificates to CICS? During CICS startup getting messages DFHXS1218 and DFHPA1909

Article ID: 14526

Products

CA ACF2, CA ACF2 - z/OS, CA ACF2 - MISC

Issue/Introduction

When the CICS region is set up to use SSL processing, the KEYRING= DFHSIT parameter is used. The CICS region failed to start and the following messages were received:

DFHXS1218 sysid THE CICS REGION USERID userid IS NOT AUTHORIZED TO ACCESS KEYRING ringname
DFHPA1909 sysid DATA ringname IS INVALID for KEYRING=.                 RESPECIFY KEYWORD AND DATA 

How can the problem be resolved?

Environment

Release: ACF2..001AO-16-ACF2
Component:

Resolution

The KEYRING= parameter names the RINGNAME of a keyring that is owned by the CICS region logonid.

For example:

If the CICS region runs under logonid CICS001 and you specify KEYRING=cicsring, the keyring that CICS looks for at initialization is any KEYRING record with a record key of CICS001.xxxxx (any suffix) whose RINGNAME is cicsring.

KEYRING / CICS001.RING1 LAST CHANGED BY xxxxxxx ON 05/08/17-10:57 
DEFAULT(CICS001.CERT) RINGNAME(cicsring) 
The following certificates are connected to this key ring: 

CERTDATA record     Label               Usage
CERTAUTH.CHAIN      CERTAUTH.CHAIN      CERTAUTH 
CERTAUTH.ISSUE      CERTAUTH.ISSUE      CERTAUTH
CERTAUTH.ROOT       CERTAUTH.ROOT       CERTAUTH
CICS001.CERT        CICS001.CERT        PERSONAL

This KEYRING record would be selected. It is only accepted, however, if the owning logonid also has READ access to the RDATALIB resource owner.ringname.LST (in this example the resource is CICS001.cicsring.LST).

An example rule:

$KEY(CICS001) TYPE(RDA)
cicsring.LST UID(CICS001) SERVICE(READ) ALLOW

If the region logonid doesn't have access to the resource, the above messages will be issued.
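The two checks described above (select a KEYRING record keyed owner.xxxxx with the matching RINGNAME, then verify READ access to owner.ringname.LST in the RDA rule set) can be walked through with a small model. The script below is an added example, not ACF2 code and not part of this article; it parses constructed text shaped like the KEYRING listing and the rule shown above, treats UID() as a simple prefix mask (a simplification of ACF2 UID-string masking), and reports which symptom a region logonid would hit. The second ring (CICS002.RING1) and its missing rule are constructed to show the failing case.

```python
import re

# Constructed sample KEYRING listing, shaped like the LIST output above.
# CICS002.RING1 is added so that the failing case can be shown.
KEYRING_LISTING = """\
KEYRING / CICS001.RING1 LAST CHANGED BY XXXXXXX ON 05/08/17-10:57
DEFAULT(CICS001.CERT) RINGNAME(cicsring)
KEYRING / CICS002.RING1 LAST CHANGED BY XXXXXXX ON 05/08/17-10:58
DEFAULT(CICS002.CERT) RINGNAME(cicsring)
"""

# Constructed RDA rule set, shaped like the example rule above.
# Only CICS001 is granted READ on its cicsring.LST resource.
RDA_RULES = """\
$KEY(CICS001) TYPE(RDA)
cicsring.LST UID(CICS001) SERVICE(READ) ALLOW
"""


def parse_keyrings(listing):
    """Map KEYRING record key -> RINGNAME from a listing."""
    rings, current = {}, None
    for line in listing.splitlines():
        m = re.match(r"KEYRING / (\S+)", line)
        if m:
            current = m.group(1).upper()
            continue
        m = re.search(r"RINGNAME\((\S+)\)", line)
        if m and current:
            rings[current] = m.group(1)
    return rings


def find_keyring(rings, logonid, ringname):
    """Stage 1: a record keyed logonid.xxxxx whose RINGNAME equals KEYRING=."""
    prefix = logonid.upper() + "."
    for key, name in rings.items():
        if key.startswith(prefix) and name == ringname:
            return key
    return None


def parse_rda_rules(rules):
    """Collect (owner, resource, uid mask, service) from ALLOW rule lines."""
    allowed, owner = [], None
    for line in rules.splitlines():
        m = re.match(r"\$KEY\((\S+)\)\s+TYPE\(RDA\)", line)
        if m:
            owner = m.group(1).upper()
            continue
        m = re.match(r"(\S+)\s+UID\((\S+)\)\s+SERVICE\((\S+)\)\s+ALLOW", line)
        if m and owner:
            allowed.append((owner, m.group(1).upper(),
                            m.group(2).upper(), m.group(3).upper()))
    return allowed


def has_read_access(allowed, logonid, owner, ringname):
    """Stage 2: READ on owner.ringname.LST under $KEY(owner) TYPE(RDA).
    UID() is treated as a prefix mask here (simplification)."""
    resource = (ringname + ".LST").upper()
    return any(
        o == owner.upper() and r == resource
        and logonid.upper().startswith(uid) and svc == "READ"
        for o, r, uid, svc in allowed
    )


def check_keyring(logonid, keyring_param,
                  listing=KEYRING_LISTING, rules=RDA_RULES):
    """Return (selected record key or None, status text)."""
    key = find_keyring(parse_keyrings(listing), logonid, keyring_param)
    if key is None:
        return None, "no KEYRING record %s.* with RINGNAME(%s)" % (
            logonid.upper(), keyring_param)
    owner = key.split(".", 1)[0]
    if not has_read_access(parse_rda_rules(rules), logonid, owner, keyring_param):
        return key, ("DFHXS1218 THE CICS REGION USERID %s IS NOT AUTHORIZED "
                     "TO ACCESS KEYRING %s" % (logonid.upper(), keyring_param))
    return key, "OK"


if __name__ == "__main__":
    for lid in ("CICS001", "CICS002"):
        print(lid, check_keyring(lid, "cicsring"))
```

Running it shows CICS001 selecting CICS001.RING1 and passing, while CICS002 selects its ring but fails the RDA check, which is the situation behind the messages in this article: the ring exists, but the region logonid lacks READ on owner.ringname.LST.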