
GIM69137S Using SMP/E Internet Retrieval With Shared Certificate In Top Secret


Article ID: 212496


Products

Top Secret

Issue/Introduction

When a user attempts to run SMP/E Internet Service Retrieval using a shared certificate, the following message is received:

GIM69137S ** USERID aaaaaaaa IS NOT AUTHORIZED TO ACCESS KEY RING uuuuuuuu/kkkkkkkk.  

The ORDERSERVER statement looks like this:

//ORDSRVR DD *
  <ORDERSERVER
    url="https://eapi.broadcom.com/receiveorder"
    keyring="uuuuuuuu/kkkkkkkk"
    certificate="cccccccc"
    inventory="all">
  </ORDERSERVER>

where:
'uuuuuuuu' is the ACID that owns the certificate
'kkkkkkkk' is the keyring name
'cccccccc' is the user certificate label

Does each user need to download their own user certificate or can they share the certificate on the owning ACID?

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

Users can share the same certificate on the owning ACID. Each user who shares it will need to be permitted the following:

IBMFAC(IRR.DIGTCERT.LIST) ACC(CONTROL)
IBMFAC(IRR.DIGTCERT.LISTRING) ACC(UPDATE)

These permits are required so that the user's ACID has permission to read other users' key rings and certificates.