CICS DFHXS1218 Access error on ACF2 key ring / certificate

Article ID: 247408

Updated On:

Products

ACF2 - z/OS

Issue/Introduction

The CICS region gets errors when accessing a key ring:
+DFHXS1218 CICSname The CICS region userid CICSname is not authorized to access keyring TSTRING
  DFHPA1909 CICSnameSYSA DATA INVALID FOR 'KEYRING'. RESPECIFY KEYWORD AND DATA OR BYPASS WITH '.END': 'TSTRING'.

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

The CICS region is getting resource class FACILITY violations for resource IRR.DIGTCERT.LISTRING.

There are two resource checks for a task (in this case CICSname) to access a key ring. If the first check fails, the second check is done.

  1. Ring-specific profile checking
    Resource Class:  RDATALIB  * ACF2 default TYPE(RDA)
    Resource:  <ringOwner>.<ringName>.LST
    Access:  READ

  2. Global profile checking
    Resource Class:  FACILITY  * ACF2 default TYPE(FAC)
    Resource:  IRR.DIGTCERT.LISTRING
    Access:   READ allows access to a key ring that is owned* by the user's own userid.
              UPDATE allows access to a key ring that is owned* by another user's userid.

When logonid CICSname did not have NON-CNCL, both checks failed. To allow logonid CICSname access to the key ring through the 'Global profile checking', you can update the TYPE(FAC) $KEY(IRR.DIGTCERT.LISTRING) rule to give logonid CICSname access. For example, using the RECKEY command:

ACF
SET RESOURCE(FAC)
RECKEY IRR.DIGTCERT.LISTRING ADD( UID(*************CICSname) SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)
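
The two-step check described above can be modelled to see which rule a given region needs, and to show that SERVICE(READ) on the global profile only covers a ring owned by the region's own userid. This is an added Python illustration, not ACF2 or Broadcom code; the function names, the userids CICSA and CERTOWN, and the grants table are constructed for the example.

```python
# Added illustration: a model of the two-step key ring check in this article.
# It is not ACF2 or CICS code; the grants are a constructed in-memory table.
from typing import NamedTuple

class Check(NamedTuple):
    resource_class: str   # SAF resource class
    resource: str         # resource name that is validated
    service: str          # access level the check asks for

def keyring_checks(requester, ring_owner, ring_name):
    """Return the two checks in the order the article lists them."""
    own_ring = requester.upper() == ring_owner.upper()
    return [
        # 1. Ring-specific profile: RDATALIB, ACF2 default TYPE(RDA)
        Check("RDATALIB", f"{ring_owner}.{ring_name}.LST", "READ"),
        # 2. Global profile: FACILITY, ACF2 default TYPE(FAC).
        #    READ for the user's own ring, UPDATE for another user's ring.
        Check("FACILITY", "IRR.DIGTCERT.LISTRING",
              "READ" if own_ring else "UPDATE"),
    ]

def evaluate(requester, ring_owner, ring_name, grants):
    """grants: set of (resource_class, resource, service) allowed to requester.
    Returns (allowed, check that granted access or None, checks that failed)."""
    failed = []
    for check in keyring_checks(requester, ring_owner, ring_name):
        if tuple(check) in grants:
            return True, check, failed
        failed.append(check)  # first check failed, so the second is done
    return False, None, failed

if __name__ == "__main__":
    # Constructed grant equivalent to the article's RECKEY ... SERVICE(READ)
    grants = {("FACILITY", "IRR.DIGTCERT.LISTRING", "READ")}
    for owner in ("CICSA", "CERTOWN"):   # own ring, then another user's ring
        ok, hit, failed = evaluate("CICSA", owner, "TSTRING", grants)
        print(f"ring {owner}.TSTRING:", "allowed" if ok else "denied")
        for c in failed:
            print(f"  failed  {c.resource_class} {c.resource} {c.service}")
        if hit:
            print(f"  granted {hit.resource_class} {hit.resource} {hit.service}")
```

For the ring owned by CERTOWN, the failed list names the two rules that would each permit access: READ on the ring-specific RDATALIB resource, or UPDATE on the global FACILITY resource.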