CSM Migration Tool CSM2ZOSM to z/OSMF gets certificate errors in ACF2 environment

Article ID: 265854

Products

ACF2 - z/OS ACF2 ACF2 - MISC COMMON SERVICES FOR Z/OS CHORUS SOFTWARE MANAGER

Issue/Introduction

Trying to run Broadcom's CSM Migration tool to migrate a CSI fails with either of the following errors:

*ERROR* (hwthconn) at time: 06:07:15
Rexx RC: 0, Toolkit ReturnCode: 262
DiagArea.Service: 1245184
DiagArea.ReasonCode: 202
DiagArea.ReasonDesc: Error detected while opening the certificate database

*ERROR* (hwthconn) at time: 06:07:15
Rexx RC: 0, Toolkit ReturnCode: 262
DiagArea.Service: 1441793
DiagArea.ReasonCode: 428
DiagArea.ReasonDesc: Key entry does not contain a private key

Environment

Release : 16.0

Resolution

The logonid of the user running the CSM Conversion Tool needs access to the keyring, and to the private key of the PERSONAL certificate, that z/OSMF uses.

The recommended approach is to use the RDATALIB class so that the keyring and certificate are shared between the IZUSVR started task and the logonids that run the Conversion Tool. The steps in ACF2 are:

  1. The RDATALIB class will need to be made resident if it is not already:

    SET C(GSO)
    CHANGE INFODIR TYPES(R-RRDA) ADD
    F ACF2,REFRESH(INFODIR)

  2. Write resource rules for resource name <ringowner>.<ringname>.LST. Users need READ and UPDATE access.

    Example:
    SET R(RDA)
    RECKEY IZUSVR ADD( IZUKEYRING.IZUDFLT.LST UID(UID_for_conversion_user) SERVICE(READ,UPDATE) ALLOW)
    RECKEY IZUSVR ADD( IZUKEYRING.IZUDFLT.LST UID(UID_for_IZUSVR_STC) SERVICE(READ,UPDATE) ALLOW)
    F ACF2,REBUILD(RDA)

The alternative is to use FACILITY class rules, as described below. The RDATALIB class method above is much easier and is highly recommended.

If the certificate is not owned by SITECERT, complete steps 1-4. If SITECERT is the owner of the certificate, skip to step 5:

  1. EXPORT the certificate to a dataset in PKCS12 format
  2. DELETE the certificate from the ACF2 database
  3. re-INSERT the certificate under SITECERT.suffix
  4. re-CONNECT the certificate with USAGE PERSONAL to the keyring
  5. Grant the user the following FACILITY class access:

    1. READ and UPDATE access to IRR.DIGTCERT.LISTRING (READ so the logonid can read its own keyring if needed; UPDATE so it can read others' keyrings.)
    2. DELETE access to IRR.DIGTCERT.GENCERT
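The FACILITY class rules for step 5, written in the same RECKEY form as the RDATALIB example above. This is an added illustration, not part of the original article; it assumes the FACILITY class is resident under resource type FAC and uses the same placeholder UID string for the conversion user:

```text
SET R(FAC)
RECKEY IRR ADD( DIGTCERT.LISTRING UID(UID_for_conversion_user) SERVICE(READ,UPDATE) ALLOW)
RECKEY IRR ADD( DIGTCERT.GENCERT UID(UID_for_conversion_user) SERVICE(DELETE) ALLOW)
F ACF2,REBUILD(FAC)
```

Because UPDATE on IRR.DIGTCERT.LISTRING lets the logonid read any keyring on the system, scope the UID mask to the conversion user only rather than to a broad group.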