CSM Migration Tool CSM2ZOSM to z/OSMF gets certificate errors in RACF environment

Article ID: 272978

Products

CHORUS SOFTWARE MANAGER COMMON SERVICES FOR Z/OS Common Services

Issue/Introduction

Running Broadcom's CSM Migration Tool to migrate a CSI fails with one of the following errors:

*ERROR* (hwthconn) at time: 06:07:15
Rexx RC: 0, Toolkit ReturnCode: 262
DiagArea.Service: 1245184
DiagArea.ReasonCode: 202
DiagArea.ReasonDesc: Error detected while opening the certificate database

*ERROR* (hwthconn) at time: 06:07:15
Rexx RC: 0, Toolkit ReturnCode: 262
DiagArea.Service: 1441793
DiagArea.ReasonCode: 428
DiagArea.ReasonDesc: Key entry does not contain a private key

Environment

Release : 6.0

Resolution

The RACF userid of the user running the CSM Conversion Tool needs access to the keyring and to the private key of the PERSONAL certificate that z/OSMF uses.

It is recommended to use the RDATALIB class to share the keyring and certificate between the IZUSVR started task and the users running the Conversion Tool. Here are the steps to do this in RACF:

  1. Define the RDATALIB profile for the keyring:

    RDEFINE RDATALIB ringowner.ringname.LST UACC(NONE)

    Example: for the default z/OSMF keyring, ringowner.ringname.LST is IZUSVR.IZUKEYRING.IZUDFLT.LST. Replace every instance of ringowner.ringname.LST with the values for your system.

  2. Permit access for the users that need the z/OSMF keyring:

    PERMIT ringowner.ringname.LST CLASS(RDATALIB) ID(userid_for_conversion_user) ACCESS(CONTROL)
    PERMIT ringowner.ringname.LST CLASS(RDATALIB) ID(userid_for_IZUSVR_STC) ACCESS(CONTROL)

  3. If the RDATALIB class is not active, activate and RACLIST it:

    SETROPTS CLASSACT(RDATALIB) RACLIST(RDATALIB)

  4. If the RDATALIB class is already active, refresh the RACLISTed profiles instead:

    SETROPTS RACLIST(RDATALIB) REFRESH
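The RDATALIB steps above as one batch TSO job, followed by two RACF commands that verify the result. This is an added example, not part of the Broadcom article: the job card is a placeholder, CSMUSER is an assumed userid for the Conversion Tool user, and the ring name is the article's IZUSVR.IZUKEYRING.IZUDFLT example.

```jcl
//CSMRACF  JOB (ACCT#),'RDATALIB FOR CSM2ZOSM',CLASS=A,MSGCLASS=X
//* Constructed example. Replace the job card, CSMUSER and the
//* ring owner/name with your site's values before submitting.
//*
//* 1. RDEFINE protects the z/OSMF keyring profile with no default
//*    access (UACC(NONE)).
//* 2. The two PERMITs grant CONTROL to the Conversion Tool user
//*    and to the IZUSVR started-task userid, the access the
//*    article requires for the PERSONAL certificate and its key.
//* 3. SETROPTS activates/RACLISTs the class, then refreshes it so
//*    the new profile and access list take effect immediately.
//* 4. RLIST ... AUTHUSER shows the resulting access list;
//*    RACDCERT LISTRING shows the certificates on the ring and
//*    their USAGE, which must include the z/OSMF server
//*    certificate connected as PERSONAL.
//*
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE RDATALIB IZUSVR.IZUKEYRING.IZUDFLT.LST UACC(NONE)
  PERMIT IZUSVR.IZUKEYRING.IZUDFLT.LST CLASS(RDATALIB) +
    ID(CSMUSER) ACCESS(CONTROL)
  PERMIT IZUSVR.IZUKEYRING.IZUDFLT.LST CLASS(RDATALIB) +
    ID(IZUSVR) ACCESS(CONTROL)
  SETROPTS CLASSACT(RDATALIB) RACLIST(RDATALIB)
  SETROPTS RACLIST(RDATALIB) REFRESH
  RLIST RDATALIB IZUSVR.IZUKEYRING.IZUDFLT.LST AUTHUSER
  RACDCERT ID(IZUSVR) LISTRING(IZUKEYRING.IZUDFLT)
/*
```

If the ring listed by RACDCERT does not show the z/OSMF certificate with USAGE PERSONAL, the Conversion Tool will still fail with the "Key entry does not contain a private key" error above, whatever the RDATALIB access list says.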

The alternative is to use FACILITY class rules, as described below. The RDATALIB method above is much simpler and is the recommended approach.

If the certificate is not owned by SITE, complete steps 1-4. If SITE already owns the certificate, skip to step 5:

  1. EXPORT the certificate to a dataset in PKCS12 format.
  2. DELETE the certificate from the RACF database.
  3. Re-INSERT (ADD) the certificate under an owner of SITE.
  4. Re-CONNECT the certificate to the keyring with USAGE(PERSONAL).
  5. Grant the user the following FACILITY class access:

    PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(userid_for_conversion_user) ACCESS(UPDATE)
    PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY) ID(userid_for_conversion_user) ACCESS(CONTROL)