Zowe: setting up the Zowe server ID to access digital certificates and key rings

Article ID: 281298


Products

Brightside

Issue/Introduction

The sandbox shows multiple errors, such as "Eureka request failed to endpoint" and "Caused by: java.io.IOException: R_datalib (IRRSDL00) error: not RACF authorized to use the requested service (8, 8, 8)".

Environment

Zowe: all releases

Cause

The issue happens when the started task (STC) user doesn't have control of the key ring.

Resolution

With RACF: To permit the Zowe server ID to access the key ring, certificate, and private key, use either the FACILITY class or the RDATALIB class, as follows.

In this scenario:

  • Certificate is signed by an external CA.
  • Key ring name is RING01.
  • Certificate and key ring are owned by ZWESVUSR, which is the Zowe server user ID.

To use the FACILITY class:
    1. Grant the Zowe server user ID (ZWESVUSR) UPDATE access to the key ring:
       PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(ZWESVUSR) ACCESS(UPDATE)
    2. If the FACILITY class is not already active, activate and RACLIST it:
       SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY)
    3. If the FACILITY class is already active and RACLISTed, refresh it:
       SETROPTS RACLIST(FACILITY) REFRESH
    4. Permit the Zowe server user ID to access the private key. It needs CONTROL access to IRR.DIGTCERT.GENCERT:
       PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY) ID(ZWESVUSR) ACCESS(CONTROL)

To use the RDATALIB class:
    1. Define the key ring profile in the RDATALIB class and permit the Zowe server user ID CONTROL access to it:
       RDEFINE RDATALIB ZWESVUSR.RING01.LST UACC(NONE)
       PERMIT ZWESVUSR.RING01.LST CLASS(RDATALIB) ID(ZWESVUSR) ACCESS(CONTROL)
    2. If the RDATALIB class is not already active, activate and RACLIST it:
       SETROPTS CLASSACT(RDATALIB) RACLIST(RDATALIB)
    3. If the RDATALIB class is already active and RACLISTed, refresh it:
       SETROPTS RACLIST(RDATALIB) REFRESH
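
To confirm the result before restarting the Zowe started task, the batch TSO job below lists the key ring and the access lists of the profiles used in both methods. It is an added example, not part of the original article: the job card, job name and step name are constructed, and it assumes the submitting user ID is authorized to issue RACDCERT, RLIST and SETROPTS LIST for these resources.

```jcl
//ZWECHECK JOB (ACCT),'VERIFY RING ACCESS',CLASS=A,MSGCLASS=X
//* Constructed job card: change accounting, CLASS and MSGCLASS
//* to match site standards.
//*
//* The SYSTSIN commands, in order:
//*  1. RACDCERT LISTRING : RING01 exists under ZWESVUSR and shows
//*     the connected certificates (label, owner, usage).
//*  2. RACDCERT LIST     : certificates owned by ZWESVUSR; the
//*     server certificate must show that a private key exists.
//*  3. RLIST FACILITY    : access lists of the two FACILITY
//*     profiles; expect ZWESVUSR with UPDATE on LISTRING and
//*     CONTROL on GENCERT (FACILITY method).
//*  4. RLIST RDATALIB    : access list of the ring profile;
//*     expect ZWESVUSR with CONTROL (RDATALIB method). A
//*     "not found" reply is normal if only FACILITY was used.
//*  5. SETROPTS LIST     : the class in use must appear among
//*     both the active classes and the RACLISTed classes.
//*
//RACFCHK  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT ID(ZWESVUSR) LISTRING(RING01)
  RACDCERT ID(ZWESVUSR) LIST
  RLIST FACILITY IRR.DIGTCERT.LISTRING AUTHUSER
  RLIST FACILITY IRR.DIGTCERT.GENCERT AUTHUSER
  RLIST RDATALIB ZWESVUSR.RING01.LST AUTHUSER
  SETROPTS LIST
/*
```

If a PERMIT was issued after the last SETROPTS RACLIST(...) REFRESH, RLIST can already show the new access while the in-storage profiles still hold the old one, so refresh the class again before retesting.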

Additional Information

For additional information, please refer to:

Configuring the z/OSMF key ring and certificate