Got "The private key of KEYX is not available or no authority to access the private key" with ESP REST API STC
Article ID: 393869

Products

ESP Workload Automation

Issue/Introduction

The ESP REST API STC failed with RC 0100 and the following error:

(JAVA Error excerpt) 

Caused by: java.io.IOException: The private key of KEYX is not available or no authority to access the private key

The RACF TLS configuration showed the following:
- The keyring is owned by USER1, but the REST API runs under USER2.
- The certificate is a SITE certificate.
- The certificate contains the private key. Listing the certificate shows Private Key: YES
- The private key is not stored in the crypto processor: the certificate listing does not contain PKDS Label:

Environment

Component: REST API
Release: ALL

Cause

The keyring is owned by USER1, but the REST API runs under USER2. Reading another user's certificate requires UPDATE access to IRR.DIGTCERT.LISTRING.

The certificate is a SITE certificate. To access the private key of a SITE certificate, USER2 needs CONTROL access to IRR.DIGTCERT.GENCERT. If the IRR.DIGTCERT.* profile in the RDATALIB class is used, USER2 also needs CONTROL authority to the <ringOwner>.<ringName>.LST resource in the RDATALIB class.

Resolution

The problem was resolved after making the following changes in RACF for USER2, the ESP REST API STC user ID:
- CONTROL access to IRR.DIGTCERT.GENCERT
- UPDATE access to IRR.DIGTCERT.LISTRING
- CONTROL access to ** in RDATALIB
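
The access changes listed above, written as RACF commands in a REXX exec with activation and verification steps. This is an added example, not text from the original article; it assumes the FACILITY and RDATALIB profiles already exist, that both classes are RACLISTed, and uses RINGNAME as a placeholder because the article does not give the keyring name.

```rexx
/* REXX - added example, not from the original article               */
owner  = "USER1"     /* keyring owner, from the article              */
stc    = "USER2"     /* ESP REST API STC user ID, from the article   */
ring   = "RINGNAME"  /* placeholder: article gives no keyring name   */

/* The article grants CONTROL on ** in RDATALIB. A narrower choice   */
/* is the ring's own resource USER1.RINGNAME.LST, which must be      */
/* created with RDEFINE before it can be permitted.                  */
rdprof = "**"

/* FACILITY: UPDATE on LISTRING to read another user's keyring       */
cmd.1 = "PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY)",
        "ID("stc") ACCESS(UPDATE)"
/* FACILITY: CONTROL on GENCERT to use a SITE private key            */
cmd.2 = "PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY)",
        "ID("stc") ACCESS(CONTROL)"
/* RDATALIB: CONTROL on the ring resource                            */
cmd.3 = "PERMIT" rdprof "CLASS(RDATALIB) ID("stc") ACCESS(CONTROL)"
/* Refresh the in-storage profiles so the permits take effect        */
cmd.4 = "SETROPTS RACLIST(FACILITY) REFRESH"
cmd.5 = "SETROPTS RACLIST(RDATALIB) REFRESH"
/* Verify: access lists should now show USER2 at the level granted   */
cmd.6 = "RLIST FACILITY IRR.DIGTCERT.LISTRING AUTHUSER"
cmd.7 = "RLIST FACILITY IRR.DIGTCERT.GENCERT AUTHUSER"
cmd.8 = "RLIST RDATALIB" rdprof "AUTHUSER"
/* Verify: the ring still lists the SITE certificate                 */
cmd.9 = "RACDCERT LISTRING("ring") ID("owner")"
cmd.0 = 9

do i = 1 to cmd.0
  address TSO cmd.i
  if rc <> 0 then do          /* stop at the first failing command   */
    say "RC="rc "from:" cmd.i
    exit rc
  end
end
exit 0
```

Restart the ESP REST API STC after the refresh so that it reopens the keyring under the new authority.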

Additional Information