When the CICS region is set up to use SSL processing, the KEYRING= DFHSIT parameter is used. The CICS region failed to start and the following messages were received:
DFHXS1218 sysid THE CICS REGION USERID userid IS NOT AUTHORIZED TO ACCESS KEYRING ringname
DFHPA1909 sysid DATA ringname IS INVALID for KEYRING=. RESPECIFY KEYWORD AND DATA
How can the problem be resolved?
The KEYRING parameter points to a ringname that is owned by the CICS region logonid.
For example:
If the CICS region runs under logonid CICS001 and you specified KEYRING=cicsring,
the keyring that CICS would look for at initialization would be any keyring that has a record key of
CICS001.xxxxx and a ringname of cicsring:
KEYRING / CICS001.RING1 LAST CHANGED BY xxxxxxx ON 05/08/17-10:57
DEFAULT(CICS001.CERT) RINGNAME(cicsring)
The following certificates are connected to this key ring:
CERTDATA record   Label            Usage
CERTAUTH.CHAIN    CERTAUTH.CHAIN   CERTAUTH
CERTAUTH.ISSUE    CERTAUTH.ISSUE   CERTAUTH
CERTAUTH.ROOT     CERTAUTH.ROOT    CERTAUTH
CICS001.CERT      CICS001.CERT     PERSONAL
This keyring would be selected, but it will only be accepted if the owner also has READ access to the RDATALIB resource owner.ringname.LST (in this example, the resource would be CICS001.cicsring.LST).
An example rule:
$KEY(CICS001) TYPE(RDA)
cicsring.LST UID(CICS001) SERVICE(READ) ALLOW
If the region logonid doesn't have access to the resource, the above messages will be issued.
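A triage helper for the situation above, as an added example (not part of the original article or of any vendor tooling): it scans job log lines for DFHXS1218, derives the owner.ringname.LST resource the region logonid must be able to read, and prints rule lines in the same form as the example rule. The function name, the sample log lines and the sysid CICA are constructed for illustration, and UID() is assumed to equal the logonid as in the rule above.

```python
import re

# Message layouts as quoted in this article; matching is case-insensitive.
XS1218 = re.compile(
    r"\bDFHXS1218\s+(?P<sysid>\S+)\s+THE CICS REGION USERID\s+(?P<userid>\S+)"
    r"\s+IS NOT AUTHORIZED TO ACCESS KEYRING\s+(?P<ring>\S+)", re.I)
PA1909 = re.compile(
    r"\bDFHPA1909\s+(?P<sysid>\S+)\s+DATA\s+(?P<ring>\S+)\s+IS INVALID FOR KEYRING=",
    re.I)

def required_resources(log_lines):
    """One finding per distinct (userid, ringname) reported by DFHXS1218."""
    findings, rejected = {}, set()
    for line in log_lines:
        m = XS1218.search(line)
        if m:
            # Keep the ring name's case exactly as logged; only drop a
            # sentence-ending period if the log line carries one.
            ring = m["ring"].rstrip(".")
            findings.setdefault((m["userid"], ring), m["sysid"])
        m = PA1909.search(line)
        if m:
            rejected.add((m["sysid"], m["ring"].rstrip(".")))
    out = []
    for (userid, ring), sysid in findings.items():
        out.append({
            "sysid": sysid, "userid": userid, "ringname": ring,
            # owner.ringname.LST: the RDATALIB resource the region must READ
            "resource": f"{userid}.{ring}.LST",
            "rule_key": f"$KEY({userid}) TYPE(RDA)",
            # Assumption: UID() equals the logonid, as in the article's rule.
            "rule_entry": f"{ring}.LST UID({userid}) SERVICE(READ) ALLOW",
            # True when the same region also rejected KEYRING= (DFHPA1909)
            "sit_rejected": (sysid, ring) in rejected,
        })
    return out

# Constructed sample job log lines (sysid CICA is made up).
SAMPLE_LOG = [
    "(unrelated job log line)",
    "DFHXS1218 CICA THE CICS REGION USERID CICS001 IS NOT AUTHORIZED TO ACCESS KEYRING cicsring",
    "DFHPA1909 CICA DATA cicsring IS INVALID for KEYRING=. RESPECIFY KEYWORD AND DATA",
    "DFHXS1218 CICA THE CICS REGION USERID CICS001 IS NOT AUTHORIZED TO ACCESS KEYRING cicsring",
]

if __name__ == "__main__":
    for f in required_resources(SAMPLE_LOG):
        print(f"{f['sysid']}: {f['userid']} needs READ on RDATALIB {f['resource']}")
        print(f"  {f['rule_key']}\n   {f['rule_entry']}")
```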