Additional user ID requirements for TLS on z/OS
This information describes the additional requirements your user ID needs to set up and work with TLS on z/OS®.
Ensure that you have all the appropriate High Impact or Pervasive (HIPER) updates on your system.
If the key repository is owned by the CHINIT user ID, this user ID needs read access to the IRR.DIGTCERT.LISTRING profile in the FACILITY class, and update access otherwise, and read access to the IRR.DIGTCERT.LIST profile. Grant access by using the PERMIT command with ACCESS(UPDATE) or ACCESS(READ) as appropriate
- The ssidCHIN user ID is defined correctly in RACF®, and that the ssidCHIN user ID has
appropriate access to the following profiles:
- IRR.DIGTCERT.LIST
- IRR.DIGTCERT.LISTRING
- The ssidCHIN user ID is the owner of the key ring.
- The personal certificate of the queue manager, if created by the RACDCERT command, is created with a certificate type user ID that is also the same as the ssidCHIN user ID.
- The channel initiator is recycled, or the command REFRESH SECURITY TYPE(SSL) is issued, to pick up any changes you make to the key ring.
- The IBM® MQ Channel Initiator procedure has access to the system SSL runtime library pdsname.SIEALNKE through the link list, LPA, or a STEPLIB DD statement. This library must be APF-authorized.
- The user ID under whose authority the channel initiator is running is configured to use z/OS UNIX System Services (z/OS UNIX), as described in the z/OS UNIX System Services Planning
documentation.
Users who do not want the channel initiator to invoke z/OS UNIX using the guest/default UID and OMVS segment, need only model a new OMVS segment based on the default segment as the channel initiator requires no special permissions, and does not run within UNIX as a superuser.
See Giving the channel initiator the correct access rights on z/OS for some example commands.