Additional user ID requirements for TLS on z/OS

This information describes the additional requirements your user ID needs to set up and work with TLS on z/OS®.

Ensure that you have applied all the appropriate High Impact or Pervasive (HIPER) updates to your system.

Ensure that you have set up the following prerequisites:

  • The ssidCHIN user ID (the user ID under which the channel initiator started task runs) is defined correctly in RACF®, and has READ access to the following profiles:

    • IRR.DIGTCERT.LIST
    • IRR.DIGTCERT.LISTRING
    These profiles are defined in the RACF FACILITY class.
  • The ssidCHIN user ID is the owner of the key ring.
  • The personal certificate of the queue manager, if created by the RACDCERT command, is created as a user certificate owned by that same ssidCHIN user ID (that is, with RACDCERT ID(ssidCHIN) GENCERT), not under a different user ID.
  • The channel initiator is recycled, or the command REFRESH SECURITY TYPE(SSL) is issued, to pick up any changes you make to the key ring.
  • The IBM MQ Channel Initiator procedure has access to the system SSL runtime library pdsname.SIEALNKE through the link list, LPA, or a STEPLIB DD statement. This library must be APF-authorized.
  • The user ID under whose authority the channel initiator runs is configured to use UNIX System Services (USS), as described in the z/OS UNIX System Services Planning documentation.

    If you do not want the channel initiator to invoke UNIX System Services under the guest/default UID and OMVS segment, you need only model a new OMVS segment on the default segment, because the channel initiator requires no special permissions and does not run within UNIX as a superuser.
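The following batch TSO job is an added example of the prerequisites above expressed as RACF commands; it is not taken from the IBM MQ documentation or product. The names are assumptions: CSQ1CHIN stands in for the ssidCHIN user ID, CSQ1RING for the key ring (which must match the queue manager's SSLKEYR value), the certificate label, distinguished name, expiry date, UID and home directory are placeholders, and the FACILITY class is assumed to be active and RACLISTed. The `+CSQ1` command prefix in the trailing comment is also assumed.

```jcl
//MQTLSRAC JOB (ACCT),'MQ TLS RACF SETUP',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Added example: RACF setup for the channel initiator user ID.
//* Assumed names, replace with your own:
//*   CSQ1CHIN            channel initiator user ID (ssidCHIN)
//*   CSQ1RING            key ring name; set ALTER QMGR SSLKEYR(CSQ1RING)
//*   ibmWebSphereMQCSQ1  label of the queue manager personal certificate
//*
//* Step 1  READ on the two FACILITY profiles the channel initiator
//*         needs to read its own ring and certificates.
//* Step 2  Key ring owned by CSQ1CHIN.
//* Step 3  Queue manager personal certificate generated as a USER
//*         certificate of the same ID (ID(CSQ1CHIN) on GENCERT), not
//*         under another user ID. DN, key size and dates are assumed.
//* Step 4  Connect it to the ring as the default PERSONAL certificate.
//* Step 5  OMVS segment with an ordinary non-zero UID; the channel
//*         initiator does not need UID 0.
//* Step 6  Verification commands: check the PERMITs, the ring contents,
//*         the certificate and the OMVS segment before restarting.
//*
//RACF     EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  RDEFINE FACILITY IRR.DIGTCERT.LIST     UACC(NONE)
  RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
  PERMIT IRR.DIGTCERT.LIST     CLASS(FACILITY) ID(CSQ1CHIN) ACCESS(READ)
  PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(CSQ1CHIN) ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
  RACDCERT ID(CSQ1CHIN) ADDRING(CSQ1RING)
  RACDCERT ID(CSQ1CHIN) GENCERT                                       -
     SUBJECTSDN(CN('CSQ1 queue manager') O('Example Corp') C('GB'))   -
     SIZE(2048)                                                       -
     WITHLABEL('ibmWebSphereMQCSQ1')                                  -
     NOTAFTER(DATE(2027-12-31))
  RACDCERT ID(CSQ1CHIN)                                               -
     CONNECT(ID(CSQ1CHIN) LABEL('ibmWebSphereMQCSQ1')                 -
             RING(CSQ1RING) USAGE(PERSONAL) DEFAULT)
  ALTUSER CSQ1CHIN OMVS(UID(7101) HOME('/u/csq1chin') PROGRAM('/bin/sh'))
  RLIST FACILITY IRR.DIGTCERT.LIST     AUTHUSER
  RLIST FACILITY IRR.DIGTCERT.LISTRING AUTHUSER
  RACDCERT ID(CSQ1CHIN) LISTRING(CSQ1RING)
  RACDCERT ID(CSQ1CHIN) LIST(LABEL('ibmWebSphereMQCSQ1'))
  LISTUSER CSQ1CHIN OMVS NORACF
/*
//*
//* Afterwards, make the channel initiator pick up the ring changes
//* without recycling it (command prefix assumed to be +CSQ1):
//*   +CSQ1 REFRESH SECURITY TYPE(SSL)
```

The RDEFINE commands fail harmlessly if the profiles already exist; the PERMITs are what matter. The LISTRING output should show the certificate with `USAGE(PERSONAL)` and `DEFAULT YES`, and the LISTUSER output should show a UID other than 0. Keep the System SSL library pdsname.SIEALNKE in the link list, LPA or an APF-authorized STEPLIB of the channel initiator procedure; that is a change to the started-task JCL, not to RACF.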