Additional user ID requirements for TLS on z/OS
This information describes the additional requirements your user ID needs to set up and work with TLS on z/OS.
Ensure that you have all the appropriate High Impact or Pervasive (HIPER) updates on the system.
Ensure that you have set up the following prerequisites:
- The ssidCHIN user ID is defined correctly in RACF, and the ssidCHIN user ID has READ access to the following profiles:
- IRR.DIGTCERT.LIST
- IRR.DIGTCERT.LISTRING
These profiles are defined in the RACF FACILITY class.
- The ssidCHIN user ID is the owner of the key ring.
- The personal certificate of the queue manager, if created by the RACDCERT command, is created under a user ID (the ID operand of RACDCERT) that is the same as the ssidCHIN user ID.
- The channel initiator is recycled, or the command REFRESH SECURITY TYPE(SSL) is issued, to pick up any changes you make to the key ring.
- The IBM MQ Channel Initiator procedure has access to the system SSL runtime library pdsname.SIEALNKE through the link list, LPA, or a STEPLIB DD statement. This library must be APF-authorized. If you use a STEPLIB DD statement, every library in the concatenation must be APF-authorized, because a single unauthorized library makes the whole STEPLIB concatenation unauthorized.
- The user ID under whose authority the channel initiator is running is configured to use UNIX System Services (USS), as described in the z/OS UNIX System Services Planning documentation.
If you do not want the channel initiator to invoke UNIX System Services using the guest (default) UID and OMVS segment, model a new OMVS segment on the default segment. The channel initiator requires no special permissions and does not run within UNIX as a superuser, so the new segment does not need UID(0).
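The following batch job is an added example, not from the IBM documentation, that carries the prerequisites above through in one place: the two FACILITY profile permissions, a key ring owned by the ssidCHIN user ID, a personal certificate created under that same user ID, verification commands, and the REFRESH SECURITY TYPE(SSL) that makes the running channel initiator pick up the ring. All names are assumptions: queue manager QM1, channel initiator user ID QM1CHIN (the ssidCHIN user ID), key ring QM1RING, an existing CERTAUTH certificate labelled MYCA, the certificate label ibmWebSphereMQQM1, and thlqual as the IBM MQ library high-level qualifier. The job must run under a RACF administrator user ID that is authorized to issue RACDCERT for another user.

```jcl
//MQTLSSET JOB (ACCT),'MQ CHIN TLS SETUP',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//*----------------------------------------------------------------*
//* Added example; not from the IBM documentation. Assumed names:  *
//* queue manager QM1, channel initiator user ID QM1CHIN (the      *
//* ssidCHIN user ID), key ring QM1RING, and an existing CERTAUTH  *
//* certificate labelled 'MYCA'. Submit under a RACF administrator  *
//* user ID that is authorized to issue RACDCERT.                   *
//*----------------------------------------------------------------*
//* Step 1: READ access for the channel initiator user ID to the    *
//* two FACILITY class profiles that gate listing certificates and  *
//* key rings.                                                       *
//*----------------------------------------------------------------*
//FACILITY EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE FACILITY IRR.DIGTCERT.LIST     UACC(NONE)
  RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
  PERMIT IRR.DIGTCERT.LIST     CLASS(FACILITY) ID(QM1CHIN) ACCESS(READ)
  PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(QM1CHIN) ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
/*
//*----------------------------------------------------------------*
//* Step 2: key ring owned by QM1CHIN and personal certificate      *
//* created under the same user ID (the ID() operand of RACDCERT),  *
//* signed by the assumed CA. Both are connected to the ring; the   *
//* personal certificate is the ring default.                       *
//*----------------------------------------------------------------*
//KEYRING  EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT ID(QM1CHIN) ADDRING(QM1RING)
  RACDCERT ID(QM1CHIN) GENCERT                               +
     SUBJECTSDN(CN('QM1') O('EXAMPLE') C('US'))              +
     WITHLABEL('ibmWebSphereMQQM1') SIZE(2048)               +
     SIGNWITH(CERTAUTH LABEL('MYCA'))
  RACDCERT ID(QM1CHIN) CONNECT(CERTAUTH LABEL('MYCA')        +
     RING(QM1RING) USAGE(CERTAUTH))
  RACDCERT ID(QM1CHIN) CONNECT(ID(QM1CHIN)                   +
     LABEL('ibmWebSphereMQQM1') RING(QM1RING)                +
     DEFAULT USAGE(PERSONAL))
/*
//*----------------------------------------------------------------*
//* Step 3: checks. Who holds access to the two profiles, what is   *
//* on the ring, and that QM1CHIN has an OMVS segment for UNIX      *
//* System Services (it must not need UID(0)).                      *
//*----------------------------------------------------------------*
//VERIFY   EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RLIST FACILITY IRR.DIGTCERT.LIST     AUTHUSER
  RLIST FACILITY IRR.DIGTCERT.LISTRING AUTHUSER
  RACDCERT ID(QM1CHIN) LISTRING(QM1RING)
  LISTUSER QM1CHIN OMVS NORACF
/*
//*----------------------------------------------------------------*
//* Step 4: point the queue manager at the ring and label, then     *
//* refresh TLS security so a running channel initiator picks up    *
//* the ring without a recycle. thlqual is the IBM MQ library       *
//* high-level qualifier on your system (assumed).                  *
//*----------------------------------------------------------------*
//MQSC     EXEC PGM=CSQUTIL,PARM='QM1'
//STEPLIB  DD DISP=SHR,DSN=thlqual.SCSQANLE
//         DD DISP=SHR,DSN=thlqual.SCSQAUTH
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  COMMAND DDNAME(CMDINP)
/*
//CMDINP   DD *
  ALTER QMGR SSLKEYR(QM1RING) CERTLABL('ibmWebSphereMQQM1')
  REFRESH SECURITY TYPE(SSL)
  DISPLAY QMGR SSLKEYR CERTLABL
/*
```

The RLIST output from step 3 should show QM1CHIN with READ on both profiles and nothing wider; LISTRING should show the CA certificate with usage CERTAUTH and the personal certificate marked as the default with usage PERSONAL; LISTUSER should show an OMVS segment whose UID is not 0. Only after those three checks pass is the REFRESH SECURITY TYPE(SSL) in step 4 worth issuing, because the channel initiator rereads the ring at refresh time and any gap in the RACF setup surfaces there as a channel start failure rather than at job end.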
Parent topic: Work with SSL/TLS on z/OS