Thank you for the interest in my problem and sorry about the mess, let me try to explain:
The problem that I initially had was to access other user's key ring from HTTP/HTTPS enabler program I wrote:
Maybe I bumped into some of those strange problems caused by the combination of various elements such as "z/OS 3.1 running on z/VM 7.4 with RDATALIB class inactive after a black cat passed chasing a mouse..." :p
Original Message:
Sent: Fri October 10, 2025 01:12 AM
From: Morag Hughson
Subject: RACF: PERMIT IRR.DIGTCERT.LIST & IRR.DIGTCERT.LISTRING to user seems not working
Hi Sergio,
Actually I was asking which RACDCERT command you were issuing. However, it sounds like maybe you were not issuing a RACDCERT command and instead the problem was with the gsk_environment_init call.
I am also slightly confused because at first you told us you have:-
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(TEST) ACCESS(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(TEST) ACCESS(UPDATE)
which didn't work, and now you told us you have:-
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(TEST) ACCESS(CONTROL)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(TEST) ACCESS(CONTROL)
which does work.
Like you, I would expect this:-
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(TEST) ACCESS(UPDATE)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(TEST) ACCESS(UPDATE)
to be what you need, and I am unsure if you have actually tried that combination. From your descriptions in your posts it would seem not, but there is a little uncertainty on my part.
You say that with the ACCESS(CONTROL) permission you are able now to list the keyring and list the certificates in the keyring. Would this be the keyring named "CICSTS61.Server" that you show in the last piece of output? However, you say that the gsk_environment_init run with the same user ID fails with RC 202. I assume you have double checked that the reason for the RC 202 is not something simpler like the keyring name being incorrect. If you showed the command you had been successful in issuing, this would be clear, but we should check all possibilities at this point, just in case. I would expect authorization access failures to be RC 416 [GSK_ERR_PERMISSION_DENIED]; RC 202 [GSK_KEYRING_OPEN_ERROR] suggests something simpler.
Cheers,
Morag
------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com
Original Message:
Sent: Thu October 09, 2025 01:51 PM
From: Sergio Samayoa
Subject: RACF: PERMIT IRR.DIGTCERT.LIST & IRR.DIGTCERT.LISTRING to user seems not working
Hi Morag
Commands:
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(TEST) ACCESS(UPDATE)
SETROPTS GENERIC(FACILITY) REFRESH
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(TEST) ACCESS(UPDATE)
SETROPTS GENERIC(FACILITY) REFRESH
UPDATE:
I gave CONTROL on both and now the user TEST can list both other users' key rings and certificates BUT according to documentation to list other users' key rings you need UPDATE on IRR.DIGTCERT.LISTRING.
The real problem is that I'm using "HTTP/HTTPS enabler" combined with AT-TLS and even with that access level I got permission error:
STC07137 00000090 EZD1287I TTLS Error RC: 202 Environment Init 391
391 00000090 LOCAL: **N/A**
391 00000090 REMOTE: **N/A**
391 00000090 JOBNAME: **N/A** RULE: **N/A**
391 00000090 USERID: TEST GRPID: 0000000A ENVID: 0000000A CONNID: 00000000
STC07137 00000090 EZD1287I TTLS Error RC: 5006 Initial Handshake 392
392 00000090 LOCAL: 204.90.115.161..1132
392 00000090 REMOTE: 18.196.203.159..443
392 00000090 JOBNAME: OLREVT2R RULE: HTTPS
392 00000090 USERID: TEST GRPID: 0000000A ENVID: 0000000A CONNID: 000043BF
STC07137 00000090 BPXF024I (TCPIP) Oct 9 17:43:55 TTLS 67175105 : 12:43:55 TCPIP 393
393 00000090 EZD1284I TTLS Flow GRPID: 0000000A ENVID: 0000000A CONNID: 000043BF
393 00000090 RC: 202 Call GSK_ENVIRONMENT_INIT - 00000050116009A0
STC07137 00000090 BPXF024I (TCPIP) Oct 9 17:43:55 TTLS 67175105 : 12:43:55 TCPIP 394
394 00000090 EZD1283I TTLS Event GRPID: 0000000A ENVID: 0000000A CONNID: 00000000
394 00000090 RC: 202 Environment Init 0000000000000000
STC07137 00000090 BPXF024I (TCPIP) Oct 9 17:43:55 TTLS 67175105 : 12:43:55 TCPIP 395
395 00000090 EZD1282I TTLS Start GRPID: 0000000A ENVID: 0000000A CONNID: 000043BF
395 00000090 Initial Handshake ACTIONS: GrpActOn HTTPS-GrpEnvAct **N/A** HS-Client
395 00000090
From https://www.ibm.com/docs/en/zos/2.5.0?topic=tls-return-codes
202 Environment Init
The key ring cannot be opened because the user does not have permission. Check the following items:
Look at message EZD1281 to verify the user ID being used for this connection and the TTLSEnvironmentAction statement that is mapped to this connection. If you are configuring by using the IBM Configuration Assistant for z/OS® Communications Server, you can specify the key ring on either the AT-TLS: Image Level Settings panel or on each Traffic Descriptor.
Ensure that the correct key ring is specified.
FWIW RDATALIB class is NOT active:
ACTIVE CLASSES = DATASET USER GROUP ACCTNUM ACICSPCT AIMS APPL BCICSPCT
CBIND CCICSCMD CIMS CONSOLE CSFKEYS CSFSERV DASDVOL DCICSDC
DIGTCERT DIGTCRIT DIGTNMAP DIGTRING DIMS DSNR ECICSDCT
EJBROLE FACILITY FCICSFCT FIELD GCICSTRN GCSFKEYS GDASDVOL
GEJBROLE GIMS GSDSF GXCSFKEY GXFACILI GZMFAPLA HCICSFCT
JCICSJCT JESSPOOL KCICSJCT MCICSPPT NCICSPPT OPERCMDS
PCICSPSB PERFGRP PTKTDATA PTKTVAL QCICSPSB RCICSRES RIMS
SCICSTST SDSF SERVAUTH SERVER STARTED SURROGAT TCICSTRN
TIMS TSOAUTH TSOPROC UCICSTST UNIXPRIV VCICSCMD WBEM
WCICSRES XCSFKEY XFACILIT ZMFAPLA ZMFCLOUD ZOWE
The rule is quite simple:
TTLSRule HTTPS
{
  RemotePortRange 443
  Direction Outbound
  TTLSGroupActionRef GrpActOn
  TTLSEnvironmentActionRef HTTPS-GrpEnvAct
}
TTLSEnvironmentAction HTTPS-GrpEnvAct
{
  HandshakeRole Client
  EnvironmentUserInstance 0
  TTLSKeyringParms
  {
    # As today 2025-10-07,
    # such keyring already contains Amazon & Google
    # root and intermediate certs
    Keyring CICSTS61.Server
  }
  # Trace 2
  Trace 61
}
Any other idea?
TIA
------------------------------
Sergio Samayoa
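Added example, not code from the post or from IBM: a small Python triage script that groups the EZD1287I error records quoted above by their message number, pulls out USERID/JOBNAME/RULE/ENVID, annotates RC 202 with the meaning the IBM page gives, and pairs handshake failures with a preceding Environment Init failure on the same ENVID. The sample log is constructed from the lines in the post; the RC_MEANING table and the regexes are my assumptions, and any RC not described on the page is reported as undocumented rather than guessed.

```python
import re

# Constructed sample: the EZD1287I records from the post, plus one EZD1284I
# record (393) to show that non-error continuation lines are ignored.
SAMPLE_LOG = """\
STC07137 00000090 EZD1287I TTLS Error RC: 202 Environment Init 391
391 00000090 LOCAL: **N/A**
391 00000090 REMOTE: **N/A**
391 00000090 JOBNAME: **N/A** RULE: **N/A**
391 00000090 USERID: TEST GRPID: 0000000A ENVID: 0000000A CONNID: 00000000
STC07137 00000090 EZD1287I TTLS Error RC: 5006 Initial Handshake 392
392 00000090 LOCAL: 204.90.115.161..1132
392 00000090 REMOTE: 18.196.203.159..443
392 00000090 JOBNAME: OLREVT2R RULE: HTTPS
392 00000090 USERID: TEST GRPID: 0000000A ENVID: 0000000A CONNID: 000043BF
STC07137 00000090 BPXF024I (TCPIP) Oct 9 17:43:55 TTLS 67175105 : 12:43:55 TCPIP 393
393 00000090 EZD1284I TTLS Flow GRPID: 0000000A ENVID: 0000000A CONNID: 000043BF
"""

# Only RC 202 is explained on the page; everything else is left undocumented.
RC_MEANING = {
    202: "Environment Init: key ring cannot be opened (no permission, or wrong ring name)",
}

HEADER_RE = re.compile(r"EZD1287I TTLS Error RC: (\d+) (.+?) (\d{3})$")
CONT_RE = re.compile(r"^(\d{3}) \S+ (.*)$")
FIELD_RE = re.compile(r"(LOCAL|REMOTE|JOBNAME|RULE|USERID|GRPID|ENVID|CONNID): (\S+)")

def parse_ttls_errors(text):
    """Collect each EZD1287I header with the fields of its numbered continuation lines."""
    events = {}  # message number -> event dict (insertion order preserved)
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            events[m.group(3)] = {"rc": int(m.group(1)), "phase": m.group(2)}
            continue
        m = CONT_RE.match(line)
        if m and m.group(1) in events:  # continuation of a known error record
            for key, val in FIELD_RE.findall(m.group(2)):
                events[m.group(1)][key.lower()] = val
    return list(events.values())

def explain(event):
    """Human-readable meaning of the RC, or an explicit 'undocumented' marker."""
    return RC_MEANING.get(event["rc"], "RC %d (%s): not documented on this page" % (event["rc"], event["phase"]))

def handshake_failures_after_env_init(events):
    """Handshake errors whose ENVID already failed Environment Init (the likely root cause)."""
    failed_envs = {e.get("envid") for e in events if e["phase"] == "Environment Init"}
    return [e for e in events if e["phase"] != "Environment Init" and e.get("envid") in failed_envs]
```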
Original Message:
Sent: Thu October 09, 2025 02:48 AM
From: Morag Hughson
Subject: RACF: PERMIT IRR.DIGTCERT.LIST & IRR.DIGTCERT.LISTRING to user seems not working
Can you show the actual RACDCERT command you are trying (and failing) to issue? Also tell us about the keyring that you specify in the command: does it belong to user ID(TEST) or another user?
It seems an odd mixture that you have granted permission to ID(TEST) to list any keyring, but only list your own certificate.
Cheers,
Morag
------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com
Original Message:
Sent: Mon September 29, 2025 11:21 AM
From: Sergio Samayoa
Subject: RACF: PERMIT IRR.DIGTCERT.LIST & IRR.DIGTCERT.LISTRING to user seems not working
Scenario:
- IRR.RACDCERT.GRANULAR not defined
- IRR.DIGTCERT.LIST with UACC(NONE) in place
- IRR.DIGTCERT.LISTRING with UACC(NONE) in place
- PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(TEST) ACCESS(READ) issued
Can be confirmed with:
RLIST FACILITY (IRR.DIGTCERT.LIST) AUTHUSER
- PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(TEST) ACCESS(UPDATE) issued
Can be confirmed with:
RLIST FACILITY (IRR.DIGTCERT.LISTRING) AUTHUSER
Logging in as the TEST user and issuing RACDCERT LISTRING returns "You are not authorized to issue the RACDCERT command."
Am I missing something?
------------------------------
Sergio Samayoa
------------------------------