How do I define the keyrings and certificates to CICS? During CICS startup I got error messages DFHXS1218 and DFHPA1909

Document ID : KB000014526
Last Modified Date : 19/04/2018
Question:

When I set up the CICS region to use SSL processing, I used the KEYRING= DFHSIT parameter.
The CICS region failed to start and the following messages were received:
 

DFHXS1218 sysid THE CICS REGION USERID userid IS NOT AUTHORIZED TO ACCESS KEYRING ringname
DFHPA1909 sysid DATA ringname IS INVALID for KEYRING=. RESPECIFY KEYWORD AND DATA

How do I resolve this problem?

Answer:

The parameter KEYRING points to a RINGNAME that is owned by the CICS region Logonid.


For example:

If the CICS region runs under logonid CICS001 and you specified KEYRING=cicsring,
the keyring that CICS looks for at initialization is any keyring that has a record key of
CICS001.xxxxx and a ringname of cicsring.
 

KEYRING / CICS001.RING1 LAST CHANGED BY xxxxxxx ON 05/08/17-10:57 
DEFAULT(CICS001.CERT) RINGNAME(cicsring) 
The following certificates are connected to this key ring: 
CERTDATA record   Label            Usage
---------------   --------------   --------
CERTAUTH.CHAIN    CERTAUTH.CHAIN   CERTAUTH
CERTAUTH.ISSUE    CERTAUTH.ISSUE   CERTAUTH
CERTAUTH.ROOT     CERTAUTH.ROOT    CERTAUTH
CICS001.CERT      CICS001.CERT     PERSONAL

 

This KEYRING would be selected, but it is only accepted if the owner also has read access
to an RDATALIB resource named owner.ringname.LST (in this example the resource would be
CICS001.cicsring.LST).

An example rule:

$KEY(CICS001) TYPE(RDA)
cicsring.LST UID(CICS001) SERVICE(READ) ALLOW

If the region logonid doesn't have access to the resource, the above messages will be issued.
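
The check described above can be scripted when triaging a failed start. The following is an added example, not part of the original document or of any CA/CICS tooling: it parses DFHXS1218 lines, derives the owner.ringname.LST resource, and looks for a matching READ rule in rule text laid out like the example rule. The function names and the sysid CICA are assumptions, and the UID() mask is not evaluated.

```python
import re

# Message layout as quoted on this page: sysid, region userid, ring name.
DFHXS1218 = re.compile(
    r"DFHXS1218\s+(?P<sysid>\S+)\s+THE CICS REGION USERID\s+(?P<userid>\S+)"
    r"\s+IS NOT AUTHORIZED TO ACCESS KEYRING\s+(?P<ring>\S+)")
RULE_KEY = re.compile(r"\$KEY\((?P<key>[^)]+)\)\s+TYPE\((?P<type>[^)]+)\)")
SERVICE = re.compile(r"SERVICE\((?P<svc>[^)]*)\)")

def required_resource(log_line):
    """Return (owner, 'owner.ringname.LST') for a DFHXS1218 line, else None."""
    m = DFHXS1218.search(log_line)
    if not m:
        return None
    return m["userid"], f"{m['userid']}.{m['ring']}.LST"

def rule_grants_read(rule_text, owner, resource):
    """True if rule_text has a TYPE(RDA) rule set keyed on owner whose entry
    for the rest of the resource name ALLOWs SERVICE(READ).
    Assumption: the UID() mask is not evaluated; check it separately."""
    suffix = resource[len(owner) + 1:]            # e.g. cicsring.LST
    in_owner_set = False
    for line in filter(None, (l.strip() for l in rule_text.splitlines())):
        key = RULE_KEY.match(line)
        if key:
            in_owner_set = key["key"] == owner and key["type"] == "RDA"
            continue
        tokens = line.split()
        if in_owner_set and tokens[0] == suffix and "ALLOW" in tokens[1:]:
            svc = SERVICE.search(line)
            if svc and "READ" in svc["svc"].replace(",", " ").split():
                return True
    return False

def triage(log_lines, rule_text):
    """Map each DFHXS1218 line to (resource, already_granted)."""
    out = []
    for line in log_lines:
        need = required_resource(line)
        if need:
            out.append((need[1], rule_grants_read(rule_text, *need)))
    return out

# Constructed sample input: sysid CICA is invented; the rule is the page's.
SAMPLE_LOG = [
    "DFHXS1218 CICA THE CICS REGION USERID CICS001 IS NOT AUTHORIZED TO ACCESS KEYRING cicsring",
    "DFHPA1909 CICA DATA cicsring IS INVALID for KEYRING=. RESPECIFY KEYWORD AND DATA",
]
SAMPLE_RULE = "$KEY(CICS001) TYPE(RDA)\ncicsring.LST UID(CICS001) SERVICE(READ) ALLOW\n"

if __name__ == "__main__":
    for resource, granted in triage(SAMPLE_LOG, SAMPLE_RULE):
        print(resource, "READ rule found" if granted else "READ rule missing")
```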