We just upgraded to z/OS 2.1. During the initial IPL, IOSAS would not start, getting error message:
IOS628E ENCRYPTION ON DEVICE 0540 HAS FAILED DUE TO OMVS SEGMENT FAILURE FOR IOSAS.
What do we need to do for IOSAS to get this started.
With z/OS 2.1, IBM removed the use of default OMVS profiles for UID and GID. Since IOSAS now uses OMVS, a profile record is needed.
With z/OS 1.13, IOSAS picked up the default OMVS profile record. Since IOSAS is a started task that starts before ACF2, a special ptf is needed on ACF2 r15, RO68280. If you have already removed the defaults on z/OS 1.13, you will need to define the logonid and OMVS profile record, and also apply RO68280. This is not supported pre-release 15, and no special maintenance is needed post-release 15.
A logonid record and an OMVS profile record will be needed. Per IBM document OA23893, the following is needed:
>Add an OMVS segment for IOSAS (IOS address space). OMVS segment is for TCP/IP connectivity only and UID(0) or superuser ability is not required.
>In CA-ACF2 Security for z/OS authorization, issue:
" TSO ACF
INSERT IOSAS NAME(IOSAS ID) UID(xxxx) HOME(/)"
>IBM recommends (as per your security product) that IOSAS be setup as a TRUSTED address space in order for IOSAS to automatically set IOSBLKS=31.
Insert a logonid for IOSAS:
INSERT IOSAS NAME(IOSAS ID) STC NON-CNCL HOME(/) UID(xxxx)
Per IBM, superuser is not needed. Pick a valid UID for your site. NON-CNCL is the RACF equivalent of "TRUSTED".