How do we assign userids and OMVS profiles to the system level started task IOSAS?

Document ID : KB000035695
Last Modified Date : 14/02/2018
Show Technical Document Details

Problem:

We just upgraded to z/OS 2.1.  During the initial IPL, IOSAS would not start, getting error message:

IOS628E ENCRYPTION ON DEVICE 0540 HAS FAILED DUE TO OMVS SEGMENT FAILURE FOR IOSAS.

What do we need to do for IOSAS to get this started.

 

Environment:

z/OS 2.1

 

Cause:

With z/OS 2.1, IBM removed the use of default OMVS profiles for UID and GID.   Since IOSAS now uses OMVS, a profile record is needed.

 

Additional Information:

With z/OS 1.13, IOSAS picked up the default OMVS profile record.  Since IOSAS is a started task that starts before ACF2, a special ptf is needed on ACF2 r15, RO68280.  If you have already removed the defaults on z/OS 1.13, you will need to define the logonid and OMVS profile record, and also apply RO68280.  This is not supported pre-release 15, and no special maintenance is needed post-release 15. 

A logonid record and an OMVS profile record will be needed.   Per IBM document OA23893, the following is needed:

>Add an OMVS segment for IOSAS (IOS address space). OMVS segment is for TCP/IP connectivity only and UID(0) or superuser ability is not required.

>In CA-ACF2 Security for z/OS authorization, issue:

    " TSO ACF
       INSERT IOSAS NAME(IOSAS ID) UID(xxxx) HOME(/)"

>IBM recommends (as per your security product) that IOSAS be setup as a TRUSTED address space in order for IOSAS to automatically set IOSBLKS=31.

 

Resolution:

Insert a logonid for IOSAS:

TSO ACF

SET LID

INSERT IOSAS NAME(IOSAS ID) STC NON-CNCL HOME(/) UID(xxxx)

Per IBM, superuser is not needed.  Pick a valid UID for your site.  NON-CNCL is the RACF equivalent of "TRUSTED".