Have you seen -
https://www.ibm.com/docs/en/zos/3.1.0?topic=configuration-system-administrator-quick-start
My /gdk/config.json -
{
"log-level": "ERROR",
"web-toolkit-logging": false,
"allow-no-CEX":true,
"translation": true
}
Roger
On Thu, 19 Feb 2026 08:17:00 -0600, Vince Re <[email protected]>
wrote:
>I have Google service account credentials in a JSON file that I want to
>configure GDKUTIL to work with, but I can't get it configured. This is on z/OS
>3.1 and GDKUTIL is at UJ97023.
>
>Some of the documentation I've read suggests that with "allow-no-CEX": true in
>the configuration file (~/gdk/config.json), this should work, but I don't seem
>able to get it configured properly - I get "Keyfile doesn't have any entries
>specified for the current user" no matter what I try.
>
>So far, I copied the sample from /usr/lpp/dfsms/gdk/providers/GCP.json to
>~/gdk/providers/GCP.json and changed the obviously missing things in it, like
>the region.
>
>In my ~/gdk/config.json, I have "allow-no-CEX": true. In my ~/gdk/gdkkeyf, I
>have a file like this:
>
>{
> "Credentials": [
> {
> "user": "<username>",
> "provider": "GCP",
> "key_data": {
>
> <copy of the service account JSON file from Google>
> }
>
> }
> ]
>}
>
>I tried running GDKAUTHP (EX ‘SYS1.SAXREXEC(GDKAUTHP)’). It shows the "GCP"
>cloud provider (presumably from my GCP.json file), but the Encryption
>Parameters "Provider" option is blank both on the initial and subsequent
>screen. If I try to save the credentials, I get "Specify all parameters
>please!" as an error message.
>
>I also tried GDKUTIL CREDENTIAL(ADD) PROVIDER(GCP), but it gives me this
>error:
>
>GDKU0101E ERROR DURING CREDENTIALS(ADD) REQUEST. GDKRC=117: The GDKKEYAD
>service was unable to generate a symmetric key
>ERROR: encryptKeys: Unable to generate a key. CSNBKGN rc: 12, rsn:0000
>
>
>I get this error even though I have ICSF running, the CKDS/PKDS initialized,
>and the correct (far as I can tell) RACF options to allow me to do this (there
>are no security violations on the console, at least). That RC 12 seems to be
>saying that GDKUTIL tried something not allowed without a crypto card. I think
>I have the PTF for OA67674 installed properly that's supposed to honor
>"allow-no-CEX", but it doesn't seem to be working for me. GDKUTIL doesn't seem
>to honor the "log-level": "DEBUG" tag in the configuration file, so there's
>little added information.
>
>I verified that all my JSON files are syntactically okay by cutting and
>pasting them into an online JSON parser - no obvious syntax errors. I've also
>tried storing the JSON files in both EBCDIC and ASCII with no difference.
>
>In desperation, I wrote a small C program that calls GDKINIT and GDKWRITE; it
>has the same behavior.
>
>Does anyone maybe have a working GCP example you can share, or any hints at
>all about how to diagnose this?
>
>----------------------------------------------------------------------
>For IBM-MAIN subscribe / signoff / archive access instructions,
>send email to [email protected] with the message: INFO IBM-MAIN
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
