Re: Help configuring GDKUTIL on system with no crypto processor

Fri, 20 Feb 2026 10:33:20 -0800 

Thank  you Andrew for the reply...

I've gotten past the error with the "allow-no-CEX" configuration...I think the 
issue was that even though the "config.json" file was EBCDIC, it had a file tag 
saying it was ASCII. I deleted and recreated the file from scratch and it seems 
to honor the "allow-no-CEX" setting now. 

What I'm currently stuck on is how to transform the credentials I get from a 
Google service account JSON file to whatever GDKUTIL CREDENTIALS(ADD) requires. 
My service account JSON file (*service.account.json") is a straight download 
from Google's IAM service, and it looks like this:

{
  "type": "service_account",
  "project_id": "xxxxx",
  "private_key_id": "xxxxx",
  "private_key": "-----BEGIN PRIVATE KEY----/nMIIEvgIBADANB...\n-----END 
PRIVATE KEY-----\n",
  "client_email": "xxxxx",
  "client_id": "xxxxx",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth";,
  "token_uri": "https://oauth2.googleapis.com/token";,
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs";,
  "client_x509_cert_url": 
"https://www.googleapis.com/robot/v1/metadata/x509/...";,
  "universe_domain": "googleapis.com"
} 

If I run GDKUTIL CREDENTIALS(ADD) with //CREDSNAM pointing to the file above, I 
get an entry in the gskkeyf.json file for the user/provider, but no actual 
credentials.  In the example you provided in the doc, the GDKUTIL input just 
shows a filename, but not the contents of the file or how it was derived from 
the Google service account credentials. I wrote a simple  GDKKEYAD program in 
hopes of maybe getting some more granular debugging information, but I don't 
see anything that tells me what you're looking for in the Google service 
account JSON file. 

By comparison, I have AWS working, and what I see in the S3 entry within the 
gskkeyf.json file has what looks like an encrypted "key" and "secretKey". I 
have nothing like this for my GCP credentials after running GDKUTIL. It seems 
to suggest that you parsed the Google JSON file, didn't find what you're 
looking for, then stored an "empty" set of credentials. 

If it's any help, I'm on z/OS 3.1 and GDKUTIL is at UJ97023. 

Thanks again for your help - happy to try anything you can suggest.

Vince

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN

Reply via email to