The SSL started task (GSKSRVR) provides sysplex session cache support, dynamic 
trace support, and notification when changing from hardware to software 
cryptography. The SSL started task is an optional component of System SSL and 
does not need to be configured and started in order to use System SSL.

================================================

The default home directory for the SSL started task is /etc/gskssl/server. A 
different home directory can be specified by changing the definition of the 
HOME environment variable in the GSKSRVR procedure. The SSL started task reads 
the envar file in the home directory to set the environment variables. This 
file is a variable-length file where each line consists of a variable name and 
variable value separated by '='. Trailing blanks are removed from the variable 
value. Blank lines and lines beginning with '#' are ignored.

1. Create the home directory for the SSL started task (the default is 
/etc/gskssl/server)

2. Copy the sample envar file (gsksrvr.envar) from /usr/lpp/gskssl/examples/ to 
/etc/gskssl/server/ with a new file name of "envar". By default, the full path 
is /etc/gskssl/server/envar (change the directory name to match the home 
directory created). Modify the LANG, TZ, and NLSPATH values to meet local 
installation requirements. 

3. Copy the sample started procedure from GSK.SGSKSAMP(GSKSRVR) to 
SYS1.PROCLIB(GSKSRVR)
Note: The sample started task procedure routes informational messages, such as 
GSK01001I, to standard out, while error messages, such as GSK01015E, are routed 
to standard error. If you want to route informational and error messages to the 
same place in the job log, change:
// / 1>DD:STDOUT 2>DD:STDERR')
to
// / >DD:STDOUT 2>&1')

4. Create the GSKSRVR user and associate it with the GSKSRVR started procedure. 
Replace 'nnnnnn' in the ADDUSER command with a non-zero value which is not 
assigned to another user.

ADDUSER GSKSRVR DFLTGRP(SYS1) NOPASSWORD OMVS(UID(nnnnnn) PROGRAM(/bin/sh) HOME(/etc/gskssl/server))

RDEFINE STARTED GSKSRVR.** STDATA(USER(GSKSRVR) GROUP(SYS1) TRUSTED)

SETROPTS RACLIST(STARTED) REFRESH

5. Ensure that the pdsename.SIEALNKE and CEE.SCEERUN data sets are 
APF-authorized and are either in the link list concatenation or are specified 
as a STEPLIB for the GSKSRVR procedure.

6. Optionally, set up a message processing exit to automatically start the 
GSKSRVR started task. The GSK.SGSKSAMP(GSKMSGXT) program is a sample message 
processing exit for this purpose. To activate the exit, add this to the 
appropriate MPFLSTxx member in SYS1.PARMLIB:

BPXI004I,SUP(NO),USEREXIT(STARTSSL)

This starts GSKSRVR when OMVS initialization is complete, assuming the GSKMSGXT 
program was linked as STARTSSL and placed in a LNKLST data set.

7. Optionally, set up an automatic restart management (ARM) policy for the 
GSKSRVR started task if the default ARM policy values are not appropriate. The 
element type is SYSSSL and should be assigned to restart level 2. The element 
name is GSKSRVR_sysname. For example, the element name for the GSKSRVR started 
task on system DCESEC4 would be GSKSRVR_DCESEC4. Since the normal operating 
mode is to run the GSKSRVR started task on each system in the sysplex, the 
GSKSRVR started task registers with ARM to be restarted only if the started 
task fails and not if the current system fails. The TERMTYPE parameter of the 
ARM policy can be used to override this registration if you want.

8. If access to the ICSF callable services is protected with CSFSERV class 
profiles on your system, the GSKSRVR user ID might need to be given READ 
authority to call the ICSF CSFIQA and CSFPPRF callable services. These services 
are protected by the CSFIQA and CSFRNG profiles. If these callable services are 
protected with a generic CSF* profile in the CSFSERV class, access can be 
granted by entering:

PERMIT CSF* CLASS(CSFSERV) ID(GSKSRVR) ACCESS(READ)
SETROPTS RACLIST(CSFSERV) REFRESH


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Smith III, Phil (HPE Data Security (Voltage))
Sent: Tuesday, August 22, 2017 2:26 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: GSKSRVR trace

Well, color me stumped yet again. I have no GSKSRVR member in any PROCLIB! What 
am I missing? (Yes, I know, "a GSKSRVR member"...)

From: Smith III, Phil (HPE Data Security (Voltage))
Sent: Saturday, August 19, 2017 5:17 PM
To: ibm-m...@bama.ua.edu
Subject: RE: GSKSRVR trace

Mike Schmutzok wrote:
>I think you have to start the GSKSRVR first before starting the GSK writer. We 
>had to do an SSL trace per IBM's request and the following was the process 
>they gave to us. Note, this was for a CICS trace so your reply may be 
>different.
<snip>
Well, that would certainly make sense, will try it! Thanks.

Assuming it's the answer, I guess my next question is, "What is GSKSRVR?" It 
sounds like it's the System SSL process, but System SSL works without it, so 
that can't be right!

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN
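
The envar format described in the first message of this thread (NAME=VALUE lines, trailing blanks dropped, blank lines and '#' lines ignored) can be checked before the started task is brought up. The following is an added example, not part of the original post or of IBM's samples; treating whitespace-only lines as blank and reporting lines without '=' or repeated names are assumptions of the example, and the sample text is constructed.

```python
REQUIRED = ("LANG", "TZ", "NLSPATH")  # values step 2 says to localize


def parse_envar(text):
    """Return (variables, problems) for the text of an envar file.

    Per the description: NAME=VALUE per line, trailing blanks removed from
    the value, blank lines and lines beginning with '#' ignored.
    Assumptions of this example: whitespace-only lines count as blank, and
    lines without '=' or repeated names are reported rather than accepted.
    """
    variables, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if raw.strip(" \t") == "" or raw.startswith("#"):
            continue
        name, sep, value = raw.partition("=")  # split on the first '=' only
        if not sep or not name.strip():
            problems.append(f"line {lineno}: not NAME=VALUE: {raw!r}")
            continue
        if name in variables:
            problems.append(f"line {lineno}: {name} set more than once")
        variables[name] = value.rstrip(" ")
    return variables, problems


def lint_envar(text, required=REQUIRED):
    """Parse, then flag required variables that are missing or empty."""
    variables, problems = parse_envar(text)
    for name in required:
        if not variables.get(name):
            problems.append(f"{name} is missing or empty")
    return variables, problems


# Constructed sample, not the shipped gsksrvr.envar; values are illustrative.
SAMPLE = (
    "# environment for the SSL started task\n"
    "\n"
    "LANG=En_US.IBM-1047   \n"
    "TZ=EST5EDT\n"
    "GSK_EXAMPLE_FLAG\n"  # hypothetical name, malformed on purpose
    "X=a=b\n"
)

if __name__ == "__main__":
    found, issues = lint_envar(SAMPLE)
    for issue in issues:
        print("PROBLEM:", issue)
```

The function takes already-decoded text, so on z/OS the caller is responsible for reading the file in the code page it was written in.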
