ITEM: H5852L

DCE error - requested key is not available with Encina PPC Gateway




Question:

Customer is trying to connect CICS/6000 to CICS on a mainframe.  
They have DCE, SNA, and CICS configured.  When the PPC gateway
is started, it fails with the following error:

DCE-SEC-0067 requested key is not available (ox74182e66):ppcgwy
1F trdce_seclogincontextcreatefailed


Response:

This is caused by either no keytab entry for the DCE principal in the 
keytab file or the password keys being out of sync between the keytab 
file and the registry. 

To correct this problem do the following:

- Log in to AIX as root or as the AIX user that owns the keytab file.
- dce_login as cell_admin, or a principal that is a member of the group
  "acct-admin".
- List the contents of the keytab file. The default keytab file is 
  /krb5/v5srvtab. If you need to look at a different keytab file, use the 
  "-f /path/keytab_filename" option with any rgy_edit "kt..." command.

  # rgy_edit
  Current site: registry server at /.../dce_cellname/subsys/dce/sec/master
  rgy_edit=> ktlist

  /.../dce_cellname/hosts/encina/self              1
  /.../dce_cellname/hosts/encina/cds-server                1
  /.../dce_cellname/hosts/encina/cds-server                2
  /.../dce_cellname/gwyn           52
  /.../dce_cellname/cics           1
  /.../dce_cellname/guest          1
  /.../dce_cellname/cell_admin             13
  /.../dce_cellname/cell_admin             14
  /.../dce_cellname/gwyn           53
  /.../dce_cellname/gwyn           51

- In this case, the principal that needs to be re-synced with the registry
  is the "gwyn" principal. First, all except for the last version of the 
  "gwyn" keytab entry should be deleted. For "gwyn" the last version is 
  53. So versions 51 and 52 should be deleted.

  rgy_edit=> ktdelete -p gwyn -v 51
  rgy_edit=> ktdelete -p gwyn -v 52

- Set the keytab's key to the same known password as in the registry. If you
  don't know it, you will first have to reset the password for the
  principal's account in the registry. If it needs to be reset, delete
  the last keytab entry for that principal from the keytab file.

  rgy_edit=> ktadd -p gwyn
  Enter password: enter_gwyn_dce_account_password 
  Re-enter password to verify: enter_gwyn_dce_account_password
  rgy_edit=>

- Set the key value to a more secure random key:

  rgy_edit=> ktadd -p gwyn -r -a

- Exit from rgy_edit

  rgy_edit=> quit
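
The cleanup step above (keep only the highest key version of a principal) can be checked against saved ktlist output before anything is deleted. The script below is an added example, not part of the original item; the helper names are hypothetical, the sample is the ktlist listing from this item embedded as text, and it assumes principals are named relative to the cell as in the ktdelete commands above.

```shell
#!/bin/sh
# Constructed sample: the ktlist output shown above, as captured text.
sample_ktlist() {
cat <<'EOF'
  /.../dce_cellname/hosts/encina/self              1
  /.../dce_cellname/hosts/encina/cds-server                1
  /.../dce_cellname/hosts/encina/cds-server                2
  /.../dce_cellname/gwyn           52
  /.../dce_cellname/cics           1
  /.../dce_cellname/guest          1
  /.../dce_cellname/cell_admin             13
  /.../dce_cellname/cell_admin             14
  /.../dce_cellname/gwyn           53
  /.../dce_cellname/gwyn           51
EOF
}

# key_versions (hypothetical helper): read ktlist output on stdin and print
# "principal version" with the /.../cellname/ prefix stripped. Prompt and
# "Current site" lines are ignored.
key_versions() {
    awk 'NF == 2 && $1 ~ "^/[.][.][.]/" && $2 ~ /^[0-9]+$/ {
        name = $1
        sub("^/[.][.][.]/[^/]+/", "", name)
        print name, $2
    }'
}

# stale_key_cmds PRINCIPAL (hypothetical helper): print one ktdelete command
# per key version of PRINCIPAL except the highest, which the procedure keeps.
stale_key_cmds() {
    key_versions | awk -v want="$1" '
        $1 == want { seen[$2 + 0] = 1; if ($2 + 0 > max) max = $2 + 0 }
        END { for (v = 0; v < max; v++) if (v in seen)
                  printf "ktdelete -p %s -v %d\n", want, v }'
}

# multi_version_principals (hypothetical helper): list principals that hold
# more than one key version, i.e. candidates for the cleanup step.
multi_version_principals() {
    key_versions | awk '{ n[$1]++ } END { for (p in n) if (n[p] > 1) print p }' | sort
}

# Review the generated commands before typing them at the rgy_edit prompt.
sample_ktlist | stale_key_cmds gwyn
```

The same helpers show that cell_admin and hosts/encina/cds-server also carry more than one key version in this listing.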


Support Line: DCE error - requested key is not available with Encina PPC Gateway ITEM: H5852L
Dated: May 1994 Category: N/A
This HTML file was generated 99/06/24~13:30:47