Re: Just got a "(GSKit) Access to the key database is not allowed." exception.

[Scott Klement <sk@xxxxxxxxxxxxxxxx>]

On 1/17/2012 1:01 PM, James Lampert wrote:
> Would anybody know what would cause a "(GSKit) Access to the key
> database is not allowed." exception to be thrown?

In my experience, it means that the user running the program doesn't 
have access to the key database.

>
> At this point, I don't know where it happened in my code, except that
> the DSPLY statement the job is currently stopped at is in code that was
> cribbed from Example 9.
>

It looks like one of the messages from HTTPAPI.  The operating system 
actually returns the string "Access to the key database is not 
allowed.", and HTTPAPI prepends the (GSKit) so we have a little more 
context.

In order for a TLS/SSL session to established, cryptography needs to be 
done.  In order to do that cryptography, HTTPAPI calls a set of routines 
in the operating system known as the "Global Secure Toolkit" (or, GSKit 
for short.)

The OS routines, by default, store crypto keys in the 
/QIBM/UserData/ICSS/CERT/SERVER directory of the IFS.  The names of the 
objects in that directory are DEFAULT.KDB and DEFAULT.RDB.

If the user doesn't have authority to read those files, then they can't 
load keys and therefore can't do any SSL.

The README member included with HTTPAPI describes this, and describes 
the process of granting authority.

-SK
-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------