Automated Sign-On for Mainframe Administrator Guide

2.3 a. Set up initial RACF key ring support. 

Before using RACF to store your key database information, ensure that:

  • the digital certificate and digital key ring (DIGTCERT and DIGTRING) classes are active before defining certificates or key rings to RACF. For example:

    SETROPTS CLASSACT(DIGTCERT DIGTRING) 
  • a refresh is performed after each update or change. For example: 

    SETROPTS RACLIST (DIGTRING DIGTCERT) REFRESH
  • the RACDCERT command is defined as an authorized TSO command in the IKJTSOxx member.

To issue the RACDCERT command, you must have UPDATE or CONTROL access to the IRR.DIGTCERT.function resource in the FACILITY class.

If the DCAS server is started as an MVS started procedure, you must permit the RACF user ID that the procedure runs under to IRR.DIGTCERT.LIST.

If the DCAS server is started from a TSO user ID under the OS/390 UNIX shell, you must also permit that ID. For example:

    RDEFINE FACILITY (IRR.DIGTCERT.function) UACC(NONE)
    PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(dcasid) ACCESS(CONTROL)

where dcasid is the name of the user ID.