Thank you both Wendell and Mike.
I am following your recommendations for debugging.

On Wed, Sep 30, 2020 at 9:17 AM Wendell Lovewell <
000001e9c0ee0673-dmarc-requ...@listserv.ua.edu> wrote:

> Hello Roberto.
>
> In RACF-land, I'd look for an ICH message on the console to make sure you
> don't need to PERMIT the client or the server access to the keyring.  I've
> found the gsk trace file to be very helpful--if the security manager
> doesn't tell you via a console message.  Telling PAGENT about the security
> change might also be needed on the side that's failing.
>
> Here is a section of some documentation I wrote up for debugging such
> errors for one of our products:
>
> -----------------------------------------------------------------------------------------------------------------
> (One of the examples:)
> EZD1287I TTLS Error RC:  406 Initial Handshake 477
>   LOCAL: 172.29.127.60..1173
>   REMOTE: 172.29.127.60..5401
>   JOBNAME: MBXWL RULE: MBX_STC_Rule
>
> The RC values are most helpful.  Since there is a policy used for both
> inbound (MBX_CICS_Rule) and outbound (MBX_STC_Rule—note the rules in play
> are also displayed on the console), there will likely be two EZD1287I
> messages displayed if there is a problem.  (Both sides will experience a
> problem.)  You can find an explanation for these in the SC14-7495-30
> Cryptographic Services System Secure Sockets Layer Programming manual,
> currently in chapter 13.
>
> SC27-3651-30 IP Configuration Reference contains the syntax for the AT-TLS
> policy (/etc/pagent_TTLS.conf).
>
> GC27-3652-30 IP Diagnosis Guide may be useful if you are getting GSK
> errors.
>
> SA23-2292-30 Security Server RACF Command Language Reference contains the
> syntax for the RACDCERT instructions.
>
> If you need to see the GKY messages, set the Trace value in the
> TTLSGroupAction parms for both the MBX_CICS_Rule and MBX_STC_Rule to Trace
> 255.  When you upload /etc/pagent_TTLS.conf, the policy agent will
> re-install the policy.
>
> If you make RACF changes to the keyrings, you need to tell the policy
> agent to refresh its settings for them.  You can do this by changing the
> EnvironmentAction value & reloading the pagent_TTLS.conf file.
>
> -----------------------------------------------------------------------------------------------------------------
>
> HTH,
> Wendell
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>


-- 
Politics: Poli (many) - tics (blood sucking parasites)
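
Added example, not part of the original thread or of the product documentation quoted in it: a Python parser for EZD1287I console messages in the layout shown above, which pairs the two sides of a failing connection by their swapped LOCAL/REMOTE endpoints so the inbound and outbound rules can be read together. The second message in the sample, the job name MBXCICS and the function names are constructed for illustration; the RC values still have to be looked up in the System SSL manual.

```python
import re

# Constructed console excerpt. The first message is the one quoted in the
# thread; the second (the inbound side) is constructed for illustration.
SAMPLE = """\
EZD1287I TTLS Error RC:  406 Initial Handshake 477
  LOCAL: 172.29.127.60..1173
  REMOTE: 172.29.127.60..5401
  JOBNAME: MBXWL RULE: MBX_STC_Rule
EZD1287I TTLS Error RC:  406 Initial Handshake 478
  LOCAL: 172.29.127.60..5401
  REMOTE: 172.29.127.60..1173
  JOBNAME: MBXCICS RULE: MBX_CICS_Rule
"""

# The trailing number on the first line is treated as console residue, not data.
HEAD = re.compile(r"EZD1287I TTLS Error RC:\s*(\d+)\s+(.*?)(?:\s+\d+)?\s*$")
FIELD = re.compile(r"\b(LOCAL|REMOTE|JOBNAME|RULE):\s*(\S+)")

def parse_ezd1287i(text):
    """Return one dict per EZD1287I message, including its continuation lines."""
    records, cur = [], None
    for line in text.splitlines():
        m = HEAD.search(line)
        fields = FIELD.findall(line)
        if m:
            cur = {"rc": int(m.group(1)), "event": m.group(2)}
            records.append(cur)
        elif cur is not None and fields:
            cur.update({k.lower(): v for k, v in fields})
        else:
            cur = None  # an unrelated console line ends the current message
    return records

def pair_sides(records):
    """Pair messages whose LOCAL/REMOTE endpoints are each other's mirror."""
    waiting, pairs = {}, []
    for r in records:
        if "local" not in r or "remote" not in r:
            continue
        peer = waiting.pop((r["remote"], r["local"]), None)
        if peer:
            pairs.append((peer, r))
        else:
            waiting[(r["local"], r["remote"])] = r
    return pairs, list(waiting.values())
```

A message left in the unpaired list means only one side logged a failure in the captured window, which narrows where to look first.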
