RACF only: your userid DPBTJ is not the owner of the Keyring.

On Tue, 26 Aug 2025, 20:27, Jones, Brick T <[email protected]> wrote:
> Hi folks,
> First time poster; thanks for your forbearance, and for your input if possible.
>
> We are on z/OS 2.5 and I am trying to add PAGENT/TTLS configurations to support outbound/Client TLS(https) calls requiring Client Authentication (MutualTLS/MTLS/two-way SSL). We successfully support similar calls in PAGENT with things like a pki database holding trusted CA certs, and SNI-required configs for sites using cloudflare, etc., but have not had this requirement for client authentication before.
>
> The error we are stuck on is:
> EZD1284I TTLS Flow GRPID: 00000027 ENVID: 000041B0 CONNID: 0301E51B RC: 7 Call GSK_SECURE_SOCKET_INIT - 0000005030853750
> EZD1283I TTLS Event GRPID: 00000027 ENVID: 000041B0 CONNID: 0301E51B RC: 7 Initial Handshake 0000000000000000 00000050308B6800 0000000000000000
> EZD1286I TTLS Error GRPID: 00000027 ENVID: 000041B0 CONNID: 0301E51B LOCAL: 128.83.216.11..46868 REMOTE: 146.143.6.65..443 JOBNAME: ABUTBTJ USERID: DPBTJ RULE: ConnRuleJPMorganUAT RC: 7 Initial Handshake 0000000000000000 00000050308B6800 0000000000000000
>
> RC: 7 = “No certificates available.”
> https://www.ibm.com/docs/en/zos/2.5.0?topic=sfrc-1#idg27338
>
> I’ll add more details below, but we have configured the keys and CA-signed certificates both in RACF and in an omvs key database. Both methods currently yield the same RC: 7 result.
>
> We can successfully connect using `openssl` pointing to the relevant key and cert, but not from the client/PAGENT application.
>
> Any insight or pointers will be greatly appreciated. Adding some additional details below.
>
> Thanks,
> Brick Jones
> The University of Texas at Austin
>
> The output of “pasearch -t” suggests the rules for ConnRuleJPMorganUAT should lead to selection of the expected certificate, for which we provided the “Certificate Label” value:
> Keyring: /var/pkiserv/jpmorgan/JPMkeys.kdb
> KeyringStashFile: /var/pkiserv/jpmorgan/JPMkeys.sth
> CertificateLabel: FinAppUAT
>
> When using RACF:
> CertificateLabel FinAppCertUAT
> Keyring DPDBA/AUTRNG
>
> gskkyman tool shows:
>
> Key and Certificate List
> Database: /SYSTEM/var/pkiserv/jpmorgan/JPMkeys.kdb
> 1 - FinAppUAT
>
> and
>
> Certificate Information
> Label: FinAppUAT
> Record ID: 14
> Issuer Record ID: 13
> Trusted: Yes
>
> The key database also has the CA and intermediate certs for both the remote partner and for the client certificate. Per JPMorgan requirements, it is not a self-signed certificate.
>
> Certificate List
> Database: /SYSTEM/var/pkiserv/jpmorgan/JPMkeys.kdb
> 1 - DigiCertGlobalRootG2
> 2 - AAA Certificate Services
> 3 - USERTrust RSA CA
> 4 - InCommon RSA Server CA 2
> 5 - DigiCert EV RSA CA G2
> 6 - JPM Transport UAT
>
> RACF:
> >AUTRNG<
> Certificate Label Name            Cert Owner    USAGE     DEFAULT
> --------------------------------  ------------  --------  -------
> AAA Certificate Services Root     CERTAUTH      CERTAUTH  NO
> LABEL00000002                     CERTAUTH      CERTAUTH  NO
> LABEL00000001                     CERTAUTH      CERTAUTH  NO
> FinAppCertUAT                     ID(DPDBA)     PERSONAL  YES
> DigiCert Global Root G2           CERTAUTH      CERTAUTH  NO
> DigiCert Intermediate Root G2     CERTAUTH      CERTAUTH  NO
> JPMorganCertUAT                   ID(DPDBA)     PERSONAL  NO
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
> ----------------------------------------------------------------------
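As an added example, not part of the thread, here is a small Python check that cross-references the EZD1286I message with the Keyring field from `pasearch -t` to surface exactly the mismatch the reply points at: the connection runs under USERID DPBTJ while the RACF ring is DPDBA/AUTRNG. The sample inputs are constructed from the values quoted in the post, the RC text is the one the poster quoted, and the script only inspects text (it does not query RACF).

```python
import re

# Constructed sample inputs, taken from the values quoted in the post above.
EZD1286I_LINE = (
    "EZD1286I TTLS Error GRPID: 00000027 ENVID: 000041B0 CONNID: 0301E51B "
    "LOCAL: 128.83.216.11..46868 REMOTE: 146.143.6.65..443 JOBNAME: ABUTBTJ "
    "USERID: DPBTJ RULE: ConnRuleJPMorganUAT RC: 7 Initial Handshake"
)
PASEARCH_RACF = "CertificateLabel FinAppCertUAT\nKeyring DPDBA/AUTRNG\n"
PASEARCH_KDB = ("Keyring: /var/pkiserv/jpmorgan/JPMkeys.kdb\n"
                "KeyringStashFile: /var/pkiserv/jpmorgan/JPMkeys.sth\n"
                "CertificateLabel: FinAppUAT\n")

# Only the return code text quoted in the thread; anything else reports as unknown.
GSK_RC_TEXT = {7: "No certificates available."}


def parse_ezd1286i(line):
    """Extract USERID, RULE and RC from an EZD1286I TTLS Error message."""
    m = re.search(r"USERID:\s*(\S+)\s+RULE:\s*(\S+)\s+RC:\s*(\d+)", line)
    if not m:
        raise ValueError("no USERID/RULE/RC fields found in EZD1286I line")
    return {"userid": m.group(1), "rule": m.group(2), "rc": int(m.group(3))}


def parse_keyring(pasearch_text):
    """Return (owner, ring) from the Keyring field of pasearch -t output."""
    # 'Keyring:?' followed by whitespace deliberately skips KeyringStashFile.
    m = re.search(r"^\s*Keyring:?\s+(\S+)", pasearch_text, re.MULTILINE)
    if not m:
        return None, None
    value = m.group(1)
    if value.startswith("/"):          # a key database file, no RACF owner
        return None, value
    owner, _, ring = value.partition("/")   # RACF form: userid/ringname
    return (owner, ring) if ring else (None, owner)


def diagnose(ezd_line, pasearch_text):
    """List findings: the RC meaning, plus a keyring owner/USERID mismatch if any."""
    evt = parse_ezd1286i(ezd_line)
    owner, ring = parse_keyring(pasearch_text)
    findings = [f"rule {evt['rule']}: RC {evt['rc']} = "
                f"{GSK_RC_TEXT.get(evt['rc'], 'unknown return code')}"]
    if owner and owner.upper() != evt["userid"].upper():
        findings.append(f"keyring {owner}/{ring} is owned by {owner}, "
                        f"but the connection runs under USERID {evt['userid']}")
    return findings
```

Running `diagnose(EZD1286I_LINE, PASEARCH_RACF)` reports the owner mismatch; the key database variant reports only the RC text, since a .kdb file has no RACF owner to compare.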
