@Brick, my sympathies. Certificates are a bear, and client certificates are particularly a bear because (a.) they are uncommon and (b.) you have to turn everything around backwards in your head relative to the more common server certificates.
FWIW, I do not think it is a keyring ownership problem but I could be wrong. I would focus on either RACF or gskkyman. They are both capable of doing this. Pick one. gskkyman is often simpler and easier but your corporate security folks might be happier with RACF. May I clarify? You are trying to connect to JP Morgan. You are the client and they are the server. They have a requirement for client certificates. Do I have that right? Have they told you exactly what certificate they expect? Not just "not self-signed" but rather "it must be a ______ (something) certificate" and most importantly "issued by XXX or YYY" (say, Verisign or Comodo)? IIRC the protocol correctly there is a provision for the server to specify what certificate (by name? I have forgotten) it wants. Did they tell you anything like that? Not looking at your problem but starting from scratch, what you will need is 1. A certificate that meets their standards, in a gskkyman database or on a RACF keyring, TRUSTed, usage PERSONAL. 2. I believe that to accomplish that you will need to first install that certificate's root and intermediates. You should put them on the keyring, TRUSTed, usage CERTAUTH. You need the Intermediate(s) for sure because SystemSSL will have to send them with the client certificate. What error are they seeing on their end? Have you tried a GSK trace of your application? Let me know if you could use a "GSK trace cheat sheet." Good luck! Charles On Tue, 26 Aug 2025 18:27:06 +0000, Jones, Brick T <[email protected]> wrote: >Hi folks, > First time poster; thanks for your forbearance, and for your input if > possible. > > We are on z/OS 2.5 and I am trying to add PAGENT/TTLS configurations to > support outbound/Client TLS(https) calls requiring Client Authentication > (MutualTLS/MTLS/two-way SSL). We successfully support similar calls in > PAGENT with things like a pki database holding trusted CA certs, and > SNI-required configs for sites using cloudflare, etc., but have not had this > requirement for client authentication before. > > The error we are stuck on is: >EZD1284I TTLS Flow GRPID: 00000027 ENVID: 000041B0 CONNID: 0301E51B RC: 7 >Call GSK_SECURE_SOCKET_INIT - 0000005030853750 >EZD1283I TTLS Event GRPID: 00000027 ENVID: 000041B0 CONNID: 0301E51B RC: 7 >Initial Handshake 0000000000000000 00000050308B6800 0000000000000000 >EZD1286I TTLS Error GRPID: 00000027 ENVID: 000041B0 CONNID: 0301E51B LOCAL: >128.83.216.11..46868 REMOTE: 146.143.6.65..443 JOBNAME: ABUTBTJ USERID: DPBTJ >RULE: ConnRuleJPMorganUAT RC: 7 Initial Handshake 0000000000000000 >00000050308B6800 0000000000000000 ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
