ESMPROC failing after IPL with CC=100. ZosCertificateService
Article ID: 128385
Updated On:
Products
CA CIS
CA Common Services for z/OS
CA 90s Services
CA Database Management Solutions for DB2 for z/OS
CA Common Product Services Component
CA Common Services
CA Datacom/AD
CA ecoMeter Server Component FOC
CA Easytrieve Report Generator for Common Services
CA Infocai Maintenance
CA IPC
Unicenter CA-JCLCheck Common Component
CA Mainframe VM Product Manager
CA Chorus Software Manager
CA On Demand Portal
CA Service Desk Manager - Unified Self Service
CA PAM Client for Linux for zSeries
CA Mainframe Connector for Linux on System z
CA Graphical Management Interface
CA Web Administrator for Top Secret
CA CA- Xpertware
CA Compress Data Compression for MVS
CA Compress Data Compression for Fujitsu
Issue/Introduction
ESMPROC is failing with a CC=100 due to keyring alias issues. In Java logs for ESMSERV can see lines like the following during startup:
Further information can be added to the logs if the SSL HANDSHAKE debugging option is turned on in &CAI..CAW0OPTV(ESMENV)
# Enable SSL debugging in the ESm Microservice
# Uncomment only as directed by Support
# Warning: This will generate a lot of output into the log
IJO="$IJO -Djavax.net.debug=ssl:handshake:verbose" <--- uncomment this line
12:46:50.346 [main] DEBUG com.ca.esm.services.ZosCertificateService - loadServerKeyPair() - Key Alias: ESMALIAS
12:46:50.346 [main] ERROR com.ca.esm.services.ZosCertificateService - loadServerKeyPair() - Problem Reading Certificate from Key
ring. Make sure you supplied the Key Alias with the right value! {}
Further information can be added to the logs if the SSL HANDSHAKE debugging option is turned on in &CAI..CAW0OPTV(ESMENV)
# Enable SSL debugging in the ESm Microservice
# Uncomment only as directed by Support
# Warning: This will generate a lot of output into the log
IJO="$IJO -Djavax.net.debug=ssl:handshake:verbose" <--- uncomment this line
Cause
ESMENV file is not using the proper ALIAS name for the keyring attached to the proc that houses the certificates. CA ACF2 cannot find the proper keyring with the certificates for the ESMSERV proc by this alias name.
Environment
CA ACF2
Resolution
For the ALIAS value in &CAI..CAW0OPTV(ESMENV), specify the LABEL value of the server certificate used in the GENCERT command. If no LABEL is provided on the GENCERT command, ACF2 defaults to the record ID used in the GENCERT command.
For example, the GENCERT might be:
GENCERT ESMSERV.ESMSERVR SIGNWITH(CERTAUTH LABEL(CERTAUTH.ESMMICRO)) -
SUBJ(CN='hostname.company.com' OU='Business Unit' -
O='Company Inc.' L='City' ST=\ST -
EMAIL='[email protected]') -
EXPIRE(8/13/21) LABEL(ESMSERV.ESMSERVR)
So, in this case, the alias is "ESMSERV.ESMSERVR" due to the LABEL.
Update the ESMENV member as follows:
Change => IJO="$IJO -Dserver.ssl.key-alias=\"ESMALIAS\""
To => IJO="$IJO -Dserver.ssl.key-alias=\"ESMSERV.ESMALIAS\""
For example, the GENCERT might be:
GENCERT ESMSERV.ESMSERVR SIGNWITH(CERTAUTH LABEL(CERTAUTH.ESMMICRO)) -
SUBJ(CN='hostname.company.com' OU='Business Unit' -
O='Company Inc.' L='City' ST=\ST -
EMAIL='[email protected]') -
EXPIRE(8/13/21) LABEL(ESMSERV.ESMSERVR)
So, in this case, the alias is "ESMSERV.ESMSERVR" due to the LABEL.
Update the ESMENV member as follows:
Change => IJO="$IJO -Dserver.ssl.key-alias=\"ESMALIAS\""
To => IJO="$IJO -Dserver.ssl.key-alias=\"ESMSERV.ESMALIAS\""
Feedback
Powered by
