configuring AT-TLS encrypted connection from the mainframe ( client ) to a Linux server.
The linux server is currently configured to use CIPHERS that have not been used before and they require ICSF access. Rules are in place for all callable services
including CSFPGKP CSFSERV resource CSF1GKP.
a portion of a GSK TRACE is below
xxxx MESSAGE 00000004 18:32:08.470434 SSL_ERROR
Job TCPIP Process 0001030A Thread 00000003 crypto_ec_token_generate_key_pair
ICSF service failure: CSFPGKP retCode = 0x8, rsnCode = 0x3e88
xxxx MESSAGE 00000004 18:32:08.470443 SSL_ERROR
Job TCPIP Process 0001030A Thread 00000003 send_v3_client_messages
Unable to generate ECDH key pair: Error 0x03353084
Release : 16.0
Component : CA ACF2 for z/OS
There is a CRYPTO class validation for resource CLEARKEY.SYSTOK-SESSION-ONLY
that needs to allow access to all users for some SSL callable services.
$KEY(CLEARKEY) TYPE(CRY)
SYSTOK-SESSION-ONLY UID(*) SERVICE(READ) ALLOW
without this rule in place, ACF2 would protect the resource by default and would not allow access - thus causing potential problems as described below.
The following statement is in IBM doc
The CLEARKEY.token-name resource within the CRYPTOZ class controls the ICSF
policy for creating a clear key versus a secure key.
When the resource is defined and set to NONE, System SSL's usage of the PKCS #11
callable services to generate keys is restricted to secure keys only.
This causes functions within System SSL to fail.
System SSL uses both explicit tokens and the SYSTOK-SESSION-ONLY omnipresent token.
The following are examples that can fail in this environment in System SSL:
The gskkyman utility or CMS APIs that create ECC or DH (FIPS mode) keys or certificates.
Ephemeral ECDH and Ephemeral DH key exchanges during a SSL/TLS handshake.