ACF2 FTP EZA2897I Authentication negotiation failed SAF Keyring not found


Article ID: 143744


Products

CA ACF2, CA ACF2 - DB2 Option, CA ACF2 for zVM, CA ACF2 - z/OS, CA ACF2 - MISC

Issue/Introduction

An FTP transmission to a business partner is now failing with the following messages:

EZA1701I >>> AUTH TLS
234 AUTH TLS successful
EZA2897I Authentication negotiation failed
EZA2898I Unable to successfully negotiate required authentication
EZA1735I Std Return Code = 10234, Error Code = 00017
 
ACF2 OMVS SECTRACE shows R_datalib Function=DataGetFirst RC=8/8:84

Environment

Release : 16.0
Component : CA ACF2 for z/OS

Resolution

The FTP TCPIP.TCPPARMS pointed to the key ring using only the ring name (Keyring ABCDring), but the key ring is owned by another userid/logonid. The FTP SSL job runs under logonid USER001, while the key ring is owned by logonid ABCDFTP:

  KEYRING / ABCDFTP.RING LAST CHANGED BY ABCJ0 ON 01/21/20-08:57
                       DEFAULT() RINGNAME(ABCDring)
   The following certificates are connected to this key ring:
   CERTDATA record    Label                             Usage
   -----------------  --------------------------------  --------
   CERTAUTH.DDDDDDCA  DigiCert Secure Server CA         CERTAUTH
   CERTAUTH.CCCCCERT  IBM SMPE Cert Auth                CERTAUTH
   CERTAUTH.ABCDORG   ABCD.ddd.org                      CERTAUTH

When using a key ring owned by another user, specify the ring name as "userid/ringname". 

To correct the problem:

Change TCPIP.TCPPARMS from:

  Keyring NSLCring

To:

  Keyring ABCDFTP/ABCDring
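
The ownership mismatch described above can be checked before a transfer is attempted. The following Python sketch is an added example, not part of the original article or of any CA or IBM tooling; the function names are hypothetical, the sample listing is constructed from the one shown above, and it assumes the owning logonid is the part of the KEYRING record key before the dot.

```python
import re

# Constructed sample: header lines of the ACF2 KEYRING listing shown in this article.
KEYRING_LISTING = """\
  KEYRING / ABCDFTP.RING LAST CHANGED BY ABCJ0 ON 01/21/20-08:57
                       DEFAULT() RINGNAME(ABCDring)
"""


def parse_keyring_listing(text):
    """Return (owner_logonid, ringname) from an ACF2 KEYRING record listing."""
    # Assumption: the record key is <logonid>.<suffix>, so the owner precedes the dot.
    key = re.search(r"KEYRING\s*/\s*([A-Z0-9#@$]+)\.", text)
    ring = re.search(r"RINGNAME\(([^)]*)\)", text)
    if not key or not ring:
        raise ValueError("not a KEYRING record listing")
    return key.group(1), ring.group(1)


def check_keyring_statement(statement, job_logonid, listing):
    """Check a 'Keyring ...' statement against the ring owner and the job's logonid.

    Returns (ok, recommended_statement).
    """
    owner, ringname = parse_keyring_listing(listing)
    parts = statement.split()
    if len(parts) != 2 or parts[0].upper() != "KEYRING":
        raise ValueError("expected 'Keyring <ringname>' or 'Keyring <userid>/<ringname>'")
    value = parts[1]
    if "/" in value:
        spec_owner, spec_ring = value.split("/", 1)
    else:
        # An unqualified ring name is looked up under the logonid running the FTP job.
        spec_owner, spec_ring = job_logonid, value
    # Logonids are compared case-insensitively; ring names are case-sensitive.
    ok = spec_owner.upper() == owner.upper() and spec_ring == ringname
    return ok, f"Keyring {owner}/{ringname}"


if __name__ == "__main__":
    for stmt in ("Keyring ABCDring", "Keyring ABCDFTP/ABCDring"):
        ok, fix = check_keyring_statement(stmt, "USER001", KEYRING_LISTING)
        print(f"{stmt!r} run as USER001: {'OK' if ok else 'ring not found, use ' + fix!r}")
```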