Missing Root Certificate with Connect Direct And Top Secret

Article ID: 15401


Products

Top Secret, Top Secret - LDAP

Issue/Introduction

When using digital certificates with Connect Direct, a missing root certificate condition occurs when establishing an SSL Connect Direct connection. IBM reviewed an SSLTRACE and responded with the following:

Server sent a chain of 3 certs, example.com which was signed by Intermediate cert root1 which was signed by Root cert root2. The issue is an Alert 42 which is occurring because the Root certificate is not in the keyring ‘cdring label’ so we can't authenticate the certificates sent by the server.

The root cert from third party vendor, root2, is not loaded in your Key ring ‘cdring label’.

Work with your Security person to ensure the Root certificate is loaded and try the process again.

Environment

Release: TOPSEC00200-15-Top Secret-Security

Resolution

Add the missing root certificates to the keyring of the Connect Direct started task ACID. For example:

TSS ADD(cdstc) KEYRING(cdring) RINGDATA(CERTAUTH,root1) USAGE(CERTAUTH)
TSS ADD(cdstc) KEYRING(cdring) RINGDATA(CERTAUTH,root2) USAGE(CERTAUTH)

Where:
‘cdstc’ is the Connect Direct Started Task ACID
‘cdring’ is the keyring with label ‘cdring label’
‘root1’ is the intermediate certificate with label ‘root1’ from the error above
‘root2’ is the second root certificate with label ‘root2’ from the error above
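
The following added example (not from this article or from IBM) is a simplified model of the chain check described above, showing which CA certificate still has to be connected to the keyring for a given chain sent by the server. It assumes root2 is self-signed and uses the certificate labels as subject names; signatures, expiry and trust status are not checked, and the function name and sample data are constructed.

```python
# Simplified model of certificate path building against a keyring.
# Constructed sample data; this is not System SSL's actual validation logic.

def missing_ca(sent_chain, ring):
    """Return the CA that must be added to the ring, or None if the chain validates.

    sent_chain: (subject, issuer) pairs sent by the server, leaf first.
    ring:       {subject: issuer} for CERTAUTH certificates connected to the keyring.
    The path must end at a self-signed root that is present in the ring;
    intermediates may come from either the server's chain or the ring.
    """
    known = dict(sent_chain)
    known.update(ring)                  # ring certificates can fill gaps in the chain
    name = sent_chain[0][0]             # start at the server's own certificate
    seen = set()
    while True:
        if name not in known:
            return name                 # issuer certificate is available nowhere
        if name in seen:
            raise ValueError(f"issuer loop at {name!r}")
        seen.add(name)
        issuer = known[name]
        if issuer == name:              # self-signed root: trusted only if in the ring
            return None if name in ring else name
        name = issuer

# Chain from the trace in this article: example.com <- root1 <- root2
SENT = [("example.com", "root1"), ("root1", "root2"), ("root2", "root2")]

RING_BEFORE = {}                                        # root2 not in 'cdring'
RING_ROOT_ONLY = {"root2": "root2"}                     # only the root connected
RING_FIXED = {"root1": "root2", "root2": "root2"}       # after both TSS ADD commands

if __name__ == "__main__":
    print("before fix:        ", missing_ca(SENT, RING_BEFORE))
    print("root2 connected:   ", missing_ca(SENT, RING_ROOT_ONLY))
    # A server that sends only its own certificate needs root1 in the ring too.
    print("leaf only, root2:  ", missing_ca(SENT[:1], RING_ROOT_ONLY))
    print("leaf only, fixed:  ", missing_ca(SENT[:1], RING_FIXED))
```

Connecting both root1 and root2, as the commands above do, keeps validation working even if a partner sends a shorter chain.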