No private key when trying to establish an SSL connection with AT-TLS

Article ID: 187427

Products

Top Secret Top Secret - LDAP WEB ADMINISTRATOR FOR TOP SECRET

Issue/Introduction

OpenSSL (on the client side) is returning the following error:

error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

 

And AT-TLS (on the server side) is returning this error:

Mar 20 21:50:15 USI29CME TTLS[50331670]: 17:50:15 TCPIPTLS EZD1284I TTLS Flow  GRPID: 00000002 ENVID: 0000000B CONNID: 00000C7C  RC:  428 Call GSK_SECURE_SOCKET_INIT - 00000050167227F0

Mar 20 21:50:15 USI29CME TTLS[50331670]: 17:50:15 TCPIPTLS EZD1283I TTLS Event GRPID: 00000002 ENVID: 0000000B CONNID: 00000C7C  RC:  428 Initial Handshake 0000000000000000 0000005016721C10 0000000000000000   

Listing of the keyrings:

KEYRING =  SRVRING         ACCESSORID = USERA                            

    ADMIN BY= BY(MASTER  )    SMFID(SYSA)   ON(03/24/2020)  AT(10:07:37)     
 KEYRING LABEL = SRVRING                                                    
 KEYRING HAS THE FOLLOWING CERTIFICATES CONNECTED:                           
   ACID(CERTAUTH)  DIGICERT(CLIAUTH)  DEFAULT(NO )  USAGE(PERSONAL)         
   LABLCERT(CLIAUTH                        )                                
   ACID(CERTSITE)  DIGICERT(CLICERT)  DEFAULT(NO )  USAGE(PERSONAL)         
   LABLCERT(CLICERT                        )                                
   ACID(CERTAUTH)  DIGICERT(SRVAUTH)  DEFAULT(NO )  USAGE(PERSONAL)         
   LABLCERT(SRVAUTH                        )                                
   ACID(CERTSITE)  DIGICERT(SRVCERT)  DEFAULT(YES)  USAGE(CERTSITE)         
   LABLCERT(SRVCERT                        )    

  

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

RC 428 indicates that the "Key entry does not contain a private key."                             

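Certificates owned by CERTSITE should have USAGE(PERSONAL), and certificates owned by CERTAUTH should have USAGE(CERTAUTH). In the listing above, SRVCERT (the default certificate, owned by CERTSITE) has USAGE(CERTSITE), and the CERTAUTH-owned certificates CLIAUTH and SRVAUTH have USAGE(PERSONAL).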

Example:

KEYRING =  SRVRING         ACCESSORID = USERA                        
   ADMIN BY= BY(MASTER  )    SMFID(SYSA)   ON(03/26/2020)  AT(17:06:53)  
KEYRING LABEL = SRVRING                                                 
KEYRING HAS THE FOLLOWING CERTIFICATES CONNECTED:                        
  ACID(CERTAUTH)  DIGICERT(CLIAUTH)  DEFAULT(NO )  USAGE(CERTAUTH)      
  LABLCERT(CLIAUTH                        )                             
  ACID(CERTSITE)  DIGICERT(CLICERT)  DEFAULT(NO )  USAGE(PERSONAL)      
  LABLCERT(CLICERT                        )                             
  ACID(CERTAUTH)  DIGICERT(SRVAUTH)  DEFAULT(NO )  USAGE(CERTAUTH)      
  LABLCERT(SRVAUTH                        )                             
  ACID(CERTSITE)  DIGICERT(SRVCERT)  DEFAULT(YES)  USAGE(PERSONAL)      
  LABLCERT(SRVCERT                        )                             
TSS0300I  LIST     FUNCTION SUCCESSFUL                                   
READY                                                                    
END
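
One way to check a keyring listing against the USAGE rule in the Resolution, as an added example (not part of the original article or of the product): the Python script below parses the listing format shown above and reports each connected certificate whose USAGE does not match its owner. The function names and the EXPECTED_USAGE table are assumptions made for this example; the sample input is the failing listing from the Issue section with the LABLCERT lines omitted.

```python
import re

# Rule from the Resolution: the USAGE expected for each owning ACID.
EXPECTED_USAGE = {"CERTSITE": "PERSONAL", "CERTAUTH": "CERTAUTH"}

RING = re.compile(r"KEYRING\s*=\s*(\S+)\s+ACCESSORID")
ENTRY = re.compile(
    r"ACID\((?P<acid>[^)]*)\)\s+DIGICERT\((?P<digicert>[^)]*)\)\s+"
    r"DEFAULT\((?P<default>[^)]*)\)\s+USAGE\((?P<usage>[^)]*)\)"
)

# The failing listing from the Issue section (LABLCERT lines omitted).
FAILING = """\
KEYRING =  SRVRING         ACCESSORID = USERA
   ACID(CERTAUTH)  DIGICERT(CLIAUTH)  DEFAULT(NO )  USAGE(PERSONAL)
   ACID(CERTSITE)  DIGICERT(CLICERT)  DEFAULT(NO )  USAGE(PERSONAL)
   ACID(CERTAUTH)  DIGICERT(SRVAUTH)  DEFAULT(NO )  USAGE(PERSONAL)
   ACID(CERTSITE)  DIGICERT(SRVCERT)  DEFAULT(YES)  USAGE(CERTSITE)
"""


def parse_keyring_listing(text):
    """Return one dict per certificate connected to a keyring."""
    entries, ring = [], None
    for line in text.splitlines():
        ring_match = RING.search(line)
        if ring_match:
            ring = ring_match.group(1)  # remember which keyring follows
            continue
        entry_match = ENTRY.search(line)
        if entry_match:
            entry = {k: v.strip() for k, v in entry_match.groupdict().items()}
            entry["ring"] = ring
            entry["default"] = entry["default"] == "YES"
            entries.append(entry)
    return entries


def usage_findings(entries):
    """Return (ring, digicert, owner, actual, expected) per mismatch."""
    findings = []
    for e in entries:
        expected = EXPECTED_USAGE.get(e["acid"])  # owners not in the rule are skipped
        if expected is not None and e["usage"] != expected:
            findings.append((e["ring"], e["digicert"], e["acid"], e["usage"], expected))
    return findings


if __name__ == "__main__":
    for ring, cert, owner, actual, expected in usage_findings(parse_keyring_listing(FAILING)):
        print(f"{ring}: {cert} owned by {owner} has USAGE({actual}), expected USAGE({expected})")
```

Run against the corrected listing in the Resolution, the same check reports no mismatches.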