Handshake failure Messages seen in Component Trace:
BSYS MESSAGE 00000004 15:42:05.854673 SSL_ERROR
Job TCPIP Process 000002D4 Thread 00000004 gsk_get_local_certificates
Record 'SITECERT.MULESFTB' does not have a private key
BSYS MESSAGE 00000004 15:42:05.854708 SSL_ERROR
Job TCPIP Process 000002D4 Thread 00000004 send_v3_server_messages
Unable to obtain server certificates: Error 428
Commands were issued to validate the certificate data and showed that SITECERT.MULESFTB did in fact have a private key:
SET PROFILE(USER) DIV(CERTDATA)
CHK SITECERT.MULESFTB CHAIN
These messages will be seen when access to facility IRR.DIGTCERT.GENCERT SERVICE(DELETE) is denied at TCPIP IPL. This renders the private key of the keyring SITECERT.MULESFTB unavailable to TCPIP.
The details of RACROUTE call that results in the 'Record SITECERT.keyring does not have a private key' message must be exposed. Although the TCPIP STC issued the RACROUTE call, it did not use its own LID. A temporary rule change was added to give UID(*) access to the FACILITY class resource IRR.DIGTCERT.GENCERT and log the access. The ACFRPTRV report showed that TCPIP was issuing the RACROUTE call using LID of (in this case) the associated DB2 address space.