TCPIP with MULESOFT gets error message gsk_get_local_certificates Record 'SITECERT.MULESFTB' does not have a private key


Article ID: 196716


Products

CA ACF2

CA ACF2 - MISC

CA ACF2 - z/OS

Issue/Introduction

Handshake failure messages seen in the component trace:

   BSYS      MESSAGE   00000004  15:42:05.854673  SSL_ERROR
    Job TCPIP     Process 000002D4  Thread 00000004  gsk_get_local_certificates
    Record 'SITECERT.MULESFTB' does not have a private key
 
   BSYS      MESSAGE   00000004  15:42:05.854708  SSL_ERROR
    Job TCPIP     Process 000002D4  Thread 00000004  send_v3_server_messages
    Unable to obtain server certificates: Error 428

Commands were issued to validate the certificate data and showed that SITECERT.MULESFTB did in fact have a private key:

SET PROFILE(USER) DIV(CERTDATA)
CHK SITECERT.MULESFTB CHAIN

 

Cause

These messages are seen when access to the FACILITY class resource IRR.DIGTCERT.GENCERT SERVICE(DELETE) is denied at TCPIP IPL. This renders the private key of the keyring SITECERT.MULESFTB unavailable to TCPIP.

Environment

ACF2 R16.0 

TCPIP 

DB2 

Resolution

The details of the RACROUTE call that results in the 'Record SITECERT.keyring does not have a private key' message must be exposed. Although the TCPIP STC issued the RACROUTE call, it did not use its own LID. A temporary rule change was added to give UID(*) access to the FACILITY class resource IRR.DIGTCERT.GENCERT and log the access. The ACFRPTRV report showed that TCPIP was issuing the RACROUTE call using the LID of (in this case) the associated DB2 address space.
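
The following Python code is an added example, not part of the original article or of any vendor tooling. It parses component trace entries in the layout shown under Issue/Introduction and pairs each 'does not have a private key' entry with a later Error 428 from the same job and thread, so a trace can be triaged for this symptom before access to IRR.DIGTCERT.GENCERT is checked. The entry layout is an assumption inferred from the two entries in this article, and the function and field names are hypothetical.

```python
import re

# Trace entries copied from this article's component trace excerpt.
SAMPLE_TRACE = """\
   BSYS      MESSAGE   00000004  15:42:05.854673  SSL_ERROR
    Job TCPIP     Process 000002D4  Thread 00000004  gsk_get_local_certificates
    Record 'SITECERT.MULESFTB' does not have a private key

   BSYS      MESSAGE   00000004  15:42:05.854708  SSL_ERROR
    Job TCPIP     Process 000002D4  Thread 00000004  send_v3_server_messages
    Unable to obtain server certificates: Error 428
"""

HEADER = re.compile(r"^\s*(?P<system>\S+)\s+MESSAGE\s+(?P<id>[0-9A-F]{8})\s+"
                    r"(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<category>\S+)\s*$")
CONTEXT = re.compile(r"^\s*Job\s+(?P<job>\S+)\s+Process\s+(?P<process>[0-9A-F]+)\s+"
                     r"Thread\s+(?P<thread>[0-9A-F]+)\s+(?P<function>\S+)\s*$")
NO_KEY = re.compile(r"Record '(?P<label>[^']+)' does not have a private key")


def parse_entries(text):
    """Split a trace into entries: header line, Job/Process/Thread line, message text."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = dict(m.groupdict(), text="")
            entries.append(current)
        elif current is not None and line.strip():
            m = CONTEXT.match(line)
            if m and "job" not in current:
                current.update(m.groupdict())
            else:
                current["text"] = (current["text"] + " " + line.strip()).strip()
    return entries


def private_key_failures(entries):
    """Report each 'no private key' record and whether an Error 428 followed it."""
    findings = []
    for i, e in enumerate(entries):
        m = NO_KEY.search(e["text"])
        if not m:
            continue
        failed = any((f.get("job"), f.get("thread")) == (e.get("job"), e.get("thread"))
                     and "Error 428" in f["text"] for f in entries[i + 1:])
        findings.append({"label": m["label"], "job": e.get("job"),
                         "time": e["time"], "handshake_failed": failed})
    return findings
```

A finding with `handshake_failed` set identifies the job and certificate label to look for in the ACFRPTRV output, keeping in mind that the RACROUTE call may be logged under a different LID than the job that appears in the trace.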