
ACF2 R15.0 unable to insert/add CERT. ACF00178 INVALID CERTIFICATE DATA - BUFFER TOO SMALL


Article ID: 200983


Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, LDAP SERVER FOR Z/OS, PAM CLIENT FOR LINUX ON MAINFRAME, WEB ADMINISTRATOR FOR TOP SECRET

Issue/Introduction

Description: The certificate file was uploaded to SSMU.CERT.DODWCF.ROOTCA1.DER. The ACF2 CHKCERT command was able to read the binary certificate from that data set.

CHKCERT COMMAND RESULT:

chkcert dsn('SSMU.CERT.DODWCF.ROOTCA1.der')    
      Data set name:                              
            SSMU.CERT.DODWCF.ROOTCA1.DER  
Serial number:          
    01                                          
Issuer's distinguished name:  
    CN=DoD WCF Root CA 1  
    OU=WCF PKI      
    OU=DoD          
    O=U.S. Government
    C=US            
Subject's distinguished name:
    CN=DoD WCF Root CA 1  
    OU=WCF PKI      
    OU=DoD              
    O=U.S. Government  
    C=US                    

Key Usage:     
   CERTSIGN    


The following commands were issued to add the certificate to ACF2:
 ACF  
 t prof(user) div(certdata)  
PROFILE                      
INSERT CERTAUTH.DDWCFRT1 DSN('SSMU.CERT.DODWCF.ROOTCA1.DER') LABEL(CERTAUTH.DDWCFRT1) HITRUST
ACF00178 INVALID CERTIFICATE DATA - BUFFER TOO SMALL    
PROFILE

The CA error codes documentation specifies a reason field that does not appear in the actual message.

Environment

Release : 15.0

Component : CA ACF2 for z/OS

Resolution

The resolution is to import the PKCS#7 package into Windows and then create two new PKCS#7 packages that do not have any undefined length sequences. The Windows certutil command is used to accomplish this. Here is the process that can be used to (eventually) get the certificates inserted on ACF2.

1) Export the PKCS#7 package from z/OS to Windows in binary. If the PKCS#7 package is already on Windows, you can skip this step.

2) Open a Windows DOS command prompt.

3) Issue the certutil command below, replacing the Windows file name with the name of your PKCS#7 file:

certutil -addstore -user My C:\Users\Downloads\Certificates\TEST.CRT

You should see all 4 certificates in the PKCS#7 package being added to the certificate store. If Windows can't locate the file, check whether an extension was added to the file name. You can "cd" to the directory from the Windows DOS command prompt and then do a "dir" to list the files in the directory.

4) If the "addstore" worked OK, open your Windows Settings. In the "Find a setting" box enter "certificates", then click "Manage user certificates". Double-click the "Personal" folder, then the "Certificates" folder.

5) Next run the certificate export wizard for each of the two personal certificates with the common name and in the issuer name. 

First, double-click on one of the two user certificates. In the "Certificate" window click the "Details" tab, then "Copy to File" to start the export wizard.

When you see the format selection, pick PKCS#7 (P7B) and select "Include all certificates in the certification path if possible".

The window after that will require you to enter the file name of the PKCS#7 export file. Pick a different name for each of the two user certificates. Once the first export completes, go back and repeat the process for the second user certificate.

6) Once both of the personal certificates have been exported, use FTP to do a binary transfer of the two PKCS#7 files from Windows to z/OS.

7) In the ACF command, issue a CHKCERT command against each file. Specify the CHAIN operand of CHKCERT to display all the certificates in the PKCS#7 file.

8) If the CHKCERT looks good then issue your INSERT command to insert the PKCS#7 files.
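
A pre-upload check for the condition this procedure works around, as an added example that is not part of the original article or any Broadcom tooling: it walks the ASN.1 structure of a binary certificate or PKCS#7 file and returns the offset of every element encoded with an indefinite length. It assumes the "undefined length sequences" above are BER indefinite-length encodings (length octet 0x80, closed by 00 00); the function names and sample bytes are constructed for illustration.

```python
# Added example (not Broadcom code): find BER indefinite-length encodings in a binary file.

# Constructed sample bytes: the same small structure in DER and in indefinite-length BER.
SAMPLE_DER = bytes.fromhex("30 06 02 01 01 04 01 aa")
SAMPLE_BER = bytes.fromhex("30 80 02 01 01 a0 80 04 01 aa 00 00 00 00")

def find_indefinite_lengths(data: bytes) -> list[int]:
    """Return the offset of every element whose length octet is 0x80."""
    hits: list[int] = []
    try:
        _walk(data, 0, len(data), hits, False)
    except IndexError:
        raise ValueError("input ends in the middle of a tag or length field")
    return hits

def _walk(data, pos, end, hits, until_eoc):
    """Parse TLVs in data[pos:end]; return the offset just past them."""
    while pos < end:
        start = pos
        if until_eoc and data[pos:pos + 2] == b"\x00\x00":
            return pos + 2                  # end-of-contents closes indefinite form
        tag, pos = data[pos], pos + 1
        if tag & 0x1F == 0x1F:              # high-tag-number form: skip extra tag octets
            while data[pos] & 0x80:
                pos += 1
            pos += 1
        first, pos = data[pos], pos + 1
        constructed = bool(tag & 0x20)
        if first == 0x80:                   # indefinite length, not allowed in DER
            if not constructed:
                raise ValueError(f"primitive element at {start} has indefinite length")
            hits.append(start)
            pos = _walk(data, pos, end, hits, True)
            continue
        length = first
        if first & 0x80:                    # long form: next n octets hold the length
            n = first & 0x7F
            length = int.from_bytes(data[pos:pos + n], "big")
            pos += n
        if pos + length > end:
            raise ValueError(f"element at offset {start} overruns its container")
        if constructed:
            _walk(data, pos, pos + length, hits, False)
        pos += length
    if until_eoc:
        raise ValueError("indefinite-length element has no end-of-contents octets")
    return pos
```

To check a real file, pass its raw bytes (read with `open(path, "rb")`, binary rather than base64 text); an empty list means every length in the file is in definite form.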