Error: GIM69207S - PKIX path building failed

Article ID: 204684


Products

COMMON SERVICES FOR Z/OS Common Services

Issue/Introduction

I am trying to download maintenance directly to our mainframe and am getting an error when using the SMP/E Receive Order function from Internet Service Retrieval or Create Service Order.

The certificates are set up and the keyring is configured, but the job will not connect to the Broadcom servers.

The SMP/E RECEIVE ORDER job starts and generates the following failure:

GIM68700I    ORDER ORD00003 HAS BEEN SENT TO THE SERVER AT https://eapi.broadcom.com/receiveorder.  
GIM69144I    ORDER ORD00003 IS READY FOR DOWNLOAD.
GIM69207S ** RECEIVE PROCESSING HAS FAILED BECAUSE THE CONNECTION WITH THE SERVER FAILED.
           javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed:
           com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested
           target
GIM20501I    RECEIVE PROCESSING IS COMPLETE. THE HIGHEST RETURN CODE WAS 12.
GIM20502I    SMP/E PROCESSING IS COMPLETE. THE HIGHEST RETURN CODE WAS 12. SMP/E IS AT LEVEL 36.106.

Environment

SMP/E Receive Order (SMP/E Internet Service Retrieval)
Create Service Order

Cause

  • One of the required certificates was not valid and/or not available to the user running the RECEIVE ORDER job
  • Proxy server denying Broadcom URLs
    • rdownloads.broadcom.com (141.202.253.110)
    • eapi.broadcom.com (141.202.0.16)

Resolution

  1. Update Network to add Broadcom URLs to Whitelist / Allow List
  2. Download (or validate) required Certificates as documented here: Obtain the Certificates for CA SMP/E Internet Service Retrieval
  3. Review the specific Security sections for tips on how to debug certificate and keyring issues:
    • ACF2 Security
    • Top Secret Security
    • IBM RACF Security

Additional Information

Use the CHKCERT command to verify that the certificates on the keyring are the right ones.

Each security product (TSS, ACF2, RACF) provides a CHECKCERT command.

Refer to your ESM product documentation for information and details.

Here is some guidance for CA-TSS customers:

Our documentation, Obtain the Certificates for CA SMP/E Internet Service Retrieval, instructs customers to download three certificates.

Verify by doing the following:

  1. Download the three certificates as explained in the documentation.
  2. Upload the three certificates to a dataset. One dataset per certificate. Also explained in the documentation.
  3. Issue a TSS CHKCERT DCDSN(datasetname) against the three datasets

If you do not get a message indicating that the certificates are already on the security file, then you have the wrong certificates.

You will then need to install the new ones and add them to the keyring as described in the documentation.
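
The following Python script is an added example, not Broadcom or IBM code. It triages saved SMP/E job output for the failure shown in the Issue section: it folds the wrapped exception lines back into the GIM69207S message, extracts the server host and highest return code, and lists the checks from the Cause and Resolution sections. The function names `parse_messages` and `triage` are hypothetical, and the sample is the excerpt quoted in this article; it assumes the job output has been saved as plain text.

```python
import re

# Constructed sample: the SMPOUT excerpt quoted in this article.
SAMPLE_SMPOUT = """\
GIM68700I    ORDER ORD00003 HAS BEEN SENT TO THE SERVER AT https://eapi.broadcom.com/receiveorder.
GIM69144I    ORDER ORD00003 IS READY FOR DOWNLOAD.
GIM69207S ** RECEIVE PROCESSING HAS FAILED BECAUSE THE CONNECTION WITH THE SERVER FAILED.
           javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed:
           com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested
           target
GIM20501I    RECEIVE PROCESSING IS COMPLETE. THE HIGHEST RETURN CODE WAS 12.
"""

# A message starts with an id such as GIM69207S; severe messages carry a "**" flag.
MSG_START = re.compile(r"^\s*(GIM\d{5}[A-Z])\s+(?:\*\*\s+)?(.*)$")

def parse_messages(text):
    """Return (message_id, body) pairs, folding wrapped lines into their message."""
    messages = []
    for line in text.splitlines():
        match = MSG_START.match(line)
        if match:
            messages.append([match.group(1), match.group(2).strip()])
        elif line.strip() and messages:
            messages[-1][1] += " " + line.strip()  # continuation line
    return [tuple(m) for m in messages]

def triage(text):
    """Summarise the job output: server contacted, highest RC, trust failure."""
    result = {"hosts": [], "max_rc": 0, "trust_failure": False, "checks": []}
    for msg_id, body in parse_messages(text):
        result["hosts"] += re.findall(r"https://([^/\s]+)", body)
        rc = re.search(r"HIGHEST RETURN CODE WAS (\d+)", body)
        if rc:
            result["max_rc"] = max(result["max_rc"], int(rc.group(1)))
        if msg_id == "GIM69207S" and "PKIX path building failed" in body:
            result["trust_failure"] = True
    if result["trust_failure"]:
        result["checks"] = [
            "Verify the downloaded certificates against the security file (CHKCERT)",
            "Confirm the keyring is available to the user running RECEIVE ORDER",
        ] + [f"Confirm the proxy allows {h}" for h in result["hosts"]]
    return result

if __name__ == "__main__":
    for key, value in triage(SAMPLE_SMPOUT).items():
        print(f"{key}: {value}")
```

Folding the continuation lines matters because the exception text wraps in the job output, so a line-by-line search for the full "unable to find valid certification path to requested target" string would miss it.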