XCOM SSL File transfer from Linux Server to mainframe suddenly fails

book

Article ID: 206595

calendar_today

Updated On:

Products

CA XCOM Data Transport CA XCOM Data Transport - Linux PC CA XCOM Data Transport - z/OS

Issue/Introduction

File transfers from the Linux Server to the mainframe suddenly began to fail.

An xcomtcp -ping, returns this error:

#XCOMU0298E Unable to allocate remote transaction program: Txpi  215: Socket send error return value = 9

And this error is in the xcom.log

XCOMU0780E Txpi  308: TxpiInitSSL Failed msg = <error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed> value = 4294967295:

Cause

The original problem is that the client (Unix) fails to verify the certificate received from the server (MVS).

In the case the server certificate on the Mainframe had expired.

Environment

Release : 11.6, 12.0

Component : CA XCOM Data Transport for z/OS

CA XCOM Data Transport for Linux PC

Resolution

WORKAROUND  (to be used only to get production up and running while troubleshooting)

Disable VERIFY_CERTIFICATE in Unix so the connection succeeds.

TROUBLESHOOT with the openssl utility

In order to manually perform the verification via openssl utility you need:
- The CA certificate store file from Unix (named in [CA]/INITIATE_SIDE in the SSL config file from Unix. Let's call it CA.cert
- The certificate presented by mainframe, which is named in [CERTIFICATE]/RECEIVE_SIDE in the SSL config file from MVS side. Let's call it server.cert

The command is openssl verify -verbose -purpose sslserver -CAfile CA.cert server.cert

That is, "verify with verbose output a certificate which is a server certificate (-purpose sslserver) stored in file server.cert and using file CA.cert as the CA certificate store". 
This will give the reason why the certificate failed.

The verify utility is documented in OpenSSL Toolkit.  
The certificate verification might fail, for example, if the server certificate has expired.

If the server certificate has failed because it expired, a new certificate must be procured and installed