File transfers from the Linux Server to the mainframe suddenly began to fail.
An xcomtcp -ping, returns this error:
#XCOMU0298E Unable to allocate remote transaction program: Txpi 215: Socket send error return value = 9
And this error is in the xcom.log
XCOMU0780E Txpi 308: TxpiInitSSL Failed msg = <error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed> value = 4294967295:
Release : 11.6, 12.0
Component : CA XCOM Data Transport for z/OS
CA XCOM Data Transport for Linux PC
The original problem is that the client (Unix) fails to verify the certificate received from the server (MVS).
In the case the server certificate on the Mainframe had expired.
Disable VERIFY_CERTIFICATE in Unix so the connection succeeds.
TROUBLESHOOT with the openssl utility
In order to manually perform the verification via openssl utility you need:
- The CA certificate store file from Unix (named in [CA]/INITIATE_SIDE in the SSL config file from Unix. Let's call it CA.cert
- The certificate presented by mainframe, which is named in [CERTIFICATE]/RECEIVE_SIDE in the SSL config file from MVS side. Let's call it server.cert
The command is openssl verify -verbose -purpose sslserver -CAfile CA.cert server.cert
That is, "verify with verbose output a certificate which is a server certificate (-purpose sslserver) stored in file server.cert and using file CA.cert as the CA certificate store".
This will give the reason why the certificate failed.
The verify utility is documented in OpenSSL Toolkit.
The certificate verification might fail, for example, if the server certificate has expired.
If the server certificate has failed because it expired, a new certificate must be procured and installed