AT-TLS transfer fails with message BPXF024I RC=6 with XCOM for z/OS

Article ID: 207570

Products

CA XCOM Data Transport, CA XCOM Data Transport - z/OS

Issue/Introduction

An AT-TLS TYPE=EXECUTE transfer fails with the following messages in the output, the receiving server xcomlog, and the system log:

Transfer fails with messages:

XCOMM0785I STARTING TCP/IP CONNECTION TO PORT=10103, IP=
XCOMM0786I TCP/IP CONNECTION ESTABLISHED WITH DEST=**NONE**, PORT=10103,
                                                                        
XCOMM0402I REQUEST NUMBER 002000 ASSIGNED TO TRANSFER REQUEST           
XCOMM1467E OMVS Error: EDC5140I Broken pipe. (errno2=0x77F37242)        
XCOMM0780E Txpi  215: Socket send error return value = 140              
XCOMM0783E FLUSH    REQUEST ENDED DUE TO TCP/IP ERROR

Receiving Server:

Transfer failed with messages:

XCOMM1467E OMVS Error: EDC8124I Socket not connected. (errno2=0x749B0000)      
XCOMM0780E Txpi  234: Error 1124 from getpeername; length : 28   IP=                                                                 
XCOMM0666E TxpiInitConnection FAILED - UNKNOWN PARTNER - TERMINATING CONNECTION
XCOMM0805I TCP/IP CONNECTION ENDED WITH IP=

System log:

#002000 XCOM3BP     XCOMM0785I STARTING TCP/IP CONNECTION TO PORT=10103, IP=                    
BPXF024I (BPXOINIT) Jan 29 18:54:05 system TTLS 17104957 : 13:54:05   
TCPIP31  EZD1286I TTLS Error GRPID: 00000001 ENVID: 0000002A CONNID:    
006568AF LOCAL: ipaddr ..56687 REMOTE: ipaddr..10103         
JOBNAME: XCOM3BP USERID: xxxxxxx RULE: XCOM-Client 18  RC:    6         
Initial Handshake 0000000000000000 0000005179200050 0000000000000000    
                                                                        
XCOMM1467E OMVS Error: EDC8124I Socket not connected. (errno2=0x749B0000)                                                                       
XCOMM0780E Txpi  234: Error 1124 from getpeername; length : 28 IP=                                       
XCOMM0666E TxpiInitConnection FAILED - UNKNOWN PARTNER - TERMINATING CONNECTION                                                              
XCOMM0805I TCP/IP CONNECTION ENDED WITH IP=                                                       
#002000 XCOM3BP     XCOMM0786I TCP/IP CONNECTION ESTABLISHED WITH DEST=**NONE**, PORT=10103, IP=            
#002000 XCOM3BP     XCOMM0402I REQUEST NUMBER 002000 ASSIGNED TO TRANSFER REQUEST                                            
#002000 XCOM3BP     XCOMM1467E OMVS Error: EDC5140I Broken pipe. (errno2=0x77F37242)                                        
#002000 XCOM3BP     XCOMM0780E Txpi  215: Socket send error return value = 140                                                
#002000 XCOM3BP     XCOMM0783E FLUSH REQUEST ENDED DUE TO TCP/IP ERROR                       

Cause

Based on the message and RC received, the problem was related to the Cert Label of the SSL certificate. In this case, the cert labels of the actual SSL client and server certificates in the System SSL database used by the XCOM task did not match the AT-TLS rules.

Environment

Release : 12.0

Component : CA XCOM Data Transport for z/OS

Resolution

Review the Cert Label of the SSL certificates being used and make the appropriate changes to the AT-TLS rules or to the actual SSL certificate.

Depending on the setup, it may be possible to change the Cert Labels of the certificates in the IBM System SSL database using the IBM gskkyman utility. Review this with the Systems Programmer and Security Admin before making changes.

Additional Information

The meaning of the message:

BPXF024I (BPXOINIT) Jan 29 18:54:05 system TTLS 17104957 : 13:54:05   
TCPIP31  EZD1286I TTLS Error GRPID: 00000001 ENVID: 0000002A CONNID:    
006568AF LOCAL: ipaddr..56687 REMOTE: ipaddr..10103         
JOBNAME: XCOM3BP USERID: xxxxxxx RULE: XCOM-Client 18  RC:    6         
Initial Handshake 0000000000000000 0000005179200050 0000000000000000

Here is the link where the RC was found:

 IBM Documentation

6   Key label is not found.

Explanation

The requested key label is not found in the key database, PKCS #12 file, SAF key ring, or z/OS® PKCS #11 token. When using a PKCS #12 file, this error can also occur when the file is being processed during the establishment of the SSL/TLS environment when a certificate is encountered where there is no friendly name PKCS #12 attribute and the certificate's subject distinguished name is empty.

User response

Specify a label that exists in the key database, PKCS #12 file, SAF key ring, or z/OS PKCS #11 token. If encountered when establishing a SSL/TLS environment using a PKCS #12 file, verify any certificate that has no subject distinguished name is assigned a PKCS #12 friendly name attribute.
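
The following Python example is added here and is not from the article or from vendor tooling. It reassembles the wrapped EZD1286I message from the article's system log excerpt and reports the job, rule, return code and handshake event, so the AT-TLS cause is separated from the XCOM socket errors around it. The function names are this example's own, and only RC 6 is mapped because it is the only code the article documents.

```python
import re

# System log excerpt copied from this article (addresses and user ID are redacted there).
SYSLOG = """\
#002000 XCOM3BP     XCOMM0785I STARTING TCP/IP CONNECTION TO PORT=10103, IP=
BPXF024I (BPXOINIT) Jan 29 18:54:05 system TTLS 17104957 : 13:54:05
TCPIP31  EZD1286I TTLS Error GRPID: 00000001 ENVID: 0000002A CONNID:
006568AF LOCAL: ipaddr ..56687 REMOTE: ipaddr..10103
JOBNAME: XCOM3BP USERID: xxxxxxx RULE: XCOM-Client 18  RC:    6
Initial Handshake 0000000000000000 0000005179200050 0000000000000000

XCOMM1467E OMVS Error: EDC8124I Socket not connected. (errno2=0x749B0000)
#002000 XCOM3BP     XCOMM1467E OMVS Error: EDC5140I Broken pipe. (errno2=0x77F37242)
"""

# Only the return code this article documents; any other code is left unmapped.
RC_TEXT = {6: "Key label is not found."}

FIELD = re.compile(r"\b(GRPID|ENVID|CONNID|JOBNAME|USERID|RC):\s*(\S+)")
RULE = re.compile(r"RULE:\s*(.+?)\s+RC:")
EVENT = re.compile(r"RC:\s*\d+\s+(.+?)\s+[0-9A-F]{16}\b")

def parse_ttls_errors(text, span=4):
    """Return one dict per EZD1286I message, joining its wrapped log lines."""
    lines = text.splitlines()
    found = []
    for i, line in enumerate(lines):
        if "EZD1286I" not in line:
            continue
        # The message wraps: "CONNID:" ends one line and its value starts the next.
        joined = " ".join(part.strip() for part in lines[i:i + span])
        rec = dict(FIELD.findall(joined))
        rule, event = RULE.search(joined), EVENT.search(joined)
        if "RC" not in rec or not rec["RC"].isdigit():
            continue  # truncated message: nothing reliable to report
        rec["RC"] = int(rec["RC"])
        rec["RULE"] = rule.group(1) if rule else None
        rec["EVENT"] = event.group(1) if event else None
        rec["MEANING"] = RC_TEXT.get(rec["RC"], "not covered by this article")
        found.append(rec)
    return found

def socket_symptoms(text):
    """XCOM socket errors logged around the failure; symptoms, not the cause."""
    return re.findall(r"XCOMM1467E OMVS Error: (EDC\d+I)", text)

if __name__ == "__main__":
    for e in parse_ttls_errors(SYSLOG):
        print(f"{e['JOBNAME']} rule {e['RULE']!r}: RC {e['RC']} at {e['EVENT']}: {e['MEANING']}")
    print("accompanying socket errors:", socket_symptoms(SYSLOG))
```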