Digital Certificate Debugging for CA SMP/E Internet Service Retrieval

Article ID: 213184


Products

Common Services, COMMON SERVICES FOR Z/OS, ACF2, ACF2 - z/OS, ACF2 - MISC, Top Secret

Issue/Introduction

This article lists the documentation to gather and a checklist of what to look for when there is a digital certificate issue with CA SMP/E Internet Service Retrieval.

Resolution

Documentation Required:

1. SMP/E Internet Service Retrieval joblog showing the error messages.

2. To verify KEYRING setup - LIST of the KEYRING: 

ACF2
SET PROFILE(USER) DIV(KEYRING)
LIST ringname

Top Secret
TSS LIST(USER01) LABLRING(ringname)

RACF
RACDCERT LISTRING(ringname)

3. To verify the certificate status and keys - Issue the ACF2 or TSS CHKCERT, or the RACF RACDCERT LIST, for each of the three certificates in the Keyring:

ACF2
CHKCERT certdata.recordname

Top Secret
TSS CHKCERT DCDSN(input_dataset_name)

RACF
RACDCERT LIST(LABEL('label-name'))

4. To verify the server task has the authority to access the Keyring and certificates, run the ESM security reports to check for resource violations. 

5. To verify that the KEYRING and certificates are being returned to the SMP/E job, turn on the ACF2 or Top Secret OMVS Sectrace or the RACF SAF Trace before running the SMP/E job: 

ACF2 and Top Secret
SECTRACE SET,ID=mytrace,TYPE=OMVS,SFUNC=RDATALIB,END

RACF
@SET TRACE(CALLABLE(TYPE(41)) JOBNAME(*))
Turn on GTF:
Start gtfracf.gtf,,,noprompt

Debugging checklist:

1. Verify Certificates are Trusted

2. Verify Certificates are not expired

3. Verify there are no ESM resource violations for Resource Class FACILITY or RDATALIB

4. Verify the ACF2/TSS OMVS SECTRACE, or RACF SAF Trace shows all certificates returned from the Keyring with correct certificate Usage and certificate labels.

5. Verify the Keyring ringname and User certificate label match the ORDERSERVER parameters.

6. Verify that the Keyring owner LOGONID/ACID/USERID matches the LOGONID/ACID/USERID that the CA SMP/E Order job is running under.
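The following Python sketch is an added example, not part of the original article or of any CA/Broadcom tooling. It applies the trust, expiry, ring name and ring owner checks to captured RACDCERT LIST output. The field layout (`Label:`, `Status:`, `End Date:`, `Ring Owner:`) is assumed to match the listing on your system, the sample listing is constructed, and the names SMPUSER, SMPADMIN and SMPEring are hypothetical; ACF2 and Top Secret CHKCERT output is not handled.

```python
import re
from datetime import datetime

# Constructed RACDCERT LIST output for illustration; not from a real system.
SAMPLE = """\
Digital certificate information for user SMPUSER:

  Label: SMPE Client Cert
  Status: NOTRUST
  Start Date: 2020/01/01 00:00:00
  End Date:   2022/12/31 23:59:59
  Serial Number:
       >01<
  Ring Associations:
    Ring Owner: SMPADMIN
    Ring:
       >SMPEring<
"""

def parse_racdcert_list(text):
    """Extract the fields the debugging checklist inspects from one listing."""
    def field(name):
        m = re.search(rf"^\s*{name}:[ \t]*(.+?)[ \t]*$", text, re.M)
        return m.group(1) if m else None
    end = field("End Date")
    return {
        "label": field("Label"),
        "status": field("Status"),
        # RACF prints local time; compared here as a naive datetime.
        "end": datetime.strptime(end, "%Y/%m/%d %H:%M:%S") if end else None,
        # (ring owner, ring name) pairs from the Ring Associations section.
        "rings": re.findall(r"Ring Owner:\s*(\S+)\s*Ring:\s*>(.+?)<", text),
    }

def checklist_findings(cert, now, ring, job_userid):
    """Return the checklist items this certificate fails; empty means pass."""
    findings = []
    if cert["status"] not in ("TRUST", "HIGHTRUST"):
        findings.append("not trusted")
    if cert["end"] is None or cert["end"] <= now:
        findings.append("expired or no end date found")
    if (job_userid, ring) not in cert["rings"]:
        findings.append("not on a ring owned by the job's userid")
    return findings

if __name__ == "__main__":
    cert = parse_racdcert_list(SAMPLE)
    for item in checklist_findings(cert, datetime.now(), "SMPEring", "SMPUSER"):
        print(f"{cert['label']}: {item}")
```

Run it once per certificate listing, passing the ring name from the ORDERSERVER parameters and the userid the SMP/E job runs under.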

Non-Digital Certificate related things to check:

1. Verify the correct CSI is specified in the SMPCSI DD.

2. Verify the USS path directory specified in the SMPNTS DD is mounted, is valid and has enough space. 

3. Verify the CLIENT javahome parameter specifies the correct location for the Java runtime directory.

4. To process a RECEIVE ORDER request, SMP/E assumes that you have network connectivity from your z/OS system to the following CA Technologies servers: eapi.broadcom.com and rdownloads.broadcom.com.

    You can verify your name server setup for eapi.broadcom.com and rdownloads.broadcom.com by using the following sample job to invoke the DIG command:

    //jobname JOB ...
    //NSLOOKU1 EXEC PGM=BPXBATCH,                             
    //             PARM='PGM /bin/dig eapi.broadcom.com'      
    //STDOUT    DD SYSOUT=*                                   
    //NSLOOKU2 EXEC PGM=BPXBATCH,                             
    //             PARM='PGM /bin/dig rdownloads.broadcom.com'
    //STDOUT    DD SYSOUT=*                                   
    /*                      

    Expected RC is 0. If you receive a non-zero return code, provide the job output to your Network Group for further analysis.