ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Digital Certificate Debugging for CA SMP/E Internet Service Retrieval


Article ID: 213184


Updated On:


Common Services COMMON SERVICES FOR Z/OS ACF2 ACF2 - z/OS ACF2 - MISC Top Secret


The following contains a list of documentation to gather and a checklist of what to look for when there is a digital certificate issue with CA SMP/E Internet Service Retrieval.


Documentation Required:

1. SMP/E Internet Service Retrieval joblog showing the error messages.

2. To verify KEYRING setup - LIST of the KEYRING: 

LIST ringname

Top Secret


3. To verify the certificate status, and keys - Issue the ACF2 or TSS CHKCERT or RACF RACDCERT LIST for each of the three certificates in the Keyring:

CHKCERT certdata.recordname

Top Secret
TSS CHKCERT DCDSN(input_dataset_name)

RACDCERT LIST(LABEL('label-name'))

4. To verify the server task has the authority to access the Keyring and certificates, run the ESM security reports to check for resource violations. 

5. To verify that the KEYRING and certificates are being returned to the SMP/E job, turn on the ACF2 or Top Secret OMVS Sectrace or the RACF SAF Trace before running the SMP/E job: 

ACF2 and Top Secret

   Turn on GTF
Start gtfracf.gtf,,,noprompt

Debugging checklist:

1. Verify Certificates are Trusted

2. Verify Certificates are not expired

3. Verify there are no ESM resource violations for Resource Class FACILITY or RDATALIB

4. Verify the ACF2/TSS OMVS SECTRACE, or RACF SAF Trace shows all certificates returned from the Keyring with correct certificate Usage and certificate labels.

5. Verify the Keyring ringname and User certificate label match the ORDERSERVER parameters.

7. Verify that the Keyring owner LOGONID/ACID/USERID matches the LOGONID/ACID/USERID that the CA SMP/E Order job is running under.

Non-Digital Certificate related things to check:

1. Verify the correct CSI is specified in the SMPCSI DD.

2. Verify the USS path directory specified in the SMPNTS DD is mounted, is valid and has enough space. 

3. Verify the CLIENT javahome parameter specifies the correct location for the Java runtime directory.

4. To process a RECEIVE ORDER request, SMP/E assumes that you have network connectivity from your z/OS system to the following CA Technologies servers: and

    You can verify your Name server ( and setup by using the following sample job to invoke the DIG command:

    //jobname JOB ...
    //NSLOOKU1 EXEC PGM=BPXBATCH,                             
    //             PARM='PGM /bin/dig'      
    //STDOUT    DD SYSOUT=*                                   
    //NSLOOKU2 EXEC PGM=BPXBATCH,                             
    //             PARM='PGM /bin/dig'
    //STDOUT    DD SYSOUT=*                                   

    Expected RC is 0, if you receive a non-zero return code provide the job output to your Network Group for further analysis.