Automatic Registration of Digital Certificate in ACF2 failing: Internal SAF error

Article ID: 236414


Products

ACF2, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

When an ACF2 user attempts to register their digital certificate automatically to the ACF2 database using a site-created script that calls IBM's initACEE callable service (IRRSIA00), they receive an error and are unable to register their certificate:

SELFREG: Internal SAF error

The following is seen in the joblog for the time of the error:

EDC5143I No such process. (errno2=0x0BE8044C)
SAF authentication failure for "/.../certregister.rexx": SAFRunAs failure on switching SAF UID to name in SSL certificate (%%CERTIF%%).  
pthread_security_applid_np(...) returned -1, errno 143 errno2 be8044c

It's been confirmed that the user has access to IRR.DIGTCERT.ADD in the FACILITY class and has access to the OMVSAPPL APPLID. What is causing this error?

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

When an internal error such as this occurs, the easiest way to diagnose it is to perform the task manually within ACF2. Doing this will reveal the ACF2 error message stating what the problem is. Manually inserting the certificate resulted in an ACF0A025 INSUFFICIENT SPACE IN DATABASE TO COMPLETE REQUEST error.

A LISTCAT of the INFOSTG database revealed that the database was full. Expanding the INFOSTG database resolved the ACF0A025 error and allowed for automatic certificate registration to resume.
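
As an added example (not part of the original article or of the vendor's documentation), the Python code below reads LISTCAT output and flags any component whose high-used RBA is close to its high-allocated RBA, so that a filling INFOSTG database can be noticed before certificate registration starts failing. The dataset names, the sample output and the 90% threshold are constructed assumptions, and the HI-U-RBA to HI-A-RBA ratio is only a coarse indicator of remaining room.

```python
import re

# Constructed LISTCAT excerpt; dataset names and all numbers are made up.
SAMPLE_LISTCAT = """\
CLUSTER ------- SYS1.ACF2.INFOSTG
DATA ------- SYS1.ACF2.INFOSTG.DATA
  STATISTICS
    REC-TOTAL----------48211     SPLITS-CA-------------37     EXTENTS----------------1
  ALLOCATION
    SPACE-TYPE------CYLINDER     HI-A-RBA---------7372800
    SPACE-PRI-------------10     HI-U-RBA---------7372800
    SPACE-SEC--------------0
INDEX ------ SYS1.ACF2.INFOSTG.INDEX
  ALLOCATION
    SPACE-TYPE---------TRACK     HI-A-RBA-----------40960
    SPACE-PRI--------------1     HI-U-RBA-----------24576
    SPACE-SEC--------------0
"""

COMPONENT = re.compile(r"^\s*(DATA|INDEX)\s+-+\s+(\S+)")
FIELD = re.compile(r"\b(HI-A-RBA|HI-U-RBA|SPACE-SEC)-+(\d+)")

def parse_listcat(text):
    """Return {component dataset name: {field: int}} for DATA/INDEX entries."""
    components, current = {}, None
    for line in text.splitlines():
        header = COMPONENT.match(line)
        if header:
            current = components.setdefault(header.group(2), {})
            continue
        if current is not None:
            for key, value in FIELD.findall(line):
                current[key] = int(value)
    return components

def space_findings(text, threshold=0.90):
    """List (name, used ratio, no_secondary_space) for components at or over threshold."""
    findings = []
    for name, fields in parse_listcat(text).items():
        allocated, used = fields.get("HI-A-RBA"), fields.get("HI-U-RBA")
        if not allocated or used is None:
            continue  # incomplete entry: nothing to compare
        ratio = used / allocated
        if ratio >= threshold:
            # SPACE-SEC of 0 means the component cannot take secondary extents
            findings.append((name, round(ratio, 2), fields.get("SPACE-SEC", 0) == 0))
    return findings

if __name__ == "__main__":
    for name, ratio, no_secondary in space_findings(SAMPLE_LISTCAT):
        print(f"{name}: {ratio:.0%} of allocated RBA used, no secondary space: {no_secondary}")
```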

Note that the ACFRPTOM report showed the following error, but did not indicate what the internal error was:

initACEE         TESTUSR  TESTGRP   xxxxxxxxxx    xxxxxxxxxx   8      8      8                                                      
   03/01/22  22.060    7.46.23 TESTUSR           ABC      ABC                                                                        
   Failed - An internal error occurred during security processing                                                                    
    Function: Reg Cert  Attribute flags: 00000000                                                                                    
    Userid:             Applid: OMVSAPPL                                                                                             
    Password: NO   Passphrase: NO   Certificate: YES  ACEE Addr: NO  

An OMVS SECTRACE and MVS SECTRACE did not reveal anything additional as to what the internal error was. The RV report showed that access to the required resources was being granted. 

Additional Information

KD Article - ACF2 Support Automatic Registration of Digital Certificates
ACF2 Doc - Automatic Registration of Digital Certificates