After a digital certificate signed by an external CA is inserted back into ACF2, AT-TLS behaves as if the certificate has lost its private key.
The AT-TLS policy specifies the correct ring name and the label of the new certificate. When an SSL connection is attempted, it fails on z/OS with this error:
EZD1287I TTLS Error RC: 428 Initial Handshake 037
The IBM documentation describes RC 428 as "the private key cannot be obtained from the certificate". How is this issue resolved?
Release : 16.0
Component : ACF2 for z/OS
The most likely causes of this error are connecting the certificate to the keyring with the wrong USAGE and/or the user ID not having the privileges required to read the private key.
Keyring Usage:
To share the private key of a digital certificate, the certificate must be connected to the keyring with USAGE(PERSONAL):
CONNECT CERTDATA(certificate) KEYRING(keyring) USAGE(PERSONAL)
Private key access:
There are two different ways to allow access to the private key of a SITECERT certificate. The first grants READ and UPDATE access to the keyring resource (ringowner.ringname.LST) in the RDATALIB class:
SET R(RDA)
RECKEY ringowner ADD( ringname.LST UID(uid) SERVICE(READ,UPDATE) ALLOW)
The second grants access to IRR.DIGTCERT.GENCERT in the FACILITY class:
SET R(FAC)
RECKEY IRR ADD( DIGTCERT.GENCERT UID(uid) SERVICE(DELETE) ALLOW)
Other considerations:
Run CHKCERT against the certificate record and confirm that its output includes the private key sections, for example:
Private Key Type:
RSA
Private key bit size:
2048
Signature Algorithm:
sha256WithRSAEncryption
If these sections are not listed in the CHKCERT output, the private key does not exist in the database. This happens when the certificate record was deleted after the GENREQ that produced the CSR and before the INSERT of the signed certificate returned by the CA. In that case, the private key must either be restored from a backup copy of the INFOSTG database, or a new certificate must be generated and a new request sent out to be signed.
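The following is an added example, not part of the original article, that automates the CHKCERT check described above: it parses CHKCERT-style output for the three private key sections and reports whether the private key is present (and whether the key size meets a minimum). The field names come from the article; the sample output lines are constructed and do not reproduce real CHKCERT formatting.

```python
import re

# Private-key sections that CHKCERT shows only when the private key exists in the
# ACF2 INFOSTG database (field names taken from the article above).
PRIVATE_KEY_FIELDS = ("Private Key Type", "Private key bit size", "Signature Algorithm")

# Constructed sample of CHKCERT-style output for a healthy record (not real command output).
SAMPLE_WITH_KEY = """\
Label: MYSERVER2024
Private Key Type:
RSA
Private key bit size:
2048
Signature Algorithm:
sha256WithRSAEncryption
"""

# Constructed sample for a record whose private key was lost (deleted between GENREQ and INSERT).
SAMPLE_WITHOUT_KEY = """\
Label: MYSERVER2024
Signature Algorithm:
sha256WithRSAEncryption
"""

def parse_chkcert(text):
    """Return {field (lower-case): value}. A field label ending in ':' may carry its
    value on the same line or on the following line, as in the samples above."""
    fields, pending = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending is not None:          # previous line was a bare label; this line is its value
            fields[pending] = line
            pending = None
            continue
        m = re.match(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$", line)
        if m:
            key, val = m.group(1).strip().lower(), m.group(2).strip()
            if val:
                fields[key] = val
            else:
                pending = key
    return fields

def diagnose_private_key(text, min_bits=2048):
    """Decide whether the private key is present and whether its size is acceptable."""
    f = parse_chkcert(text)
    if not all(name.lower() in f for name in PRIVATE_KEY_FIELDS):
        return {"private_key_present": False,
                "advice": "private key missing from INFOSTG; restore from backup or GENREQ a new CSR"}
    bits = int(f["private key bit size"])
    return {"private_key_present": True, "key_type": f["private key type"], "bits": bits,
            "signature_algorithm": f["signature algorithm"],
            "advice": "ok" if bits >= min_bits else f"key size {bits} below {min_bits}"}
```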