When getting a digital certificate back from an external CA and inserting it back into ACF2, AT-TLS thinks it loses its private key.

The AT-TLS policy specifies the correct ringname and the label of the new certificate.  When attempting to start an SSL connection, the connection fails on z/OS with this error:

EZD1287I TTLS Error RC:  428 Initial Handshake 037    

The description for RC 428 from IBM documentation specifies that the private key cannot be obtained from the certificate. How is this issue resolved?

Release : 16.0

Component : ACF2 for z/OS

The most obvious suspects of this error are specifying an incorrect usage when attaching the certificate to the keyring and/or not having the correct privileges to read the private key. 

Keyring Usage:

In order to share the private key of a digital certificate, the certificate must be attached to the keyring as USAGE(PERSONAL).

CONNECT CERTDATA(certificate) KEYRING(keyring) USAGE(PERSONAL)

Private key access:

There are two different ways to allow access to the private key of a SITECERT certificate

• If using the RDATALIB class for ring specific checks, UPDATE access to ringowner.ringname.LST is required. This is in addition to READ access for this resource that is required for the user to read the keyring.

SET R(RDA)
RECKEY ringowner ADD( ringname.LST UID(uid) SERVICE(READ,UPDATE) ALLOW)

• If using the FACILITY class for global checks, DELETE access to IRR.DIGTCERT.GENCERT is required.

SET R(FAC)
RECKEY IRR ADD( DIGTCERT.GENCERT UID(uid) SERVICE(DELETE) ALLOW)

Other considerations:

• Is the private key in the database? Issue a CHKCERT command for the certificate. If there is a private key, there will be the following sections listed:
  
  

  Private Key Type:     
     RSA                                                                     
  Private key bit size:                                                       
     2048                                                                     
  Signature Algorithm:                                                         
     sha256WithRSAEncryption

If these sections are not listed in the CHKCERT, the private key does not exist in the database. This occurs when the certificate was deleted after the GENREQ for the CSR and before the INSERT of the signed certificate from the CA. In this case, the private key will either need to be restored from a backup copy of the INFOSTG database or a new certificate will need to be generated and sent out to be signed. 

• This issue may be caused by the PE'd PTF LU01734. If this PTF is applied, then the  PTFs LU03440 and LU01752 should also be applied to fix the issue.