ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Troubleshooting SITECERT digital certificate private key error - EZD1287I RC 428

book

Article ID: 237054

calendar_today

Updated On:

Products

ACF2 - z/OS ACF2 ACF2 - MISC

Issue/Introduction

When getting a digital certificate back from an external CA and inserting it back into ACF2, AT-TLS thinks it loses its private key.

The AT-TLS policy specifies the correct ringname and the label of the new certificate.  When attempting to start an SSL connection, the connection fails on z/OS with this error:

EZD1287I TTLS Error RC:  428 Initial Handshake 037                

The description for RC 428 from IBM documentation specifies that the private key cannot be obtained from the certificate. How is this issue resolved?

 

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

The most obvious suspects of this error are specifying an incorrect usage when attaching the certificate to the keyring and/or not having the correct privileges to read the private key. 

Keyring Usage:

In order to share the private key of a digital certificate, the certificate must be attached to the keyring as USAGE(PERSONAL).

CONNECT CERTDATA(certificate) KEYRING(keyring) USAGE(PERSONAL)

Private key access:

There are two different ways to allow access to the private key of a SITECERT certificate

  • If using the RDATALIB class for ring specific checks, UPDATE access to ringowner.ringname.LST is required. This is in addition to READ access for this resource that is required for the user to read the keyring.

SET R(RDA)
RECKEY ringowner ADD( ringname.LST UID(uid) SERVICE(READ,UPDATE) ALLOW)

  • If using the FACILITY class for global checks, DELETE access to IRR.DIGTCERT.GENCERT is required.

SET R(FAC)
RECKEY IRR ADD( DIGTCERT.GENCERT UID(uid) SERVICE(DELETE) ALLOW)

Other considerations:

  • Is the private key in the database? Issue a CHKCERT command for the certificate. If there is a private key, there will be the following sections listed:

    Private Key Type:     
       RSA                                                                     
    Private key bit size:                                                       
       2048                                                                     
    Signature Algorithm:                                                         
       sha256WithRSAEncryption

If these sections are not listed in the CHKCERT, the private key does not exist in the database. This occurs when the certificate was deleted after the GENREQ for the CSR and before the INSERT of the signed certificate from the CA. In this case, the private key will either need to be restored from a backup copy of the INFOSTG database or a new certificate will need to be generated and sent out to be signed. 

  • If the issue still persists after making sure all the above are correct, then verify PTFs LU03440 and LU01752 are applied.