CAS20E0E ICSF CSNDPKG service error during ACF2 GENCERT

Article ID: 237101

Updated On:

Products

ACF2 - z/OS, ACF2, ACF2 - MISC

Issue/Introduction

When attempting to GENCERT a digital certificate with PCICC specified, the following error is seen and the certificate fails to be generated:

CAS20E0E ICSF CSNDPKG service error - RC=12 RSN=11016

Environment

Release : 16.0

Component : ACF2 for z/OS

z/OS 2.4 or higher

Resolution

The return and reason codes indicate an issue with the master key in ICSF, stating "The master key is not in a valid state. Contact your ICSF administrator."

z/OS V2R4 introduced a requirement of an ECC master key:

https://www.ibm.com/docs/en/zos/2.4.0?topic=consider-racf-racdcert-tls13-rsapss-support

If this ECC master key is missing, the CSNDPKG service fails with RC=12, RSN=11016.

Note that the private keys already installed in the PKDS by an older z/OS release will remain in place but won't be usable unless re-encrypted with the ECC master key.

Additional Information

RACF RACDCERT TLS1.3 RSAPSS support
Reason codes for return code C (12)