Key entry does not contain a private key (428) error for a certificate in an ACF2 keyring

Article ID: 237747

Products

ACF2 - z/OS, ACF2, ACF2 - MISC

Issue/Introduction

In trying to set up an SSL/TLS connection for an application using an ACF2 keyring, the following error is seen in the GSKTRACE taken by the application support team:

GSK: 311AD758 Error in gsk_secure_socket_init(): Key entry does not contain a private key (428)

Why is this error occurring? 

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

The RDATALIB (RDA) resource rule was not updated after the ring name was changed, so it still referenced the old ring name. The RDA resource name has the syntax ringowner.ringname.LST. READ access is required to access the keyring, and UPDATE access is required to read the private key, because the logonid that needed access was not the certificate owner.

Old Rule:
$KEY(USER01) TYPE(RDA)
$USERDATA(USER01 KEYRING)
  OLDRING.LST UID(**************USER02) SERVICE(UPDATE) ALLOW

Updated Rule:
$KEY(USER01) TYPE(RDA)
$USERDATA(USER01 KEYRING)
  NEWRING.LST UID(**************USER02) SERVICE(READ,UPDATE) ALLOW
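The check described in the Resolution can be run offline against exported rule text before a ring is renamed. The following is an added example, not code from the article or from ACF2; the function names are hypothetical, and it assumes the full resource name is the $KEY value joined to the rule entry with a period, that names are literal (no masking), and it does not evaluate the UID string.

```python
import re

# Constructed sample input: the two rule sets shown in the article.
OLD_RULE = """\
$KEY(USER01) TYPE(RDA)
$USERDATA(USER01 KEYRING)
  OLDRING.LST UID(**************USER02) SERVICE(UPDATE) ALLOW
"""
NEW_RULE = """\
$KEY(USER01) TYPE(RDA)
$USERDATA(USER01 KEYRING)
  NEWRING.LST UID(**************USER02) SERVICE(READ,UPDATE) ALLOW
"""

def parse_rule(text):
    """Return [(full_resource_name, services, allowed), ...] for one rule set."""
    key, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"\$KEY\(([^)]+)\)", line)
        if m:
            key = m.group(1).upper()
        elif line and not line.startswith("$"):   # skip $USERDATA and similar
            name = line.split()[0].upper()
            svc = re.search(r"SERVICE\(([^)]*)\)", line, re.I)
            services = {s.strip().upper() for s in svc.group(1).split(",")} if svc else set()
            allowed = "ALLOW" in line.upper().split()
            entries.append((f"{key}.{name}", services, allowed))   # assumed: key + "." + entry
    return entries

def check_keyring_access(text, ring_owner, ring_name, need_private_key=True):
    """List problems that would block access to ring_owner.ring_name.LST (UID not evaluated)."""
    expected = f"{ring_owner}.{ring_name}.LST".upper()
    required = {"READ", "UPDATE"} if need_private_key else {"READ"}
    matches = [e for e in parse_rule(text) if e[0] == expected and e[2]]
    if not matches:
        names = ", ".join(e[0] for e in parse_rule(text)) or "none"
        return [f"no ALLOW entry for {expected} (rule covers: {names})"]
    if any(required <= svc for _, svc, _ in matches):
        return []
    granted = sorted(set().union(*(svc for _, svc, _ in matches)))
    return [f"{expected}: needs SERVICE({','.join(sorted(required))}), found {granted}"]
```

An empty list means an entry for the ring exists with the services the article calls for; any other result names the mismatch to fix in the rule.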