XCOMM1510E with RC 426 from SystemSSL (private key not found)

Article ID: 238407

Products

XCOM Data Transport - z/OS

Issue/Introduction

Using XCOM to perform encrypted SSL transfers with IBM's SystemSSL

Using a SAF key ring to store certificates and private keys

Transfer fails during initialization with message:

XCOMM1510E System SSL: gsk_secure_socket_init: RC = 428: Reason = Key entry does not contain a private key

Cause

This is normally a permission issue:

  • The keyring (specified in parameter KEYRING_FILE) has been found
  • The caller has enough authority to access the keyring
  • The certificate (specified in parameter LABELCERT) has been found in the keyring
  • However, the caller does NOT have permission to retrieve the private key associated with the certificate

Environment

Release : 12.0

Component : XCOM Data Transport for z/OS

Resolution

The caller must be granted authority to retrieve the private key. The exact permission required is tricky to determine, because it depends on how digital certificates are protected on site, on whether the certificate is owned by the caller or by somebody else, and on whether the keyring is a virtual one or a real one.

There are some guidelines in the description of RC 428 in the SystemSSL documentation.

SystemSSL uses the R_datalib (IRRSDL00) service from RACF. The 'usage notes' section of the description of this service details the permissions required to retrieve the private key from a certificate in each situation.
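
The following REXX exec is an added example, not part of the original article or of XCOM. It gathers the facts the Resolution says the answer depends on (who owns the certificate, how it is connected to the ring, and which profiles protect it) so they can be compared against the R_datalib usage notes. It assumes RACF and a real (not virtual) key ring; the user IDs, ring name and label are placeholders, and the profile names shown are the ones RACF documents for key ring access.

```rexx
/* REXX - added example: collect the facts that decide which permission */
/* the XCOM caller needs to retrieve the private key.                   */
/* Assumes RACF and a real key ring. All four values are placeholders.  */
ringowner = 'XCOMSTC'            /* user ID that owns the key ring      */
ringname  = 'XCOMRING'           /* ring named in KEYRING_FILE          */
certowner = 'XCOMSTC'            /* user ID that owns the certificate   */
label     = 'XCOM SERVER CERT'   /* LABELCERT value (case-sensitive)    */

/* 1. Ring contents: shows the owner of each connected certificate and  */
/*    its USAGE, i.e. whether the caller owns the certificate or not.   */
cmds.1 = "RACDCERT ID("ringowner") LISTRING("ringname")"

/* 2. The certificate itself: confirms that a private key exists at all */
/*    before looking at permissions.                                    */
cmds.2 = "RACDCERT ID("certowner") LIST(LABEL('"label"'))"

/* 3. Ring-specific protection: RDATALIB profile <owner>.<ring>.LST     */
/*    and the access list on it, if the site uses this class.           */
cmds.3 = "RLIST RDATALIB "ringowner"."ringname".LST AUTHUSER"

/* 4. Global protection: FACILITY profile covering key ring listing.    */
cmds.4 = "RLIST FACILITY IRR.DIGTCERT.LISTRING AUTHUSER"
cmds.0 = 4

do i = 1 to cmds.0
  say copies('-', 70)
  say cmds.i
  call outtrap 'out.'            /* capture the command's output        */
  address tso cmds.i
  cmdrc = rc
  call outtrap 'off'
  do j = 1 to out.0
    say out.j
  end
  say 'Command RC =' cmdrc
end
exit 0
```

Run it under TSO from a user ID authorized to list other users' certificates and profiles, then compare the access level the XCOM caller holds with what the R_datalib usage notes require for that combination of certificate owner and usage.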