Using XCOM to perform encrypted SSL transfers with IBM's SystemSSL

Using a SAF key ring to store certificates and private keys

Transfer fails during initialization with message:

XCOMM1510E System SSL: gsk_secure_socket_init: RC = 428: Reason = Key entry does not contain a private key

Release : 12.0

Component : XCOM Data Transport for z/OS

This is normally a permission issue,

• The keyring (specified in parameter KEYRING_FILE) has been found
• The caller has enough authority to access the keyring
• The certificate (specified in parameter LABELCERT) has been found in the keyring
• However, the caller does NOT have permission to retrieve the private key associated with the certificate

The caller must be granted authority to retrieve the private key. It's tricky to determine what is the exact permission required as it depends on how digital certificates are protected onsite, on whether the certificate is owned by the caller or by somebody else and on whether the keyring is a virtual one or a real one.

There are some guidelines in the description of RC 428  in the SystemSSL documentation.

SystemSSL uses the R_datalib (IRRSDL00) service from RACF. The 'usage notes' section from the description of this service detail the permissions required to retrieve the private key from a certificate in each situation