FTP Issue for ACF2 user in AT-TLS environment

Article ID: 238763

Products

ACF2 - z/OS ACF2 - MISC ACF2

Issue/Introduction

When trying to FTP software to an ACF2-secured mainframe, the following errors are seen in the error log:

FC3110 authServerAttls: Start Handshake
FC3119 authServerAttls: ioctl() failed on SIOCTTLSCTL - EDC8121I Connection reset. (errno2=0x77A9733D)
EZA2897I Authentication negotiation failed

Granting temporary NON-CNCL privilege to the ACF2 user allowed access and the user was then able to establish a connection.

There is nothing in the ACFRPTRV report. What is the resource rule that needs to be written?

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

Setting the TRACE bit on the logonid, re-testing, and running the RV report revealed a violation for CLEARKEY.SYSTOK-SESSION-ONLY.

The CLEARKEY.token-name resource is queried to determine the policy for creating a clear key rather than a secure key when CKA_IBM_SECURE=TRUE has not been specified for key generation within ICSF. In the violation above, the token name is SYSTOK-SESSION-ONLY.

For more information regarding this resource and how to write rules for it, see KD Article 32457: resource violations for CRYPTOZ require rules for resource validations