XCOMM1510E RC=428 Reason=Key entry does not contain a private key

Article ID: 239674

Products

XCOM Data Transport - z/OS

Issue/Introduction

Initiating a transfer from XCOM for Linux to XCOM for z/OS fails with the following message:

XCOMM1510E System SSL Function gsk_secure_socket_init(soc_handle): RC = 428: Reason =Key entry does not contain a private key

Transfers initiated from z/OS to Linux are successful.

Cause

The SSL certificates used for XCOM transfers were defined with Usage Default rather than Personal in the RACF keyring.

Environment

Release : 12.0

Component : XCOM Data Transport for z/OS

Resolution

The message is returned to XCOM from IBM System SSL. Make sure that the SSL certificates are defined correctly to the keyring in the Security package.
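
One way to check and correct the keyring connection in RACF, shown as TSO commands with CLIST-style comments. This is an added example, not part of the original article; the user ID XCOMSTC, the ring name XCOMRING and the label 'XCOM SERVER CERT' are hypothetical placeholders for the values used at your site.

```tso
/* Placeholders (assumptions): XCOMSTC = user ID the XCOM started   */
/* task runs under, XCOMRING = its key ring, 'XCOM SERVER CERT' =   */
/* label of the certificate XCOM presents.                          */

/* 1. List the ring and read the USAGE column for the certificate.  */
/*    A server or client certificate must show PERSONAL.            */
RACDCERT ID(XCOMSTC) LISTRING(XCOMRING)

/* 2. List the certificate itself and confirm that the listing      */
/*    reports a private key and that the owner is the application   */
/*    user ID (or SITE).                                            */
RACDCERT ID(XCOMSTC) LIST(LABEL('XCOM SERVER CERT'))

/* 3. Reconnect the certificate with USAGE(PERSONAL). Add the       */
/*    DEFAULT keyword if the application relies on the ring's       */
/*    default certificate rather than naming a label.               */
RACDCERT ID(XCOMSTC) REMOVE(ID(XCOMSTC) +
         LABEL('XCOM SERVER CERT') RING(XCOMRING))
RACDCERT ID(XCOMSTC) CONNECT(ID(XCOMSTC) +
         LABEL('XCOM SERVER CERT') RING(XCOMRING) USAGE(PERSONAL))

/* 4. Refresh the in-storage profiles if these classes are          */
/*    RACLISTed, then list the ring again to verify the change.     */
SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
RACDCERT ID(XCOMSTC) LISTRING(XCOMRING)
```

CA certificates in the same ring keep their CERTAUTH usage; only the certificate that carries the private key needs USAGE(PERSONAL). Recycle or refresh the XCOM task afterwards so System SSL re-reads the ring.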

Additional Information

Per IBM documentation:

428 Key entry does not contain a private key.
Last Updated: 2021-06-25

Explanation
The key entry does not contain a private key or the private key is not usable. This error can also occur if the private key is stored in ICSF and ICSF services are not available, if using a SAF key ring that is owned by another user, if the private key size is greater than the supported configuration limit or the application is executing in FIPS mode. Certificates that are meant to represent a server or client must be connected to a SAF key ring with a USAGE value of PERSONAL and either be owned by the user ID of the application or be SITE certificates. This error can occur when using z/OS PKCS #11 tokens if the user ID of the application does not have appropriate access to the CRYPTOZ class. This error can occur when using private keys associated with user certificates in a SAF key ring that is owned by another user if the user ID of the application does not have appropriate access to the ringOwner.ringName.LST resource in the RDATALIB class.

User response
Ensure that the ICSF started task is started before the application if the private key is stored in ICSF. When using z/OS PKCS #11 tokens, ensure that the user ID has appropriate access to the CRYPTOZ class.