How do I determine if all the certificates have been read off the ACF2 keyring for a failed SSL connection?

Article ID: 26089

Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

An SSL connection is failing. The KEYRING and CERTDATA records look ok. How do I determine if all the certificates have been read off the keyring?

Environment

Component: ACF2MS

Resolution

Set up an OMVS SECTRACE to run during the startup of the address space (where the SSL connection fails).

The syntax for the OMVS SECTRACE command is:

ST SET,ID=xxxx,TYPE=OMVS,SFUNC=RDATALIB,END

where "xxxx" is an identifying string of your choice.

Start the address space (that will be traced).

This will produce a trace record for each R_datalib request. The first R_datalib request should be for the "DataGetFirst" function. If the request is successful, the return codes will be 0/0:0, which means the keyring record has been found and the first certificate has been returned. If it is not successful and the return codes are 8/8:44, it is likely that the SSL parms for the address space application specify a keyring value that does not match the RINGNAME in any of the KEYRING records for the address space userid.

Each subsequent R_datalib request is for a "DataGetNext" function. Again, the return codes should be 0/0:0 for each DataGetNext request until there are no more certificates on the keyring; at that point the DataGetNext request returns 8/8:44. The count of R_datalib requests should therefore be 1 more than the number of certificates connected to the keyring. Each trace record contains the name of the certificate that has been retrieved. If you see that not all the certificates were retrieved, issue a CHKCERT for each certificate that is missing. Verify that the request date is within the validity dates for the certificate and that the CERTDATA record shows TRUST. If these checks are good, reissue the commands:

F ACF2,REBUILD(USR),CLASS(P)
F ACF2,OMVS(CERTDATA)

Then recycle the address space. Certificates will not be retrieved by an R_datalib request if the request date is outside the validity dates or the certificate is not trusted.
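The checks described above (first request is a successful DataGetFirst, request count equals certificates plus one, any certificate never returned needs a CHKCERT) as an added example that is not part of this article. The one-line-per-request record layout it parses is a simplified, constructed representation for illustration, not the actual SECTRACE output format, and the certificate names are constructed sample values.

```python
import re

# Simplified record layout assumed for this example (not the real SECTRACE output):
# one line per R_datalib request with the function, the return codes and, when a
# certificate was returned, its CERTDATA record name.
RECORD = re.compile(
    r"SFUNC=(?P<func>DataGetFirst|DataGetNext)\s+RC=(?P<rc>\d+/\d+:\d+)(?:\s+CERT=(?P<cert>\S+))?"
)

# Constructed sample trace: three certificates are connected to the keyring,
# but only two are retrieved before DataGetNext reports 8/8:44 (no more).
SAMPLE_TRACE = """\
SFUNC=DataGetFirst RC=0/0:0 CERT=CERTAUTH.ROOTCA
SFUNC=DataGetNext RC=0/0:0 CERT=WEBSRV.SERVERCERT
SFUNC=DataGetNext RC=8/8:44
"""
# Constructed list of the certificates that CERTDATA shows connected to the keyring.
EXPECTED_CERTS = {"CERTAUTH.ROOTCA", "CERTAUTH.INTERCA", "WEBSRV.SERVERCERT"}


def analyse(trace, expected):
    """Apply the article's checks to the trace records and report what was
    retrieved, what is missing and which follow-up the result points to."""
    recs = [m.groupdict() for m in map(RECORD.search, trace.splitlines()) if m]
    result = {"requests": len(recs), "retrieved": [], "missing": sorted(expected)}
    if not recs:
        result["status"] = "no R_datalib records traced"
        return result
    first = recs[0]
    if first["func"] != "DataGetFirst":
        result["status"] = "first request is not DataGetFirst"
        return result
    if first["rc"] == "8/8:44":
        # Keyring record not found: SSL parms likely name a RINGNAME with no matching KEYRING record.
        result["status"] = "keyring not found: check RINGNAME in KEYRING records for the userid"
        return result
    result["retrieved"] = [r["cert"] for r in recs if r["rc"] == "0/0:0" and r["cert"]]
    result["missing"] = sorted(expected - set(result["retrieved"]))
    ended = recs[-1]["func"] == "DataGetNext" and recs[-1]["rc"] == "8/8:44"
    if not ended:
        result["status"] = "trace does not end with DataGetNext 8/8:44; trace may be incomplete"
    elif result["missing"] or len(recs) != len(expected) + 1:
        # Expected count is certificates + 1 (the final 8/8:44 DataGetNext).
        result["status"] = "incomplete: CHKCERT each missing certificate (validity dates, TRUST)"
    else:
        result["status"] = "all certificates retrieved"
    return result
```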

Additional Information

Additional information on digital certificates is available in the ACF2 Administrator Guide (Chapter 25: Digital Certificate Support).
Additional information on the SECTRACE command is available in the ACF2 System Programmer Guide (Chapter 6: Special Usage Considerations, Tracing SAF Requests).