ESM Micro Services SSL with Top Secret fails with no private key available message

Article ID: 261178

Products

Top Secret

Issue/Introduction

The ESM Micro Services SSL connection fails with the following errors:

ESM log:

 21:15:01.800 [main] DEBUG com.ca.esm.services.ZosCertificateService - ZosCertificateService.init - begin loading certificates ...
 21:15:01.803 [main] DEBUG com.ca.esm.services.ZosCertificateService - getKeyStore() - Key Store URL: safkeyring://AUTMSTC/ESMRING
 21:15:02.771 [main] ERROR com.ca.esm.services.ZosCertificateService - getKeyStore() - Exception loading our keystore: java.io.IOException: The private key of CERTA is not available or no authority to access the private key
 21:15:02.772 [main] DEBUG com.ca.esm.services.ZosCertificateService - loadServerKeyPair() - Key Alias: CERTA
 21:15:02.772 [main] ERROR com.ca.esm.services.ZosCertificateService - Server Certificate Error. Unable to retrieve the Certificate. Check your Configuration
 21:15:02.772 [main] ERROR com.ca.esm.services.ZosCertificateService - Server certificate is not available while Running in Secure mode!

 

Resolution

The output of TSS LIST(CERTSITE) DIGICERT(digicertname) for the client certificate is missing the PRIVATE KEYSIZE field, which confirms that the certificate has no private key. A version of the client certificate that includes the private key needs to be added to the security file.

EXPORT a copy of the certificate in PKCS12 format so that the private key is included.

Top Secret:

   TSS EXPORT(acid) DIGICERT(digicertname) DCDSN(datasetname) FORMAT(PKCS12DER) PKCSPASS(password)


ACF2:

   EXPORT {logonid|logonid.suffix}
     DSname(data-set-name)
     [LABEL(label)]
     [FORMAT(CERTDER|CERTB64|PKCS12DER|PKCS12B64|PKCS7DER|PKCS7B64)]
     [PASSWORD(password)]


RACF:

   RACDCERT EXPORT(LABEL('label-name'))
   [ ID(certificate-owner) | SITE | CERTAUTH ]
   DSN(output-data-set-name)
   [ FORMAT(
   CERTDER
   | CERTB64
   | PKCS7DER
   | PKCS7B64
   | PKCS12DER
   | PKCS12B64
   ) ]
   [ PASSWORD('pkcs12-password') ]