RC: 541 while testing SYSVAPPS to use AT-TLS

Article ID: 262232

Products

SYSVIEW Performance Management

Issue/Introduction

The customer configured AT-TLS as server only, and it worked. When they changed the configuration to ServerWithClientAuth, this error appeared in SYSLOG:

 
EZD1287I TTLS Error RC:  541 Initial Handshake 837    
              
  LOCAL: aaa.bbb.ccc.dd..10553           ===> IP masked from the original                                       
  REMOTE: aa.bbb.c.dd..56414              ===> IP masked from the original
  JOBNAME: SYSVAPPS RULE: SYSVAPPS                                   
  USERID: SYSVIEW GRPID: 00000138 ENVID: 00003FE9 CONNID: 02A75442
  
EZD1287I TTLS Error RC:  541 Initial Handshake 838                   

  LOCAL: aaa.bbb.ccc.dd..10553           ===> IP masked from the original                                       
  REMOTE: aa.bbb.c.dd..56415              ===> IP masked from the original                                   
  JOBNAME: SYSVAPPS RULE: SYSVAPPS                                   
  USERID: SYSVIEW GRPID: 00000138 ENVID: 00003FE9 CONNID: 02A75444 

Environment

Release : 17.0

Cause

-

Resolution

From https://www.ibm.com/docs/en/zos/2.5.0?topic=codes-ssl-function-return :

541

Remote partner indicates sent certificate is not valid.

The customer then set up RACF certificate name filtering to map the certificate to the RACF user.

The customer confirmed that AT-TLS with mutual authentication is working at their site, and that using name filtering fixed the issue.
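
For triage, the EZD1287I records shown in the Issue section can be parsed and grouped so repeated handshake failures for one job and rule stand out. This is an added example, not code from this article, Broadcom or IBM; the function names are hypothetical and the sample addresses are constructed from documentation ranges.

```python
import re
from collections import Counter

# Constructed SYSLOG excerpt in the layout shown above (documentation-range addresses).
SAMPLE = """\
EZD1287I TTLS Error RC:  541 Initial Handshake 837
  LOCAL: 192.0.2.10..10553
  REMOTE: 198.51.100.7..56414
  JOBNAME: SYSVAPPS RULE: SYSVAPPS
  USERID: SYSVIEW GRPID: 00000138 ENVID: 00003FE9 CONNID: 02A75442
EZD1287I TTLS Error RC:  541 Initial Handshake 838

  LOCAL: 192.0.2.10..10553
  REMOTE: 198.51.100.7..56415
  JOBNAME: SYSVAPPS RULE: SYSVAPPS
  USERID: SYSVIEW GRPID: 00000138 ENVID: 00003FE9 CONNID: 02A75444
"""
# Only the code this article covers; the text is the IBM description quoted above.
RC_TEXT = {541: "Remote partner indicates sent certificate is not valid."}
# Header: return code, event name, optional trailing multi-line message id.
HEADER = re.compile(r"EZD1287I TTLS Error RC:\s*(\d+)\s+(.*?)(?:\s+\d+)?\s*$")
FIELD = re.compile(r"([A-Z]+):\s*(\S+)")

def parse_ezd1287i(text):
    """Return one dict per EZD1287I message, merging its indented continuation lines."""
    events, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue  # blank lines inside a record are tolerated
        m = HEADER.search(line)
        if m:
            current = {"RC": int(m.group(1)), "EVENT": m.group(2)}
            events.append(current)
        elif current is not None and line.startswith(" "):
            for key, value in FIELD.findall(line):
                if key in ("LOCAL", "REMOTE") and ".." in value:
                    addr, _, port = value.rpartition("..")  # address..port
                    current[key] = (addr, int(port))
                else:
                    current[key] = value
        else:
            current = None  # an unrelated message ends the current record
    return events

def summarize(events):
    """Count failures per (job, rule, RC, event), most frequent first."""
    counts = Counter((e.get("JOBNAME"), e.get("RULE"), e["RC"], e["EVENT"]) for e in events)
    return [(job, rule, rc, event, n, RC_TEXT.get(rc, "see IBM SSL function return codes"))
            for (job, rule, rc, event), n in counts.most_common()]
```
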

Additional Information

For IBM information on certificate name filtering, see: https://www.ibm.com/docs/en/zos/2.5.0?topic=mapping-certificate-name-filtering