search cancel

XCOMM1510E System SSL Function gsk_environment_init(env_handle): RC = 202: Reason = Error detected while opening the certificate

book

Article ID: 42566

calendar_today

Updated On:

Products

XCOM Data Transport XCOM Data Transport - z/OS

Issue/Introduction

When performing a System SSL transfer the following message is displayed:

XCOMM1510E System SSL Function gsk_environment_init(env_handle): RC = 202: Reason = Error detected while opening the certificate.

 

Environment

Release: 12.0
Component: XCMVS

Cause

  • The key entry does not contain a private key or the private key is not usable.
  • This error can also occur if the private key is stored in ICSF and ICSF services are not available,
  • if using a SAF key ring that is owned by another user, if the private key size is greater than the supported configuration limit or the application is executing in FIPS mode.
  • Certificates that are meant to represent a server or client must be connected to a SAF key ring with a USAGE value of PERSONAL and either be owned by the user ID of the application or be SITE certificates.
  • This error can occur when using z/OS® PKCS #11 tokens if the user ID of the application does not have appropriate access to the CRYPTOZ class.
  • This error can occur when using private keys associated with user certificates in a SAF key ring that is owned by another user if the user ID of the application does not have appropriate access to the ringOwner.ringName.LST resource in the RDATALIB class.

Resolution

After reviewing the XCOM trace we found the actual message returned by IBM's System SSL, which was: "RC = Key entry does not contain a private key"

Ensure that the ICSF started task is started before the application if the private key is stored in ICSF. When using z/OS PKCS #11 tokens, ensure that the user ID has appropriate access to the CRYPTOZ class.

If executing in FIPS mode, ensure that the certificate that is being used does not have its private key stored in ICSF.

Additional Information

Here is the explanation from IBM's knowledge center:

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.gska100/id428.htm