I just installed CA LDAP Server and when it starts it immediately ends with a RC 256 and the stderr file shows messages TLS: could not initialize environment handle and TLS: Permission denied. What can cause this?

Article ID: 45749

Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, PanApt, PanAudit

Issue/Introduction

I just installed CA LDAP Server and when it starts it immediately ends with a RC 256 and the stderr file shows messages TLS: could not initialize environment handle and TLS: Permission denied. What can cause this? 

Environment

Release:
Component: ACF2MS

Resolution

The CA LDAP Server stderr file shows:

[08/12|10:17:32.532204|1804000000000000] reading config file ./slapd.conf
[08/12|10:17:32.540654|1804000000000000] line 4 (hosturls ldap://xx.xx.x.x:xx)
[08/12|10:17:32.541503|1804000000000000] line 14 (TLSkeyringname secring)

...

[08/12|10:17:33.761896|1804000000000000] TLS: could not initialize environment handle.
[08/12|10:17:33.794011|1804000000000000] TLS: Permission denied

The TLS error 'Permission denied' is most likely caused by the CA LDAP Server not being authorized to read the keyring named by the TLSKeyringName parameter in the CA LDAP Server slapd.conf.

To confirm this, run the ACFRPTRV report against the SMF data that was active at the time of the error.

Check the report for access violations logged against the CA LDAP Server task.

For the CA LDAP Server to access the keyring, either a FACILITY or an RDATALIB resource rule needs to be created to allow access. Note that the RDATALIB resource ringowner.ringname.LST is checked first; if no RDATALIB rule exists, the FACILITY resource IRR.DIGTCERT.LISTRING is checked instead. Either rule can be used. The difference is that the RDATALIB check is specific to one keyring, whereas the FACILITY check covers all keyrings.

Example Rules

$KEY(IRR.DIGTCERT.LISTRING) TYPE(FAC)
 UID(UID of CA LDAP Server) SERVICE(READ) ALLOW    <- gives access to the CA LDAP Server if it is the keyring owner
 UID(UID of CA LDAP Server) SERVICE(UPDATE) ALLOW  <- gives access to the CA LDAP Server if it is NOT the keyring owner

  or

$KEY(ringowner) TYPE(RDA)
ringname.LST UID(UID of CA LDAP Server) ALLOW
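The following triage helper is an added example and not part of the article or the product: it parses a CA LDAP Server stderr file in the format shown above, picks up the TLSkeyringname value, and, when "TLS: Permission denied" is present, lists the resources ACF2 checks in order (RDATALIB first, then FACILITY) together with the two alternative rules described above. The keyring owner, the UID string and the sample stderr are constructed placeholders supplied by the caller.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Stderr line shape seen in the article: [MM/DD|HH:MM:SS.micro|taskid] message
LINE_RE = re.compile(r"^\[(\d\d/\d\d)\|(\d\d:\d\d:\d\d\.\d+)\|([0-9a-fA-F]+)\]\s*(.*?)\s*$")
# Config echo shape: "line 14 (TLSkeyringname secring)"
CONF_RE = re.compile(r"^line\s+\d+\s+\((\S+)\s+(.*)\)$")

# Constructed sample modelled on the article's excerpt, not a real capture.
SAMPLE_STDERR = """\
[08/12|10:17:32.532204|1804000000000000] reading config file ./slapd.conf
[08/12|10:17:32.540654|1804000000000000] line 4 (hosturls ldap://xx.xx.x.x:xx)
[08/12|10:17:32.541503|1804000000000000] line 14 (TLSkeyringname secring)
[08/12|10:17:33.761896|1804000000000000] TLS: could not initialize environment handle.
[08/12|10:17:33.794011|1804000000000000] TLS: Permission denied
"""

@dataclass
class Triage:
    keyring: Optional[str] = None                       # TLSkeyringname value, if echoed
    tls_denied: bool = False                            # "TLS: Permission denied" seen
    resources: List[str] = field(default_factory=list)  # resources in ACF2 check order
    rules: List[str] = field(default_factory=list)      # candidate ACF2 rules (either one suffices)

def triage_stderr(text: str, ring_owner: str, ldap_uid: str,
                  server_owns_ring: bool) -> Triage:
    """ring_owner, ldap_uid and server_owns_ring are hypothetical inputs the
    operator supplies; they are not read from the stderr file."""
    t = Triage()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                     # skips elision lines such as ".. ... .."
        msg = m.group(4)
        c = CONF_RE.match(msg)
        if c and c.group(1).lower() == "tlskeyringname":
            t.keyring = c.group(2).strip()
        elif msg.startswith("TLS: Permission denied"):
            t.tls_denied = True
    if not (t.tls_denied and t.keyring):
        return t
    # RDATALIB ringowner.ringname.LST is validated first, then FACILITY IRR.DIGTCERT.LISTRING.
    t.resources = [f"{ring_owner}.{t.keyring}.LST", "IRR.DIGTCERT.LISTRING"]
    # FACILITY: READ is enough when the server owns the keyring, UPDATE otherwise.
    service = "READ" if server_owns_ring else "UPDATE"
    t.rules = [
        f"$KEY({ring_owner}) TYPE(RDA)\n{t.keyring}.LST UID({ldap_uid}) ALLOW",
        f"$KEY(IRR.DIGTCERT.LISTRING) TYPE(FAC)\n UID({ldap_uid}) SERVICE({service}) ALLOW",
    ]
    return t
```

Compare the listed resources against the violations in the ACFRPTRV output before writing either rule.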