The PAM (Privileged Access Manager) server works fine without TLS. When TLS is in place, the zLinux guest does not verify the PAM server's certificate and the following errors are received:
zn015 CA_esm_proxy[8999]: tls.c:766: can't load CA certificates from dhscatre.pem: No such file or directory.
zn015 CA_esm_proxy[8999]: tls.c:587: 2199054764368:error:02001002:system library:fopen:No such file or directory: file name
On the z/OS side you may see the following errors:
TLS error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
in s3_pkt.c at 1054
TLS error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
+++ SSL alert number 40
If you are receiving these errors or having problems loading the CA certificates in PAM, start debugging by running a proxy server trace.
Add the following to the command that starts the proxy server to get a proxy server trace:
"--trace-file=<filename> --trace-level=511"
Then try to connect to PAM using the TSS CA certificate.
Look for the following in the trace log:
+++TLS certificate verification: no subjectAltName section matches usct
If you see the above error, there are two options to correct the problem.
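For the trace-review step above, the following added example (not part of the original article or of the product) scans a trace file for the three failure messages quoted on this page and pulls out the CA file name, the unmatched name and the alert numbers. The sample trace is constructed from the messages shown above; the function names and output labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: scan a proxy trace for the TLS failure messages quoted above.
# Function names and output labels are made up for this illustration.

write_sample_trace() {
    # Constructed sample, assembled from the messages shown in this article.
    cat > "$1" <<'EOF'
zn015 CA_esm_proxy[8999]: tls.c:766: can't load CA certificates from dhscatre.pem: No such file or directory.
TLS error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
in s3_pkt.c at 1054
TLS error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
+++ SSL alert number 40
+++TLS certificate verification: no subjectAltName section matches usct
EOF
}

triage_trace() {
    trace=$1   # file written by --trace-file=<filename>
    [ -r "$trace" ] || { echo "cannot read $trace" >&2; return 1; }

    # CA bundle could not be opened: print the file name the proxy tried to load.
    sed -n "s/.*can't load CA certificates from \([^:]*\):.*/CA_FILE_MISSING \1/p" "$trace" | sort -u

    # Name check failed: print the name that no subjectAltName entry matched.
    sed -n 's/.*no subjectAltName section matches \([^ ]*\).*/SAN_MISMATCH \1/p' "$trace" | sort -u

    # Handshake alerts: count the failures and list the distinct alert numbers.
    n=$(grep -c 'alert handshake failure' "$trace" || true)
    if [ "$n" -gt 0 ]; then
        echo "HANDSHAKE_FAILURE count=$n"
    fi
    sed -n 's/.*SSL alert number \([0-9][0-9]*\).*/ALERT_NUMBER \1/p' "$trace" | sort -u
}

# Stand-alone run against the constructed sample.
sample=$(mktemp)
write_sample_trace "$sample"
triage_trace "$sample"
rm -f "$sample"
```

Point `triage_trace` at the file named in `--trace-file` after reproducing the failed connection; a trace with none of these messages produces no output.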