Adding certificates signed by the Entrust-L1B CA certificate results in TSS0942I INVALID CERTIFICATE DATA - PROCESSING.

Article ID: 53285


Products

CA Cleanup CA Datacom CA DATACOM - AD CA CIS CA Common Services for z/OS CA 90s Services CA Database Management Solutions for DB2 for z/OS CA Common Product Services Component CA Common Services CA Datacom/AD CA ecoMeter Server Component FOC CA Easytrieve Report Generator for Common Services CA Infocai Maintenance CA IPC Unicenter CA-JCLCheck Common Component CA Mainframe VM Product Manager CA Chorus Software Manager CA On Demand Portal CA Service Desk Manager - Unified Self Service CA PAM Client for Linux for zSeries CA Mainframe Connector for Linux on System z CA Graphical Management Interface CA Web Administrator for Top Secret CA CA- Xpertware CA Top Secret CA Top Secret - LDAP CA Top Secret - VSE

Issue/Introduction

Description:

Adding certificates signed by the Entrust-L1B CA certificate results in the following messages:

TSS0942I INVALID CERTIFICATE DATA - PROCESSING.
TSS0301I ADD FUNCTION FAILED, RETURN CODE = 4

The ROOT certificate can be added without a problem.

Solution:

Certificates signed by the Entrust-L1B CA certificate carry an issuer distinguished name that, combined with the certificate serial number, exceeds the length currently supported by all three major mainframe external security managers.

Key size is not the cause. CA Top Secret, at the proper maintenance level, supports RSA keys up to 4096 bits, including the 2048-bit RSA keys needed to meet the NIST requirement.

The problem is that every certificate signed by the Entrust-L1B CA certificate has a serial number plus issuer's distinguished name (IDN) combination that is longer than the three mainframe security solutions can store.

Customers that have obtained certificates signed by the L1B CA certificate should contact Entrust and obtain a chain certificate that fits within the limits currently enforced by the external security managers on z/OS: 246 bytes for the serial number plus issuer's distinguished name (IDN) combination and 255 bytes for the subject's distinguished name (SDN). Until then, certificates signed by the Entrust-L1B CA certificate cannot be stored in any of the mainframe external security managers.

Top Secret is currently looking into increasing the supported length of the serial number-IDN combination.
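As an added illustration, not part of the original article and not Broadcom, CA or Entrust code, the following Python script pulls the serial number, issuer DN and subject DN out of a DER-encoded certificate and measures them against the 246/255 limits quoted above, so a certificate can be screened off-host before a TSS ADD is attempted. The certificate it checks is constructed inline from hypothetical names that only imitate the long OU strings of commercial CA DNs. Two things are assumptions rather than documented behaviour: that the security manager keys the certificate as the upper-case hex serial number, a one-byte separator and the issuer DN string, and that the DN is rendered in the simple `C=..,O=..,CN=..` form used here, so treat the reported lengths as an approximation.

```python
# Pre-check a DER certificate against the z/OS ESM DN length limits before TSS ADD.
# Limits are those quoted in the article; they are assumed to be counted in bytes of
# the string form of the names, which this script approximates (see name_to_string).
MAX_SERIAL_PLUS_ISSUER = 246
MAX_SUBJECT = 255

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
             "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "EMAIL"}


def read_tlv(buf, pos):
    """Decode one DER TLV (single-byte tag) at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def read_children(content):
    """Split the content of a constructed TLV into a list of (tag, value) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        out.append((tag, value))
    return out


def decode_oid(raw):
    """Convert DER OID content bytes to dotted form, e.g. 55 04 03 -> '2.5.4.3'."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def name_to_string(name_content):
    """Render an X.501 Name as 'C=..,O=..,CN=..' in DER order (one attribute per RDN)."""
    parts = []
    for _, rdn in read_children(name_content):           # SET OF AttributeTypeAndValue
        for _, atv in read_children(rdn):
            (_, oid), (_, value) = read_children(atv)    # SEQUENCE { type, value }
            oid = decode_oid(oid)
            parts.append(f"{OID_NAMES.get(oid, oid)}={value.decode('utf-8', 'replace')}")
    return ",".join(parts)


def extract_dn_fields(cert_der):
    """Return (serial_hex, issuer_str, subject_str) from a DER-encoded Certificate."""
    _, cert, _ = read_tlv(cert_der, 0)                   # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                        # tbsCertificate
    fields = read_children(tbs)
    if fields[0][0] == 0xA0:                             # optional explicit [0] version
        fields = fields[1:]
    serial, issuer, subject = fields[0][1], fields[2][1], fields[4][1]
    # Assumption: the ESM shows the serial as upper-case hex without leading zeros.
    return serial.hex().upper().lstrip("0") or "0", name_to_string(issuer), name_to_string(subject)


def check_esm_limits(cert_der):
    """Report the lengths the ESM will see and whether the certificate fits the limits."""
    serial, issuer, subject = extract_dn_fields(cert_der)
    # Assumption: the ESM keys the certificate as '<serial-hex>.<issuer DN>', so the
    # combination is the hex serial, a one-byte separator and the issuer DN string.
    serial_issuer_len = len(serial) + 1 + len(issuer)
    return {"serial": serial, "serial_issuer_len": serial_issuer_len,
            "subject_len": len(subject),
            "ok": serial_issuer_len <= MAX_SERIAL_PLUS_ISSUER and len(subject) <= MAX_SUBJECT}


# Minimal DER encoder, used only to construct an offline sample certificate.
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(reversed(chunk))
    return der(0x06, body)


def encode_name(pairs):
    """(dotted-oid, value) pairs -> DER Name with one UTF8String attribute per RDN."""
    return der(0x30, b"".join(der(0x31, der(0x30, encode_oid(oid) + der(0x0C, v.encode())))
                              for oid, v in pairs))


def build_sample_cert(serial_bytes, issuer, subject):
    """Constructed sample: real TBSCertificate field order, placeholder key and signature."""
    alg = der(0x30, encode_oid("1.2.840.113549.1.1.11") + der(0x05, b""))   # sha256WithRSA
    validity = der(0x30, der(0x17, b"200101000000Z") + der(0x17, b"300101000000Z"))
    spki = der(0x30, alg + der(0x03, b"\x00"))                              # placeholder key
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, serial_bytes) + alg
              + encode_name(issuer) + validity + encode_name(subject) + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))                    # dummy signature


# Constructed sample data (hypothetical, not Entrust's real DNs): an intermediate CA
# with long OU strings in the style of commercial CAs, and a short root DN for comparison.
SAMPLE_SERIAL = bytes.fromhex("4D8A2F17C3E5B9016A2D4F8E7B3C5A19")
LONG_ISSUER = [("2.5.4.6", "US"), ("2.5.4.10", "Example Trust Services, Inc."),
               ("2.5.4.11", "See www.example.test/legal-repository for terms of use and certificate practice statement"),
               ("2.5.4.11", "(c) 2014 Example Trust Services, Inc. - for authorized use only"),
               ("2.5.4.3", "Example Certification Authority - L1B")]
ROOT_NAME = [("2.5.4.6", "US"), ("2.5.4.10", "Example Trust Services, Inc."),
             ("2.5.4.3", "Example Root Certification Authority")]
LEAF_SUBJECT = [("2.5.4.6", "US"), ("2.5.4.10", "Example Corp"), ("2.5.4.3", "www.example.test")]

if __name__ == "__main__":
    for label, cert in [("leaf signed by L1B-style CA", build_sample_cert(SAMPLE_SERIAL, LONG_ISSUER, LEAF_SUBJECT)),
                        ("root (self-issued)", build_sample_cert(b"\x01", ROOT_NAME, ROOT_NAME))]:
        print(label, check_esm_limits(cert))
```

Run against a real certificate by passing the DER bytes (for a PEM file, base64-decode the body between the BEGIN/END lines first) to check_esm_limits. The root sample passes while the leaf fails only on the serial-plus-issuer length, which matches the symptom described above: the root adds cleanly, anything issued under the long intermediate DN does not.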

Environment

Release:
Component: AWAGNT