'TSS0942I INVALID CERTIFICATE DATA - PROCESSING' When Adding An Entrust Digital Certificate To CA Top Secret Security File.

Article ID: 54160

Updated On:

Products

Cleanup Datacom DATACOM - AD CIS COMMON SERVICES FOR Z/OS 90S SERVICES DATABASE MANAGEMENT SOLUTIONS FOR DB2 FOR Z/OS COMMON PRODUCT SERVICES COMPONENT Common Services CA ECOMETER SERVER COMPONENT FOC Easytrieve Report Generator for Common Services INFOCAI MAINTENANCE IPC UNICENTER JCLCHECK COMMON COMPONENT Mainframe VM Product Manager CHORUS SOFTWARE MANAGER CA ON DEMAND PORTAL CA Service Desk Manager - Unified Self Service PAM CLIENT FOR LINUX ON MAINFRAME MAINFRAME CONNECTOR FOR LINUX ON MAINFRAME GRAPHICAL MANAGEMENT INTERFACE WEB ADMINISTRATOR FOR TOP SECRET Xpertware Top Secret Top Secret - LDAP Top Secret - VSE

Issue/Introduction

Description:

When adding an Entrust digital certificate to the CA Top Secret Security File with the command:

 TSS ADD(certauth) DIGICERT(CERTA) DCDSN(mvs.dataset) PKCSPASS(password) TRUST

the following error messages are received:

 TSS0942I INVALID CERTIFICATE DATA - PROCESSING                             
 TSS0301I  ADD      FUNCTION FAILED, RETURN CODE =  4  

Solution:

Certificates signed by the Entrust-L1B CA certificate have distinguished names that exceed the length currently supported by the three major mainframe security products.

The CA Top Secret product, at the proper maintenance level, currently supports up to 4096-bit RSA keys. The CA Top Secret product also supports the 2048-bit RSA keys necessary to meet the NIST requirement.

The problem is that any certificate signed by the Entrust-L1B CA certificate has a combination of serial number and issuer's distinguished name (IDN) that exceeds the length supported by the three mainframe security solutions.

Customers who have obtained certificates signed by the L1B CA certificate should contact Entrust and obtain a chain certificate that complies with the current constraints set by the external security managers on z/OS (currently 246 for the serialnumber.IDN combination and 255 for the SDN). Certificates signed by the Entrust-L1B CA certificate cannot currently be stored in any mainframe security product.
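
A pre-import check against the two limits above, as an added example that is not part of the original article or any vendor tooling: it parses a DER-encoded X.509 certificate and measures the serialnumber.IDN label and the SDN. The label format (uppercase hex serial, a period, then the RDNs joined by periods) and counting in characters are assumptions; the security product's own computation may differ.

```python
# Added example, not vendor code. Assumption: label = HEXSERIAL + "." + RDNs joined by ".".
SERIAL_IDN_LIMIT = 246  # serialnumber.IDN combination (from the article)
SDN_LIMIT = 255         # subject distinguished name, SDN (from the article)
OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
        "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}

def tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):  # elements contained in buf[start:end]
    out = []
    while start < end:
        out.append(tlv(buf, start))
        start = out[-1][2]
    return out

def oid(raw):  # DER OBJECT IDENTIFIER value -> dotted string
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def name(buf, start, end):  # X.509 Name -> "TYPE=value.TYPE=value"
    rdns = []
    for _, s, e in children(buf, start, end):        # each RDN is a SET
        for _, a, b in children(buf, s, e):          # each attribute is a SEQUENCE
            (_, o1, o2), (vtag, v1, v2) = children(buf, a, b)
            enc = "utf-16-be" if vtag == 0x1E else "utf-8"  # 0x1E = BMPString
            key = oid(buf[o1:o2])
            rdns.append(f"{OIDS.get(key, key)}={buf[v1:v2].decode(enc, 'replace')}")
    return ".".join(rdns)

def precheck(der):  # measure one DER certificate against both limits
    _, s, _ = tlv(der, 0)                            # outer Certificate
    f = children(der, *tlv(der, s)[1:])              # tbsCertificate fields
    f = f[1:] if f[0][0] == 0xA0 else f              # skip optional [0] version
    label = der[f[0][1]:f[0][2]].hex().upper() + "." + name(der, *f[2][1:])
    sdn = name(der, *f[4][1:])                       # f[2] issuer, f[4] subject
    return {"serial_idn": label, "serial_idn_len": len(label), "sdn_len": len(sdn),
            "ok": len(label) <= SERIAL_IDN_LIMIT and len(sdn) <= SDN_LIMIT}
```

The input must be DER, not PEM or PKCS#12; call `precheck(open(path, "rb").read())` on each certificate in the chain before running the TSS ADD.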

Environment

Release:
Component: AWAGNT