We are applying a keyring to the CA LDAP server and this is the error in the log: the STC fails with RC=256

Document ID:  TEC1700072
Last Modified Date:  06/08/2017

Products

  • CA ACF2 for z/OS

Components

  • CA LDAP Server:LDAPDV

Problem:

We are implementing SSL security for the CA LDAP server. We added a keyring in CA ACF2:

KEYRING / LDAP.RING LAST CHANGED BY SECADM ON mm/dd/yy-hh:mm 
DEFAULT(ACF2LDAP.CERT) RINGNAME(LDAPRING) 

In the LDAP parameters, we added the ringname:

TLSKeyringName STCLDAP/LDAPRING    <=== STCLDAP is the started task name of the server

When we start the STC, it fails with RC=256. We see this error in STDERR:

TLS: could not initialize environment handle. 
TLS: Error detected while opening the certificate database 
main: TLS init def ctx failed: -1 

The OMVS SECTRACE shows:

N 4000000 YYYY 17158 10:04:07.48 S0100008 00000094 CAS2206I Function=DataGetFirst ,Userid=STCLDAP 
N 4000000 YYYY 17158 10:04:07.48 S0100008 00000094 CAS2206I Ring Name=LDAPRING 
N 4000000 YYYY 17158 10:04:07.49 S0100008 00000094 CAS2205I REQUEST=R_datalib ,EXIT=POST,RC=8/8:84 
N 4000000 YYYY 17158 10:04:07.49 S0100008 00000094 CAS2205I REQUEST=R_datalib ,EXIT=PRE ,RC=N/A  

Environment:

CA ACF2, CA LDAP, z/OS

Cause:

The normal naming convention for a KEYRING record is that the first qualifier of the record key is the owner, and the owner is the logonid the started task runs under (here STCLDAP):

KEYRING / STCLDAP.RING LAST CHANGED BY SECADM ON mm/dd/yy-hh:mm 
DEFAULT(ACF2LDAP.CERT) RINGNAME(LDAPRING) 

But in this case the name chosen was LDAP.RING, not STCLDAP.RING, so the record's owner is LDAP while the LDAP parameters tell the server to look for the ring under STCLDAP:

KEYRING / LDAP.RING LAST CHANGED BY SECADM ON mm/dd/yy-hh:mm 
DEFAULT(ACF2LDAP.CERT) RINGNAME(LDAPRING)

Resolution:

There are two choices. One is to define the KEYRING record under the real owner, the started task logonid:

KEYRING / STCLDAP.RING LAST CHANGED BY SECADM ON mm/dd/yy-hh:mm 
DEFAULT(ACF2LDAP.CERT) RINGNAME(LDAPRING) 

The other choice is to correct the LDAP parameters so that they name the keyring's actual owner:

TLSKeyringName LDAP/LDAPRING


Additional Information:

The same problem would have occurred if only the ringname had been specified in the LDAP parms (which is valid), because the server then looks for the ring under its own logonid, STCLDAP:

TLSKeyringName  LDAPRING
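As an added illustration that is not part of the CA document, the following Python models the lookup described in the Cause, Resolution and Additional Information sections: it parses KEYRING records in the listing format shown above, splits a TLSKeyringName value into owner and ringname (an unqualified value is resolved under the started task's logonid), and reports whether the two match before the STC is started. The listing text is a constructed sample, and the parsing is an approximation of the ACF2 display format, not CA's own code.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the KEYRING listing shown in this document.
ACF2_KEYRING_LIST = """\
KEYRING / LDAP.RING LAST CHANGED BY SECADM ON mm/dd/yy-hh:mm
DEFAULT(ACF2LDAP.CERT) RINGNAME(LDAPRING)
"""

KEYRING_HDR = re.compile(r"^KEYRING\s*/\s*(\S+)")
RINGNAME_RE = re.compile(r"RINGNAME\((\S+?)\)")


def parse_keyring_records(listing: str) -> List[Tuple[str, str]]:
    """Return (owner, ringname) pairs from a KEYRING record listing.

    The record key is OWNER.suffix (e.g. LDAP.RING); the first qualifier
    is the owner, and RINGNAME(...) on the following line is the ring name.
    """
    rings: List[Tuple[str, str]] = []
    owner = None
    for line in listing.splitlines():
        m = KEYRING_HDR.match(line.strip())
        if m:
            owner = m.group(1).split(".")[0].upper()
            continue
        m = RINGNAME_RE.search(line)
        if m and owner:
            rings.append((owner, m.group(1).upper()))
            owner = None
    return rings


def resolve_tls_keyring(value: str, stc_logonid: str) -> Tuple[str, str]:
    """Split a TLSKeyringName value into (owner, ringname).

    'OWNER/RING' names the owner explicitly; a bare 'RING' is looked up
    under the started task's own logonid, as the document describes.
    """
    value = value.strip()
    if "/" in value:
        owner, ring = value.split("/", 1)
    else:
        owner, ring = stc_logonid, value
    return owner.upper(), ring.upper()


def keyring_resolvable(param_value: str, stc_logonid: str, listing: str) -> bool:
    """True if the TLSKeyringName value matches a defined KEYRING record."""
    return resolve_tls_keyring(param_value, stc_logonid) in set(parse_keyring_records(listing))
```

With the sample listing, "STCLDAP/LDAPRING" and a bare "LDAPRING" both fail to resolve for an STC logonid of STCLDAP, while "LDAP/LDAPRING" succeeds, mirroring the failure and the second resolution above.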
