IBM Support

Why are AT-TLS connections failing with EZD1286I or EZD1287I, with return code of 428?

Question & Answer


Question

During the AT-TLS initial handshake, error message EZD1286I or EZD1287I is issued, specifying return code 428, which indicates that the key entry does not contain a private key. How do we resolve this problem?

Answer

One possibility is that ICSF changes were made while the TCP/IP stack was running, or TCP/IP was started prior to starting ICSF. As a result, these changes were not picked up by AT-TLS.

In that scenario, AT-TLS connections will fail with message EZD1286I or EZD1287I with return code of 428 if the private key of the certificate is stored in ICSF.

To prevent this problem from recurring in the future, ensure that ICSF completes initialization prior to the AT-TLS TTLSGroup being started. TTLSGroups are started when the Policy Agent installs the AT-TLS policy.

To resolve the current problem and get AT-TLS to pick up the ICSF changes that were made, perform the following steps:

1. Update the GroupUserInstance n value in the TTLSGroupAction block of your AT-TLS policy for each group that needs to use the new ICSF configuration.

2. Issue the F PAGENT_PROC,UPDATE console command to get AT-TLS to pick up these new changes from ICSF. Issuing this command is not necessary if you start Policy Agent with the -i parameter, which automatically picks up changes to the configuration.

3. Check your TCPIP joblog for new instances of the following messages (these messages might vary depending on the ICSF configuration):

 System SSL: SHA-1 crypto assist is available 
 System SSL: SHA-224 crypto assist is available 
 System SSL: SHA-256 crypto assist is available 
 System SSL: SHA-384 crypto assist is available 
 System SSL: SHA-512 crypto assist is available 
 System SSL: DES crypto assist is available 
 System SSL: DES3 crypto assist is available 
 System SSL: AES 128-bit crypto assist is available 
 System SSL: AES 256-bit crypto assist is available 
 System SSL: ICSF FMID is HCRXXXX 
 System SSL: PCI cryptographic accelerator is not available 
 System SSL: PCIX cryptographic coprocessor is available 
 System SSL: Public key hardware support is available 

After you see these messages in the TCPIP joblog, AT-TLS is using the new configuration from ICSF.
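The check in step 3 can be scripted against a saved copy of the TCPIP joblog. The following is an added example, not IBM code: it assumes the joblog is available as text lines and that each EZD1286I or EZD1287I line carries an `RC: <n>` field. The function name and the sample excerpt are constructed for illustration.

```python
import re

# Assumption: each error line carries the message id and an "RC: <n>" field.
TTLS_ERROR = re.compile(r"\b(EZD128[67]I)\b.*?\bRC:\s*(\d+)")
SYSTEM_SSL = re.compile(r"System SSL:\s*(.+?)\s*$")

def check_icsf_refresh(joblog_lines):
    """Summarise RC 428 handshake failures relative to System SSL re-initialisation."""
    errors, ssl_msgs = [], []
    for idx, line in enumerate(joblog_lines):
        err = TTLS_ERROR.search(line)
        if err and err.group(2) == "428":
            errors.append(idx)
            continue
        ssl = SYSTEM_SSL.search(line)
        if ssl:
            ssl_msgs.append((idx, ssl.group(1)))
    first_error = errors[0] if errors else None
    # Only System SSL messages logged after the first failure count as new instances.
    new_msgs = [text for idx, text in ssl_msgs
                if first_error is not None and idx > first_error]
    last_ssl = ssl_msgs[-1][0] if ssl_msgs else -1
    return {
        "failures_428": len(errors),
        "refreshed": bool(new_msgs),
        "new_messages": new_msgs,
        # Failures after the newest System SSL message mean the problem persists.
        "failures_after_refresh": sum(
            1 for idx in errors if new_msgs and idx > last_ssl),
    }

# Constructed joblog excerpt; the error-line fields are abbreviated placeholders.
SAMPLE_JOBLOG = """\
System SSL: SHA-256 crypto assist is available
EZD1286I TTLS Error GRPID: 00000001 ENVID: 00000002 CONNID: 0000002A RC: 428 Initial Handshake
EZD1287I TTLS Error RC: 428 Initial Handshake
System SSL: SHA-256 crypto assist is available
System SSL: ICSF FMID is HCRXXXX
System SSL: Public key hardware support is available
""".splitlines()

if __name__ == "__main__":
    print(check_icsf_refresh(SAMPLE_JOBLOG))
```

A result with `refreshed` false, or with a nonzero `failures_after_refresh`, means the group has not picked up the ICSF configuration and the steps above need to be repeated.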


Product Synonym

ZOSCS COMMSERVER

Document Information

Modified date:
06 July 2015

UID

dwa1200691