Question & Answer
Question
During the AT-TLS initial handshake, error message EZD1286I or EZD1287I is issued, specifying return code 428, which indicates that the key entry does not contain a private key. How do we resolve this problem?
Answer
One possibility is that ICSF changes were made while the TCP/IP stack was running, or TCP/IP was started prior to starting ICSF. As a result, these changes were not picked up by AT-TLS.
In that scenario, AT-TLS connections will fail with message EZD1286I or EZD1287I with return code of 428 if the private key of the certificate is stored in ICSF.
To prevent this problem from recurring in the future, ensure that ICSF completes initialization prior to the AT-TLS TTLSGroup being started. TTLSGroups are started when the Policy Agent installs the AT-TLS policy.
To resolve the current problem and get AT-TLS to pick up the ICSF changes that were made, perform the following steps:
1. Update the GroupUserInstance n value in the TTLSGroupAction block of your AT-TLS policy for each group that needs to use the new ICSF configuration.
2. Issue the F PAGENT_PROC,UPDATE console command to get AT-TLS to pick up these new changes from ICSF. Issuing this command is not necessary if you start Policy Agent with the -i parameter, which automatically picks up changes to the configuration.
3. Check your TCPIP joblog for new instances of the following messages (these messages might vary depending on the ICSF configuration):
System SSL: SHA-1 crypto assist is available
System SSL: SHA-224 crypto assist is available
System SSL: SHA-256 crypto assist is available
System SSL: SHA-384 crypto assist is available
System SSL: SHA-512 crypto assist is available
System SSL: DES crypto assist is available
System SSL: DES3 crypto assist is available
System SSL: AES 128-bit crypto assist is available
System SSL: AES 256-bit crypto assist is available
System SSL: ICSF FMID is HCRXXXX
System SSL: PCI cryptographic accelerator is not available
System SSL: PCIX cryptographic coprocessor is available
System SSL: Public key hardware support is available
After you see these messages in the TCPIP joblog, AT-TLS is using the new configuration from ICSF.
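The check in step 3 can be scripted against a saved copy of the TCPIP joblog. The following is an added example, not IBM-supplied code: it reports whether any System SSL messages appear after the most recent EZD1286I or EZD1287I failure with return code 428. The function name, the sample joblog text and its timestamp and field layout are assumptions made for illustration.

```python
import re

# Constructed joblog excerpt for illustration only; the timestamps and the
# field layout of the EZD128xI lines are assumptions, not captured output.
SAMPLE_JOBLOG = """\
09.58.03 System SSL: SHA-256 crypto assist is available
09.58.03 System SSL: PCI cryptographic accelerator is not available
10.02.11 EZD1286I TTLS Error GRPID: 00000001 ENVID: 00000002 CONNID: 0000A1B2 RC:  428 Initial Handshake
10.02.15 EZD1287I TTLS Error RC:  428 Initial Handshake
10.05.40 System SSL: SHA-256 crypto assist is available
10.05.40 System SSL: ICSF FMID is HCRXXXX
10.05.40 System SSL: PCIX cryptographic coprocessor is available
10.05.40 System SSL: Public key hardware support is available
"""

# Either handshake error message, carrying return code 428 on the same line.
FAILURE = re.compile(r"\bEZD128[67]I\b.*?\bRC:\s*428\b")
# Any System SSL message; the text after the prefix is captured.
SSL_MSG = re.compile(r"System SSL:\s*(.+?)\s*$")


def check_refresh(joblog):
    """Report whether System SSL messages follow the last RC 428 failure."""
    last_fail = None
    fresh = []
    for num, line in enumerate(joblog.splitlines(), start=1):
        if FAILURE.search(line):
            last_fail = num
            fresh = []  # messages logged before a failure do not show a refresh
            continue
        match = SSL_MSG.search(line)
        if match:
            fresh.append(match.group(1))
    if last_fail is None:
        status = "no-428-failure-seen"
    elif fresh:
        status = "refreshed-after-last-failure"
    else:
        status = "failing-since-last-refresh"
    return {
        "status": status,
        "last_failure_line": last_fail,
        "messages_since_last_failure": fresh,
    }


if __name__ == "__main__":
    result = check_refresh(SAMPLE_JOBLOG)
    print(result["status"], "- last RC 428 at line", result["last_failure_line"])
    for text in result["messages_since_last_failure"]:
        print("  System SSL:", text)
```

A result of failing-since-last-refresh means no System SSL messages were logged after the latest return code 428, so the steps above have not yet taken effect for that joblog.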
Product Synonym
ZOSCS COMMSERVER
Document Information
Modified date:
06 July 2015
UID
dwa1200691