IBM Support

GSK_ERR_UNKNOWN_CA CLIENT_ERROR RC=1B3 and AEXZ when establishing SSL connection between CICS and a DataPower server

Question & Answer


Question

Why am I receiving GSK_ERR_UNKNOWN_CA CLIENT_ERROR GSK_RETURN_CODE(1B3) and an abend AEXZ when I try to establish an SSL connection between CICS Transaction Server for z/OS (CICS TS) and a DataPower server?

I am receiving the following CICS exception trace entry:

 SO 080C SOSE  *EXC* - SYSTEM_SSL_ERROR GSK_RESPONSE(GSK_ERR_UNKNOWN_CA)
 FUNCTION(SECURE_SOC_INIT) RESPONSE(EXCEPTION) REASON (CLIENT_ERROR) GSK_RETURN_CODE(1B3)
 CERTIFICATE_USERID()  CIPHER_SELECTED() 

The reason is shown as CLIENT_ERROR. Does that point to the distributed system sending the error, or is it something coming out of the z/OS system?

Answer

From the SSL trace, I am able to tell the client is able to be authenticated without problems. The remote server sends a CERTIFICATE-REQUEST in order to request client authentication. Because the CERTIFICATE-REQUEST doesn't contain a valid list of CA names, the client then sends an Alert 47 and closes the connection.

The solution is to set Send Client CA List to ON in the Crypto Profile on your DataPower server. Also ensure that the reverse Crypto Profiles add Validation Credentials. See Creating an SSL server profile in the DataPower documentation for more details.
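To confirm this condition from a captured handshake, the following added example (not part of the IBM technote) parses a CertificateRequest handshake message and reports whether its certificate_authorities list is empty. It assumes the TLS 1.2 message layout from RFC 5246 and that the reassembled, unencrypted handshake bytes are already available; the function names, the sample messages and the sample DN are constructed for illustration.

```python
HS_CERTIFICATE_REQUEST = 13  # handshake msg_type for CertificateRequest (RFC 5246)

def parse_certificate_request(msg: bytes, tls12: bool = True) -> dict:
    """Parse one handshake message (4-byte header + body) of type CertificateRequest."""
    if len(msg) < 4 or msg[0] != HS_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake message")
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("field runs past end of message")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    cert_types = list(take(take(1)[0]))           # certificate_types<1..255>
    sig_algs = []
    if tls12:  # supported_signature_algorithms exists only in TLS 1.2
        raw = take(int.from_bytes(take(2), "big"))
        sig_algs = [(raw[i], raw[i + 1]) for i in range(0, len(raw) - 1, 2)]
    ca_block = take(int.from_bytes(take(2), "big"))  # certificate_authorities
    ca_names, i = [], 0
    while i < len(ca_block):
        n = int.from_bytes(ca_block[i:i + 2], "big")
        if n == 0 or i + 2 + n > len(ca_block):
            raise ValueError("malformed DistinguishedName entry")
        ca_names.append(ca_block[i + 2:i + 2 + n])   # DER-encoded DN
        i += 2 + n
    # An empty list is the condition the answer above ties to Alert 47.
    return {"cert_types": cert_types, "sig_algs": sig_algs,
            "ca_names": ca_names, "empty_ca_list": not ca_names}

# Constructed sample input: DER DN with CN=Example CA
SAMPLE_DN = bytes.fromhex("30153113301106035504030c0a") + b"Example CA"

def build_sample(ca_names):
    cas = b"".join(len(d).to_bytes(2, "big") + d for d in ca_names)
    body = bytes([1, 1, 0, 2, 4, 1]) + len(cas).to_bytes(2, "big") + cas
    return bytes([HS_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body

SAMPLE_EMPTY = build_sample([])            # server sends no CA names
SAMPLE_WITH_CA = build_sample([SAMPLE_DN])  # server sends its client CA list
```

If `empty_ca_list` is true for the server's CertificateRequest, the server side is not sending its client CA list, which matches the fix described above.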


Product Synonym

CICS/TS CICSTS CICS TS CICS Transaction Server

Document Information

Modified date:
06 August 2015

UID

dwa1205753