IBM Support

Why is bind of LU-LU session using VTAM session level encryption failing with sense code 08480000?

Question & Answer


Question

We are getting these error messages:

 IST663I  BIND FAIL  REQUEST RECEIVED, SENSE=08480000
 IST664I  REAL  OLU=olu_name   REAL DLU=dlu_name
 IST889I  SID=sid
 IST891I  GENERATED FAILURE NOTIFICATION
 IST893I  ORIGINAL FAILING REQUEST IS BIND
 IST314I  END

Here is the VTAM security configuration:

  1. Set the VTAM start option ENCRYPTN=CCA.

  2. Specified ENCRTYPE=TDES24 and ENCR=REQD on the application major node.

  3. The application seed key in the CKDS is defined as TYPE data.

  4. ICSF installation/setup on both MVS images.

  5. ICSF Master keys are defined to both systems.

  6. CDRM Importer/exporter keys are set up on both systems, where the IMPORTER key on one system matches the EXPORTER on the OTHER system.

Answer

Sense code 08480000 indicates "Cryptography function inoperative": the receiver of a request was not able to decipher the request because of a malfunction in its cryptography facility.

In VTAM session-level encryption, importer and exporter keys can be either single (8) or double (16) length. There is an importer-exporter key pair defined at each end of this bind. The importer key is used to encrypt the DATA key and the exporter key is used to decrypt it at the other end. The customer creates the importer-exporter key pair, then passes the IMPORTER key to VTAM on the BIND. VTAM internally generates the triple-length DATA key, using the Key Generate callable service.

In this particular situation, the session using VTAM session-level encryption is an application-to-application session on the same host. The application major node specifies ENCRTYPE=TDES24, which requests that VTAM generate a triple-length (24-byte) DATA key for Triple DES.

However, the BIND received by VTAM in this situation invalidly contains a DATA key instead of an IMPORTER key. VTAM calls CRYPTO, but CRYPTO is expecting an IMPORTER key instead of a DATA key. As a result, VTAM fails the session with sense code 08480000. The BIND contains a DATA key because the application seed key in the CKDS was defined as type DATA.

To resolve this problem, change the application seed key in the CKDS from type DATA to type IMPORTER, defaulting to length 8.
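To find this failure in a saved console log, the message group quoted in the question can be parsed and filtered on the 0848 sense category. The following Python is an added example, not IBM code: the function names are hypothetical, and the resource names, SIDs and the second sense code in the sample log are constructed values.

```python
import re

# Constructed console excerpt in the format of the messages quoted above
# (resource names, SIDs and the second sense code are made-up sample values).
SAMPLE_LOG = """\
IST663I BIND FAIL REQUEST RECEIVED, SENSE=08480000
IST664I REAL OLU=NETA.APPL1 REAL DLU=NETA.APPL2
IST889I SID=F6ABEEC38077AB12
IST891I GENERATED FAILURE NOTIFICATION
IST893I ORIGINAL FAILING REQUEST IS BIND
IST314I END
IST663I BIND FAIL REQUEST RECEIVED, SENSE=08010000
IST664I REAL OLU=NETA.APPL3 REAL DLU=NETA.APPL4
IST889I SID=F6ABEEC38077AB13
IST314I END
"""
FIELD_PATTERNS = {
    "sense": re.compile(r"IST663I\s+BIND FAIL\s+REQUEST RECEIVED,\s*SENSE=([0-9A-F]{8})"),
    "olu": re.compile(r"IST664I\s+REAL\s+OLU=(\S+)"),
    "dlu": re.compile(r"IST664I.*REAL\s+DLU=(\S+)"),
    "sid": re.compile(r"IST889I\s+SID=(\S+)"),
}
CRYPTO_INOPERATIVE = "0848"  # first four digits of the sense code in the answer

def parse_bind_failures(log_text):
    """Return one dict per IST663I ... IST314I group (one failed BIND each)."""
    records, current = [], None
    for line in log_text.splitlines():
        if "IST663I" in line:
            if current:                  # previous group was cut off before IST314I
                records.append(current)
            current = {}
        if current is None:              # line is outside any BIND FAIL group
            continue
        for name, pattern in FIELD_PATTERNS.items():
            match = pattern.search(line)
            if match:
                current[name] = match.group(1)
        if "IST314I" in line:            # END closes the message group
            records.append(current)
            current = None
    if current:                          # log ended in the middle of a group
        records.append(current)
    return records

def crypto_bind_failures(log_text):
    """Keep only BIND failures whose sense code is in the 0848 category."""
    return [r for r in parse_bind_failures(log_text)
            if r.get("sense", "").startswith(CRYPTO_INOPERATIVE)]

if __name__ == "__main__":
    for r in crypto_bind_failures(SAMPLE_LOG):
        print(f"{r['olu']} -> {r['dlu']} SID={r['sid']}: sense {r['sense']}; "
              "check that the CKDS seed key is type IMPORTER, not DATA")
```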


Product Synonym

ZOSCS COMMSERVER

Document Information

Modified date:
11 September 2015

UID

dwa1213533