IBM Support

FTP using with KEYRING referencing a UNIX certificate data base fails after conversion to AT/TLS

Question & Answer

Question

The z/OS FTP (client or server) has been configured to use native SSL/TLS (TLSMECHANISM FTP) with the KEYRING statement referencing a UNIX file for the certificate data base (i.e., one generated with the gskkyman command). After converting the configuration to use AT/TLS policies (TLSMECHANISM ATTLS), attempts to use FTP fail after the AUTH TLS command is sent/received. Messages include:

  • EDC8121I Connection reset

  • EZD1286I TTLS Error ... RC: 202 Environment Master Init 00000000

  • EZD1286I TTLS Error ... RC: 5006 Initial Handshake 00000000 00000000

Answer

When specifying a UNIX file in the TTLSKeyRingParms block for the Keyring value, you must also specify either the KeyringPw or the KeyringStashFile value. When FTP was using native SSL, it automatically referenced the associated stash file as well, assuming that its name was the same as the certificate data base except for the file type (.sth in place of .kdb). TTLS policies do not make that assumption: they allow an arbitrary stash file name or even direct specification of the password in the policy. That means one of these two values must be supplied before the data base can be opened; without it, the AT/TLS environment cannot initialize and the handshake fails with the errors shown above.
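As an added illustration (not from the original IBM page), here is an AT/TLS environment action for the FTP server showing a TTLSKeyringParms block that fails as described beside the corrected block. The file paths, action and rule names, and the port are assumed values for this example.

```text
# Added example: AT/TLS policy fragment for the FTP server (port 21 assumed).
# Paths and names are placeholders chosen for this example.

# --- Fails with EZD1286I RC 202 / RC 5006 after AUTH TLS ---
# Keyring is a UNIX file, but neither KeyringPw nor KeyringStashFile is
# given, so AT/TLS cannot open the .kdb when the environment initializes.
TTLSEnvironmentAction             envActFTPServerBad
{
  HandshakeRole                   Server
  TTLSKeyringParms
  {
    Keyring                       /etc/ftp/ftpserver.kdb
  }
  TTLSEnvironmentAdvancedParms
  {
    ApplicationControlled         On
    SecondaryMap                  On
  }
}

# --- Corrected: point AT/TLS at the stash file gskkyman created ---
# (AT/TLS does not assume it is <keyring>.sth the way native FTP SSL did).
TTLSEnvironmentAction             envActFTPServer
{
  HandshakeRole                   Server
  TTLSKeyringParms
  {
    Keyring                       /etc/ftp/ftpserver.kdb
    KeyringStashFile              /etc/ftp/ftpserver.sth
    # Alternative: KeyringPw <password>  (places the password in the policy file)
  }
  TTLSEnvironmentAdvancedParms
  {
    ApplicationControlled         On
    SecondaryMap                  On
  }
}

TTLSRule                          FTPServerRule
{
  LocalPortRange                  21
  Direction                       Inbound
  TTLSGroupActionRef              grpAct
  TTLSEnvironmentActionRef        envActFTPServer
}
TTLSGroupAction                   grpAct
{
  TTLSEnabled                     On
}
```

The stash file holds the key database password, so restrict its UNIX permissions to the user ID under which the policy agent reads it; if you choose KeyringPw instead, the policy file itself must be protected to the same degree.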

Document Information

Modified date:
24 August 2016

UID

dwa1297846