Question & Answer
Question
The z/OS FTP (client or server) has been configured to use native SSL/TLS (TLSMECHANISM FTP) with the KEYRING statement referencing a UNIX file for the certificate database (i.e., one generated with the gskkyman command). After converting the configuration to use AT-TLS policies (TLSMECHANISM ATTLS), attempts to use FTP fail after the AUTH TLS command is sent/received. Messages include:
EDC8121I Connection reset
EZD1286I TTLS Error ... RC: 202 Environment Master Init 00000000
EZD1286I TTLS Error ... RC: 5006 Initial Handshake 00000000 00000000
Answer
When specifying a UNIX file in the TTLSKeyRingParms block for the Keyring value, you must also specify either the KeyringPw or the KeyringStashFile value. When FTP was using native SSL, it automatically referenced the associated stash file as well, on the assumption that its name was the same as the certificate database except for the file type (.sth in place of .kdb). TTLS policies do not make that assumption, which allows an arbitrary stash file name or even direct specification of the password. It also means that one of these values must be specified before the database can be opened.
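A pre-deployment check for this condition, as an added example that is not IBM's code: it scans AT-TLS policy text for TTLSKeyringParms blocks whose Keyring is a UNIX file with neither KeyringPw nor KeyringStashFile set. The block names, paths, and the parsing rules noted in the comments are assumptions made for illustration.

```python
import re

# Constructed sample policy; block names and paths are illustrative.
SAMPLE_POLICY = """
TTLSKeyringParms ftpBroken      # UNIX file, no password source
{
  Keyring /etc/ftp/ftpkeys.kdb
}
TTLSKeyringParms ftpFixed       # same database plus its stash file
{
  Keyring          /etc/ftp/ftpkeys.kdb
  KeyringStashFile /etc/ftp/ftpkeys.sth
}
TTLSKeyringParms ftpSaf { Keyring FTPD/FTPRing }   # not a UNIX file
"""

def find_keyring_problems(policy_text):
    """Return (block name, keyring path) for each TTLSKeyringParms block whose
    Keyring is a UNIX file but that sets neither KeyringPw nor KeyringStashFile."""
    # Assumptions: '#' starts a comment, keywords are case-insensitive, and a
    # Keyring value beginning with '/' is a UNIX file rather than a SAF key ring.
    text = re.sub(r"#.*", "", policy_text)
    tokens = re.findall(r"[{}]|[^\s{}]+", text)
    problems, i = [], 0
    while i < len(tokens):
        if tokens[i].lower() != "ttlskeyringparms":
            i += 1
            continue
        i += 1
        name = "(inline)"          # block written without a name
        if i < len(tokens) and tokens[i] != "{":
            name, i = tokens[i], i + 1
        if i >= len(tokens) or tokens[i] != "{":
            continue
        i += 1
        params = {}
        while i + 1 < len(tokens) and tokens[i] != "}":
            params[tokens[i].lower()] = tokens[i + 1]
            i += 2
        keyring = params.get("keyring", "")
        has_secret = "keyringpw" in params or "keyringstashfile" in params
        if keyring.startswith("/") and not has_secret:
            problems.append((name, keyring))
    return problems

if __name__ == "__main__":
    for name, path in find_keyring_problems(SAMPLE_POLICY):
        print(f"{name}: Keyring {path} needs KeyringPw or KeyringStashFile")
```

Of the two options, KeyringStashFile keeps the database password out of the policy file itself, so the stash file's permissions are what then need protecting.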
Product Synonym
ZOSCS COMMSERVER
Document Information
Modified date: 24 August 2016
UID: dwa1297846