Question & Answer
Question
I have a z/OS Connect Enterprise Edition (zCEE) V3 Liberty server running in one LPAR which is configured to connect to a CICS Transaction Server for z/OS (CICS TS) region in another LPAR using an SSL-enabled IPIC connection. My zCEE server gets the message:
[9/22/17 16:40:54:915 GMT] 00000018 com.ibm.ws.logging.internal.impl.IncidentImpl I FFDC1015I: An FFDC Incident has been created: "java.io.IOException: R_datalib (IRRSDL00) error: profile for ring not found (8, 8, 84) com.ibm.ws.ssl.config.WSKeyStore$1 do_getKeyStore" at ffdc_17.09.22_16.40.54.0.log
Should I have to add the connecting CICS regions also to the keyring setup in the zCEE LPAR?
Answer
The RACF return and reason codes 8,8,84 from message FFDC1015I are described as follows in table 2 of topic Return and reason codes in the z/OS V2.3 documentation:
In this instance, each LPAR had its own RACF database. The zCEE server issued the R_datalib errors because the CICS userids used for the CICS service provider IPIC connections were not defined in the zCEE LPAR's RACF database.
You can either replicate the CICS userids in the RACF database of each LPAR where they are accessed, or create a single CICS userid that is defined in each RACF database and that owns the SSLRING the server references.
For example, suppose you want the embedded Liberty z/OS server to use a single keyring, owned by a single userid, that contains the intermediate and signer certificates needed to make an outbound SSL call to all remote CICS servers. In that case, all of the CICS servers being connected to must have their personal certificates signed by the same intermediate or root signer certificate.
This should be possible with the following update to the server.xml:
Define a single keyStore owned by userid CICSxxxx which references the keyring owned by that userid:
<keyStore filebased="false" id="racfKeyStore" location="safkeyring://CICSxxxx/keyring" password="password" readOnly="true" type="JCERACFKS"/>
Modify the sslCertsRef attribute on every <zosconnect_cicsIpicConnection> element to point to this keystore:
sslCertsRef="racfKeyStore"
The following must exist in all RACF databases:
RACDCERT LISTRING(<keyring>) ID(CICSxxxx)
Ring:
     ><keyring><
Certificate Label Name             Cert Owner     USAGE      DEFAULT
--------------------------------   ------------   --------   -------
ROOTSigner                         CERTAUTH       CERTAUTH   NO
IntermediateSigner(s)              CERTAUTH       CERTAUTH   NO
YourSiteCert                       SITE           PERSONAL   YES
---------------
Change ROOTSigner to be the site's root signer certificate.
Change IntermediateSigner to be the intermediate signer certificate.
There may be more than one IntermediateSigner.
Bill Bulfin
IBM zCEE Level2 Support
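One way to confirm that the ring shown above really exists with the same contents in every RACF database, as an added example that is not part of the original IBM answer: the script parses saved RACDCERT LISTRING output from each LPAR and reports rings that are missing, lack a signer, lack a single default personal certificate, or differ from the other LPARs. The LPAR names and the listings are constructed sample data, and treating a label difference between LPARs as a problem is an assumption drawn from "must exist in all RACF databases".

```python
import re

# One certificate row of RACDCERT LISTRING output: label, owner, usage, default.
ROW = re.compile(
    r"^\s*(?P<label>\S.*?)\s+(?P<owner>CERTAUTH|SITE|ID\([^)]+\))"
    r"\s+(?P<usage>PERSONAL|CERTAUTH|SITE)\s+(?P<default>YES|NO)\s*$")

def parse_listring(text):
    """Return the certificate rows of one listing; header lines do not match."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]

def check_ring(rows):
    """Check one ring against the layout the answer requires."""
    if not rows:
        return ["no certificates listed (ring missing or empty)"]
    problems = []
    if not any(r["usage"] == "CERTAUTH" for r in rows):
        problems.append("no signer certificate connected with USAGE CERTAUTH")
    defaults = [r for r in rows
                if r["usage"] == "PERSONAL" and r["default"] == "YES"]
    if len(defaults) != 1:
        problems.append(
            f"expected 1 default PERSONAL certificate, found {len(defaults)}")
    return problems

def compare_lpars(listings):
    """listings maps LPAR name -> LISTRING output; returns LPAR -> problems."""
    parsed = {name: parse_listring(text) for name, text in listings.items()}
    wanted = {r["label"] for rows in parsed.values() for r in rows}
    report = {}
    for name, rows in parsed.items():
        problems = check_ring(rows)
        missing = sorted(wanted - {r["label"] for r in rows})
        if rows and missing:
            problems.append("labels present on other LPARs but not here: "
                            + ", ".join(missing))
        report[name] = problems
    return report

# Constructed sample listings (hypothetical LPAR names, not real output).
HEAD = ("Ring:\n     >keyring<\n"
        "Certificate Label Name  Cert Owner  USAGE  DEFAULT\n" + "-" * 60 + "\n")
SAMPLE = {
    "LPARA": HEAD + "ROOTSigner          CERTAUTH  CERTAUTH  NO\n"
                    "IntermediateSigner  CERTAUTH  CERTAUTH  NO\n"
                    "YourSiteCert        SITE      PERSONAL  YES\n",
    "LPARB": HEAD + "ROOTSigner          CERTAUTH  CERTAUTH  NO\n"
                    "YourSiteCert        SITE      PERSONAL  NO\n",
    "LPARC": "",  # ring not defined in this RACF database
}
```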
Product Synonym
CICS/TS CICSTS CICS TS CICS Transaction Server;zCEE
Document Information
Modified date:
14 February 2023
UID
dwa1422909