IBM Support

FDC1015I: An FFDC Incident has been created: "java.io.IOException: R_datalib (IRRSDL00) error: profile for ring not found (8, 8, 84)

Question & Answer


Question

I have a z/OS Connect Enterprise Edition (zCEE) V3 liberty server running in one LPAR which is configured to connect to a CICS Transaction Server for z/OS (CICS TS) region in another LPAR using SSL enabled IPIC connection. My zCEE server gets message:

9/22/17 16:40:54:915 GMT] 00000018 com.ibm.ws.logging.internal.impl. IncidentImpl I FFDC1015I: An FFDC Incident has been created: "java.io.IOException: R_datalib (IRRSDL00) error: profile for ring not found (8, 8, 84) com.ibm.ws.ssl.config.WSKeyStore$1 do_getKeyStore" at ffdc_17.09.22_16.40.54.0.log

Should I have to add the connecting CICS regions also to the keyring setup in the zCEE LPAR?

Answer

The RACF return and reason codes 8,8,84 from message FFDC1015I are described as follows in table 2 of topic Return and reason codes in the z/OS V2.3 documentation:

In this instance, there were separate RACF databases in each LPAR which is why the zCEE server was issuing the R_Datalib messages because the CICS userids for the CICS service provide IPIC connections were not defined on the zCEE LPAR's RACF database.

You can either replicate the CICS userids in the RACF data base for each LPAR where they are accessed, or, you can create a single CICS userid that is defined in each RACF database that references the SSLRING owned by that CICS userid.

For example, if you would like to have the embedded Liberty z/OS server to use a single keyring owned by a single userid containing the correct intermediate and signer certificates needed to make an outbound SSL call to all remote CICS severs, then, all CICS connect servers need to have their personal certificates signed by the same intermediate or root signer certificate.

This should be possible with the following update to the server.xml:

  1. Define a single keyStore owned by userid CICSxxxx which references the keyring owned by that userid. <keyStore filebased="false" id="racfKeyStore"location="safkeyring://CICSxxxx/keyring" password="password"readOnly="true" type="JCERACFKS"/>

  2. Modify all the <zosconnect_cicsIpicConnection tags sslCertsRef tags to point to this keystore sslCertsRef="racfKeyStore"

The following must exist in all RACF databases:

RACDCERT LISTRING(<keyring>) ID(CICSxxxx) Ring: ><keyring><

 Certificate Label Name             Cert Owner     USAGE      DEFAULT
 --------------------------------   ------------   --------   -------
 ROOTSigner                         CERTAUTH       CERTAUTH     NO
 IntermediateSigner(s)              CERTAUTH       CERTAUTH     NO
 YourSiteCert                       SITE           PERSONAL     YES
 ---------------
  • Change ROOTSigner to be the sites root signer certifcate

  • Change IntermediateSigner to be the intermediate signer

  • There may be more than 1 IntermediateSigner

Bill Bulfin
IBM zCEE Level2 Support

[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Platform":[{"code":"PF035","label":"z\/OS"}],"Component":"","Version":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSNPJM","label":"IBM z\/OS Connect"},"Platform":[{"code":"PF035","label":"z\/OS"}],"Line of Business":{"code":"LOB35","label":"Mainframe SW"}}]

Product Synonym

CICS/TS CICSTS CICS TS CICS Transaction Server;zCEE

Document Information

Modified date:
14 February 2023

UID

dwa1422909