IBM Support

Why is z/OS IPSec tunnel negotiation failing after adding a new IKE peer certificate?

Question & Answer


Question

z/OS IPSec peer Phase 1 (IKE_SA) negotiation fails after a new certificate was installed on one of the peer hosts. The following error is seen in the receiver's IKE debug (LOCAL4) syslogd output after the peer host had sent its certificate in the certificate payload:

EZD1800I Remote security endpoint at x.x.x.x port 500 is using a digital signature for authentication but did not send its certificate in a certificate payload

Answer

The new certificate installed on the peer IKE host contained the basicConstraints certificate extension, which z/OS IKE does not support in a certificate that is used to create digital signatures (IKE signature-mode authentication). The EZD1800I message is therefore misleading: the peer did send a certificate payload, but the receiving IKE daemon rejected the certificate and reported it as missing.

The issue is resolved by creating a new certificate for the peer that does not include the basicConstraints extension and installing it in place of the failing one.
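As an added example (not part of the IBM note), the following standard-library Python script parses a DER or PEM X.509 certificate and reports whether it carries the basicConstraints extension (OID 2.5.29.19), with its critical flag, cA value and pathLenConstraint, so a peer certificate can be checked before it is installed in the IKE key ring. The sample certificates it builds are constructed, unsigned dummies that exist only to exercise the parser; the function names (find_basic_constraints, build_sample_cert, and so on) and the subject names in them are this example's own.

```python
# Check a DER or PEM X.509 certificate for the basicConstraints extension
# (OID 2.5.29.19). Standard library only; sample certificates are constructed dummies.
import base64

BASIC_CONSTRAINTS_OID = "2.5.29.19"

def der(tag, content):                                    # DER TLV, short- or long-form length
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                                  # base-128, high bit = more bytes follow
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body += bytes(reversed(chunk))
    return der(0x06, bytes(body))

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0        # valid for first arc 0..2, second arc < 40
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long-form length
        nbytes, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - nbytes:pos], "big")
    return tag, buf[pos:pos + length], pos + length

def children(content):                                    # elements of a constructed type
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        out.append((tag, value))
    return out

def find_basic_constraints(cert_der):
    """None when the certificate has no basicConstraints extension, otherwise
    {"critical": bool, "ca": bool, "path_len": int or None}."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER Certificate SEQUENCE")
    for tag, value in children(children(cert)[0][1]):     # walk tbsCertificate
        if tag != 0xA3:                                   # [3] EXPLICIT Extensions
            continue
        for _, ext in children(children(value)[0][1]):
            fields = children(ext)                        # extnID, [critical], extnValue
            if decode_oid(fields[0][1]) != BASIC_CONSTRAINTS_OID:
                continue
            critical = fields[1][0] == 0x01 and fields[1][1] != b"\x00"
            bc = children(children(fields[-1][1])[0][1])  # BasicConstraints SEQUENCE body
            ca = any(t == 0x01 and v != b"\x00" for t, v in bc)
            path_len = next((int.from_bytes(v, "big") for t, v in bc if t == 0x02), None)
            return {"critical": critical, "ca": ca, "path_len": path_len}
    return None

def pem_to_der(pem_text):
    body = [l for l in pem_text.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(body))

def to_pem(cert_der):
    b64 = base64.b64encode(cert_der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"

def build_sample_cert(basic_constraints=None):
    """Constructed, UNSIGNED dummy certificate for exercising the parser only.
    basic_constraints=None omits the extension; otherwise pass (critical, ca, path_len)."""
    def name(cn):
        return der(0x30, der(0x31, der(0x30, encode_oid("2.5.4.3") + der(0x0C, cn.encode()))))
    sha256_rsa = der(0x30, encode_oid("1.2.840.113549.1.1.11") + der(0x05, b""))
    dummy_bits = der(0x03, b"\x00" * 33)                  # placeholder key / signature bits
    spki = der(0x30, der(0x30, encode_oid("1.2.840.113549.1.1.1") + der(0x05, b"")) + dummy_bits)
    validity = der(0x30, der(0x17, b"190101000000Z") + der(0x17, b"290101000000Z"))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sha256_rsa   # v3, serial 1
           + name("Example IKE CA") + validity + name("ike-peer.example") + spki)
    if basic_constraints is not None:
        critical, ca, path_len = basic_constraints
        bc = (der(0x01, b"\xff") if ca else b"") + (der(0x02, bytes([path_len])) if path_len is not None else b"")
        ext = der(0x30, encode_oid(BASIC_CONSTRAINTS_OID)
                  + (der(0x01, b"\xff") if critical else b"") + der(0x04, der(0x30, bc)))
        tbs += der(0xA3, der(0x30, ext))
    return der(0x30, der(0x30, tbs) + sha256_rsa + dummy_bits)

if __name__ == "__main__":                                # usage: python check_bc.py peer.pem
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else to_pem(build_sample_cert((True, True, None))).encode()
    print(find_basic_constraints(pem_to_der(data.decode()) if data.startswith(b"-----") else data))
```

To check a real peer certificate, export it from the key ring in DER or base64 form (on z/OS, RACDCERT EXPORT can write either) and run the script against the file; a result of None means the extension is absent, which is the condition the Answer above calls for. The same check can be made with `openssl x509 -in peer.pem -noout -text` and looking for an "X509v3 Basic Constraints" line; the script exists so the check can be scripted and so the DER layout the IKE daemon is parsing is visible.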

Business Unit: Systems w/TPS (BU054)
Product: z/OS Communications Server (SSSN3L)
Platform: z/OS (PF035)
Line of Business: Mainframe SW (LOB35)

Product Synonym

ZOSCS COMMSERVER

Document Information

Modified date:
30 April 2019

UID

dwa1503148