List: racf-l
Subject: Re: FC0994 authServer: secure_socket_init failed with rc = 428 (Key entry does not contain a private
From: Wai Choi <wchoi () US ! IBM ! COM>
Date: 2014-12-23 23:43:30
Message-ID: OFD21A03B8.5BF1ADCB-ON85257DB7.007EFACD-85257DB7.0082541E () us ! ibm ! com
John,

Your setup showed that the certificate owner (and thus the private key owner)
and the ring owner are both the user TEST, but FTPD is the ID accessing the
ring, the certificate and the private key. The problem is that a private key
owned by a personal ID CANNOT be accessed by a different ID under the
FACILITY class, even if you have CONTROL to all IRR.DIGTCERT.* (specifically,
IRR.DIGTCERT.LISTRING and IRR.DIGTCERT.GENCERT). It will work if
a) TEST is the ID used in the FTP process, OR
b) the certificate owner is either SITE or CERTAUTH, not a personal ID, OR
c) you use the profile <ring owner>.<ring name>.LST in the RDATALIB class to
control access to the ring/certificate/private key, instead of the
FACILITY class. In your case, give ID FTPD UPDATE access to profile
TEST.JPMCACO.TEST.LST in the RDATALIB class. The control from RDATALIB
provides granularity: the access applies only to a certain key ring,
unlike the FACILITY class, in which the access applies to ALL the key rings.
For details, you may look at the Usage Notes of the R_datalib callable
service in the RACF Callable Services book.
Wai Choi - RACF/PKI Design and Development
From: John Mattson <johnmattson.it@GMAIL.COM>
To: RACF-L@LISTSERV.UGA.EDU
Date: 12/19/2014 09:12 PM
Subject: Re: FC0994 authServer: secure_socket_init failed with rc = 428 (Key entry does not contain a private key)
Sent by: RACF Discussion List <RACF-L@LISTSERV.UGA.EDU>
Thank you all for your suggestions. Unfortunately, it is still not working.
For the record, we are only going from z/OS to the Linux with AXWAY Secure
Transport 5.5.
1) Both the FTPD and my userid have CONTROL auth to all IRR.DIGTCERT.*
resources. No luck there.
2) My SS cert has a private key, and looks properly set up as default on
the ring (see below).
3) I double checked with the vendor and they have my public key in place.
4) We both double checked firewall access, even though the connection
certainly is good enough to try to check the cert, so that looks good.
5) As to TLS 1.0, we have many other connections to many vendors which
work just fine. Indeed we work fine going to the Prod server on this vendor's
network.
We get the following message in the GSK trace ....
12/18/2014-12:05:06 Thd-0 ERROR gsk_get_local_certificates(): Record 'ACCORD JPMC CERT TEST' does not have a private key
But the cert clearly has a private key:
racdcert id(TEST) list(label('ACCORD JPMC CERT TEST'))

Digital certificate information for user TEST:

  Label: ACCORD JPMC CERT TEST
  Certificate ID: 2QTjxeLjwcPD1tnEQNHX1MNAw8XZ40DjxeLj
  Status: TRUST
  Start Date: 2014/12/09 00:00:00
  End Date:   2016/10/23 00:00:00
  Serial Number:
       >00<
  Issuer's Name:
       >CN=requests_eiso_provisioning@ahm.honda.com.T=HNA ISD TEST.O=Honda No<
       >rth America, Inc.L=Torrance.SP=CA.C=US<
  Subject's Name:
       >CN=requests_eiso_provisioning@ahm.honda.com.T=HNA ISD TEST.O=Honda No<
       >rth America, Inc.L=Torrance.SP=CA.C=US<
  Key Usage: HANDSHAKE, DATAENCRYPT
  Private Key Type: Non-ICSF
  Private Key Size: 2048
  Ring Associations:
    Ring Owner: TEST
    Ring:
       >JPMCACO.TEST<
And our ring is set up properly as best I understand it.

racdcert id(TEST) listring(JPMCACO.TEST)

Digital ring information for user TEST:

  Ring:
       >JPMCACO.TEST<
  Certificate Label Name             Cert Owner    USAGE     DEFAULT
  --------------------------------   ------------  --------  -------
  JPM CHASE TSS1S032 CA 2011_03_04   CERTAUTH      CERTAUTH  NO
  JPTEST TSS1S032                    ID(CJ00)      SITE      NO
  ACCORD JPMC CERT TEST              ID(TEST)      PERSONAL  YES
  JPMCHA1A                           CERTAUTH      CERTAUTH  NO
  JPMCHA2A                           CERTAUTH      CERTAUTH  NO
  JPMCHA1B                           SITE          SITE      NO
  JPMCHA2B                           SITE          SITE      NO
  UTN HW CA RVIERREGGER              CERTAUTH      CERTAUTH  NO
  B001-CERTAUTH                      CERTAUTH      CERTAUTH  NO
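The RDATALIB fix that Wai's option (c) describes, written out as the TSO/RACF commands an administrator would issue. This is an added example and not part of either message in the thread. It uses the ring owner TEST, ring name JPMCACO.TEST and daemon ID FTPD from the thread, and assumes the RDATALIB class has not yet been activated at this site (skip the CLASSACT step if SETROPTS LIST already shows it active and RACLISTed). Comments use CLIST syntax so the block can be run as a CLIST or typed line by line.

```tso
/* Step 0: confirm whether RDATALIB is already active and RACLISTed.   */
/* R_datalib only honours RDATALIB profiles when the class is RACLISTed */
/* (see the R_datalib usage notes in the RACF Callable Services book).  */
SETROPTS LIST

/* Step 1: activate and RACLIST the class (assumption: not yet active). */
SETROPTS CLASSACT(RDATALIB) RACLIST(RDATALIB)

/* Step 2: define the ring-specific profile <ring owner>.<ring name>.LST */
/* with no default access, so only explicitly permitted IDs can use it. */
RDEFINE RDATALIB TEST.JPMCACO.TEST.LST UACC(NONE)

/* Step 3: UPDATE is the level Wai names for reading the private key of */
/* a PERSONAL certificate owned by another user (TEST) from this ring.  */
/* READ would only let FTPD list the ring and its public certificates.  */
PERMIT TEST.JPMCACO.TEST.LST CLASS(RDATALIB) ID(FTPD) ACCESS(UPDATE)

/* Step 4: refresh the in-storage copy so the new PERMIT takes effect   */
/* without restarting FTPD.                                             */
SETROPTS RACLIST(RDATALIB) REFRESH

/* Step 5: verify the access list before retesting the TLS handshake.   */
RLIST RDATALIB TEST.JPMCACO.TEST.LST AUTHUSER
```

Two things to check after running this. First, the profile name is built from the ring owner and ring name exactly as shown by RACDCERT LISTRING, so a ring named with mixed case needs a matching profile name. Second, the RDATALIB profile scopes the grant to this one ring, which is the point of preferring it over the FACILITY class: FTPD's CONTROL on IRR.DIGTCERT.* can be left in place or reduced, but it is no longer what governs access to TEST's private key on JPMCACO.TEST.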