Troubleshooting
Problem
Your CICS Transaction Server for z/OS (CICS TS) Web services SSL request fails with: DFHSO0123 Return code 435 received from function 'gsk_secure_socket_init' of System SSL. Reason: Untrusted Certificate Authority.
Symptom
DFHSO0123 Return code 435 received from function 'gsk_secure_socket_init' of System SSL.
Reason: Untrusted Certificate Authority.
Cause
There can be several reasons for the error:
- The certificate was added to the keyring after CICS TS was started
- Changes were made to the certificate, such as marking it trusted, and CICS TS was not restarted afterwards
- If the RACF classes DIGTCERT and DIGTRING are RACLISTed, a SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH was not issued after adding or changing the certificates, followed by a restart of CICS TS
Diagnosing The Problem
Return code 435 from gsk_secure_socket_init means:
Certification authority is unknown.
Explanation: The key database does not contain a certificate for the certification authority.
User response: Obtain the certificate for the certification authority and add it to the key database. When using a SAF key ring, the CA certificate must be TRUSTed.
APAR PK35216 was created for CICS TS V3.1 to have CICS correctly interpret the return code 435 as Unknown Certificate Authority instead of Untrusted Certificate Authority. This has been corrected beginning with CICS TS V3.2.
You can test your basic Web SSL setup in CICS TS from a Web browser using the CICS Web Bridge:
HTTPS://ipaddr:port/CICS/CWBA/DFHWBTTC/tran
where ipaddr is your z/OS host ip address, port is the PORTNUMBER specified on your TCPIPSERVICE definition, and tran is a 3270 transaction id like CEMT.
A CICS trace for the DFHSO0123 message will show:
- SO 080C SOSE "EXC" SYSTEM_SSL_ERROR GSK_ERR_UNKNOWN_CA, SECURE_SOC_INIT, EXCEPTION, CLIENT_ERROR, 1B3
To collect a System SSL (GSKSRVR) component trace of the failure:
- S GSKSRVR
- Restart CICS.
- Update the GSKWTR PROC to add a dataset to hold the trace.
- TRACE CT,WTRSTART=GSKWTR
- TRACE CT,ON,COMP=GSKSRVR
- R n,JOBNAME=(yyy),OPTIONS=(LEVEL=255),WTR=GSKWTR,END
where n is the outstanding reply number and yyy is the job name of CICS.
- Recreate the problem.
- TRACE CT,OFF,COMP=GSKSRVR
- TRACE CT,WTRSTOP=GSKWTR
Resolving The Problem
Check the following:
- Ensure that every Certificate Authority (CA) certificate in the signing chain of the certificate being validated is in the keyring specified by the KEYRING parameter in the System Initialization Table (SIT).
- The CA certificates must be in RACF as trusted certificates and connected to the CICS keyring with usage CERTAUTH.
- Issue SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH and restart CICS.
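The following REXX exec is an added illustration of those three checks, not part of this technote and not IBM-supplied code. Run under TSO by a user with RACDCERT and SETROPTS authority, it uses OUTTRAP to read the RACDCERT LIST and LISTRING output, repairs whatever is missing (adds the CA as CERTAUTH with TRUST, marks a NOTRUST CA as TRUST, or connects it to the ring with USAGE(CERTAUTH)), and refreshes the RACLISTed classes. The region userid CICSUSER, the ring name CICSRING, the label 'Example CA' and the data set HLQ.CACERT.PEM are placeholders to replace with your own values.

```rexx
/* REXX - verify a CA certificate is usable by CICS System SSL.        */
/* Added example, not from the technote. Names below are placeholders. */
ADDRESS TSO
cicsuser = 'CICSUSER'       /* assumed CICS region userid             */
ring     = 'CICSRING'       /* assumed value of the KEYRING SIT parm  */
calabel  = 'Example CA'     /* assumed RACF label of the signing CA   */
cadsn    = 'HLQ.CACERT.PEM' /* assumed data set holding the CA cert   */
fixed    = 0                /* set to 1 if anything in RACF changes   */

/* Step 1: does RACF know the CA certificate, and is it TRUSTed?       */
/* OUTTRAP captures the RACDCERT LIST output into the stem out.        */
x = OUTTRAP('out.')
"RACDCERT CERTAUTH LIST(LABEL('"calabel"'))"
x = OUTTRAP('OFF')
status = ''
DO i = 1 TO out.0
  IF WORD(out.i, 1) = 'Status:' THEN status = WORD(out.i, 2)
END
SELECT
  WHEN status = '' THEN DO
    SAY 'CA' calabel 'is not in RACF; adding it as a trusted CERTAUTH.'
    "RACDCERT CERTAUTH ADD('"cadsn"') WITHLABEL('"calabel"') TRUST"
    fixed = 1
  END
  WHEN status = 'NOTRUST' THEN DO
    SAY 'CA' calabel 'is NOTRUST; marking it TRUST.'
    "RACDCERT CERTAUTH ALTER(LABEL('"calabel"')) TRUST"
    fixed = 1
  END
  OTHERWISE SAY 'CA' calabel 'status is' status
END

/* Step 2: is the CA connected to the CICS keyring with USAGE(CERTAUTH)? */
/* LISTRING prints one row per certificate: label, owner, usage, default. */
x = OUTTRAP('out.')
"RACDCERT ID("cicsuser") LISTRING("ring")"
x = OUTTRAP('OFF')
connected = 0
DO i = 1 TO out.0
  IF POS(calabel, out.i) > 0 & POS('CERTAUTH', out.i) > 0 THEN connected = 1
END
IF \connected THEN DO
  SAY 'CA' calabel 'is not in ring' ring'; connecting it.'
  "RACDCERT ID("cicsuser") CONNECT(CERTAUTH LABEL('"calabel"')",
     "RING("ring") USAGE(CERTAUTH))"
  fixed = 1
END

/* Step 3: make the RACLISTed DIGTCERT/DIGTRING classes see the change. */
/* CICS only reads the keyring at initialization, so a restart follows.  */
IF fixed THEN DO
  "SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH"
  SAY 'RACF updated. Restart CICS so the region re-reads ring' ring'.'
END
ELSE SAY 'Keyring' ring 'already holds' calabel 'as a trusted CA.'
EXIT 0
```

Run it once per CA in the chain (root and any intermediates), since return code 435 is raised for whichever signer System SSL cannot find in the key database; the restart at the end is still required even when only the TRUST status changed, which is the second cause listed above.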
Product Synonym
CICS/TS CICS TS CICS Transaction Server
Document Information
Modified date:
21 June 2018
UID
swg21285004