IBM Support

SSL RC 435 from function 'gsk_secure_socket_init'

Troubleshooting


Problem

Your CICS Transaction Server for z/OS (CICS TS) Web services SSL request fails with: DFHSO0123 Return code 435 received from function 'gsk_secure_socket_init' of System SSL. Reason: Untrusted Certificate Authority.

Symptom

DFHSO0123 Return code 435 received from function 'gsk_secure_socket_init' of System SSL.
Reason: Untrusted Certificate Authority.

Cause

There can be several reasons for the error:

  • The certificate was added to the keyring after CICS TS was started
  • Changes were made to the certificate, such as marking it trusted, and CICS TS was not restarted
  • If the RACF classes DIGTCERT and DIGTRING are RACLISTed, a SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH was not done after adding or changing the certificates, followed by a restart of CICS TS

Diagnosing The Problem

Return code 435 from gsk_secure_socket_init means:
Certification authority is unknown.
Explanation: The key database does not contain a certificate for the certification authority.
User response: Obtain the certificate for the certification authority and add it to the key database. When using a SAF key ring, the CA certificate must be TRUSTed.

APAR PK35216 was created for CICS TS V3.1 to have CICS correctly interpret the return code 435 as Unknown Certificate Authority instead of Untrusted Certificate Authority. This has been corrected beginning with CICS TS V3.2.

You can test your basic Web SSL setup in CICS TS from a Web browser using the CICS Web Bridge:


    HTTPS://ipaddr:port/CICS/CWBA/DFHWBTTC/tran

where ipaddr is your z/OS host IP address, port is the PORTNUMBER specified on your TCPIPSERVICE definition, and tran is a 3270 transaction ID such as CEMT.

A CICS trace for the DFHSO0123 message will show:
    SO 080C SOSE "EXC" SYSTEM_SSL_ERROR GSK_ERR_UNKNOWN_CA, SECURE_SOC_INIT, EXCEPTION, CLIENT_ERROR, 1B3

If you need to gather an SSL trace, see the z/OS Cryptographic Services System Secure Sockets Layer Programming documentation for configuring the SSL started task (GSK Server) and Obtaining Diagnostic Information. The steps for Capturing Component Trace Data are summarized here, but refer to the documentation for additional information:
  1. S GSKSRVR
  2. Restart CICS.
  3. Update GSKWTR PROC to add a dataset to hold the trace.
  4. TRACE CT,WTRSTART=GSKWTR
  5. TRACE CT,ON,COMP=GSKSRVR
  6. R n,JOBNAME=(yyy),OPTIONS=(LEVEL=255),WTR=GSKWTR,END
    where yyy is the name of CICS.
  7. Recreate the problem.
  8. TRACE CT,OFF,COMP=GSKSRVR
  9. TRACE CT,WTRSTOP=GSKWTR

Resolving The Problem

Check the following:

  • Ensure that every Certificate Authority (CA) certificate in the chain that signed the certificate is in the keyring specified by the KEYRING parameter in the System Initialization Table (SIT).
  • The CA certificates must be marked TRUST in RACF and be connected to the CICS keyring with usage CERTAUTH.
  • Issue SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH and restart CICS.
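As an added example (not part of this technote), a REXX exec that performs these three checks with RACDCERT and repairs what it finds. The user ID CICSUSER, the ring name CICSRING and the CA label MyCA are placeholders, and the TRUST and ring checks are plain string matches on the RACDCERT listing output, which is an assumption about that output's layout.

```rexx
/* REXX: verify that the CA that signed the certificate is TRUSTed in RACF  */
/* and connected to the CICS keyring with usage CERTAUTH (added example).   */
/* Placeholders to change for your site: CICSUSER = CICS region user ID,    */
/* CICSRING = value of the SIT KEYRING parameter, MyCA = CA certificate label */
cicsid = 'CICSUSER'; ring = 'CICSRING'; calabel = 'MyCA'
ADDRESS TSO
/* 1. Inspect the CA certificate itself; its Status line must not say NOTRUST */
x = OUTTRAP('caline.')
"RACDCERT CERTAUTH LIST(LABEL('"calabel"'))"
x = OUTTRAP('OFF')
trusted = 0
DO i = 1 TO caline.0
  line = TRANSLATE(caline.i)                       /* uppercase for matching */
  IF POS('STATUS:', line) > 0 & POS('NOTRUST', line) = 0 THEN trusted = 1
END
IF trusted = 0 THEN DO
  SAY 'CA' calabel 'is not TRUSTed in RACF; marking it TRUST'
  "RACDCERT CERTAUTH ALTER(LABEL('"calabel"')) TRUST"
END
/* 2. Inspect the CICS keyring; the CA must appear with usage CERTAUTH */
x = OUTTRAP('ringline.')
"RACDCERT ID("cicsid") LISTRING("ring")"
x = OUTTRAP('OFF')
inring = 0
DO i = 1 TO ringline.0
  IF POS(calabel, ringline.i) > 0 & POS('CERTAUTH', ringline.i) > 0 THEN inring = 1
END
IF inring = 0 THEN DO
  SAY 'CA' calabel 'is not in ring' ring 'with usage CERTAUTH; connecting it'
  "RACDCERT ID("cicsid") CONNECT(CERTAUTH LABEL('"calabel"') RING("ring")",
                                "USAGE(CERTAUTH))"
END
/* 3. Make the change visible to the RACLISTed classes; CICS must then be */
/* restarted so that it re-reads the keyring.                              */
"SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH"
SAY 'Refresh issued; restart CICS so the keyring is re-read'
```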


Product Synonym

CICS/TS CICS TS CICS Transaction Server

Document Information

Modified date:
21 June 2018

UID

swg21285004