IBM Support

CSNDDSG 8 2040 errors when setting up WS-Security

Troubleshooting


Problem

You are setting up CICS Transaction Server for z/OS (CICS TS) to use WS-Security. There are no messages issued but you find an exception trace entry that states: Web Service (requester) soapFault - wsse:InternalError, failure using WSSE (CSNDDSG rc=8 rs=2040).

Symptom

There are no errors logged but WS-Security does not work. You see a failure in the auxiliary trace issued from DFHWSSE from the ICSF module, CSNDDSG. This is similar to APAR PM42688.

Diagnosing The Problem

You capture an auxiliary trace and see trace entries:
PI 1204 WSSE EVENT - DATA DATA(ZosCryptoKeyRSA::signSHA1PKCSBase64Signature - CSNDDSG return code: = 8)
PI 1204 WSSE EVENT - DATA DATA(ZosCryptoKeyRSA::signSHA1PKCSBase64Signature - CSNDDSG reason code: = 2040)
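
Because no messages are issued, the formatted trace is the only place these codes appear. The scanner below is an added illustration, not IBM code: it pairs each non-zero ICSF return code in a WSSE trace entry with its reason code and tolerates entries wrapped at whitespace. The function and type names are hypothetical, and the zero-return-code entries in the sample are constructed.

```python
import re
from typing import NamedTuple, Optional

# Payload of a WSSE trace entry in the form shown on this page:
#   DATA(<method> - <ICSF service> return code: = 8)
ENTRY = re.compile(
    r"DATA\((?P<method>\S+) - (?P<service>CSN\w+) "
    r"(?P<kind>return|reason) code: = (?P<value>\d+)\)"
)

class IcsfFailure(NamedTuple):
    method: str
    service: str
    return_code: int
    reason_code: Optional[int]  # None if no matching reason entry followed

def find_icsf_failures(trace_text: str) -> list:
    """Return every non-zero ICSF return code with its paired reason code."""
    # Printed trace can wrap an entry at whitespace (as on this page), so
    # collapse all whitespace runs before matching.
    flat = " ".join(trace_text.split())
    failures, pending = [], None  # pending = (method, service, rc)
    for m in ENTRY.finditer(flat):
        key, value = (m["method"], m["service"]), int(m["value"])
        if m["kind"] == "return":
            if pending:  # previous failure never got a reason entry
                failures.append(IcsfFailure(*pending, None))
            pending = (*key, value) if value != 0 else None
        elif pending and pending[:2] == key:
            failures.append(IcsfFailure(*pending, value))
            pending = None
    if pending:
        failures.append(IcsfFailure(*pending, None))
    return failures

# First two entries are constructed (a successful call); the last two are the
# entries from this page, including a line wrap after "PI".
SAMPLE_TRACE = """\
PI 1204 WSSE EVENT - DATA DATA(ZosCryptoKeyRSA::signSHA1PKCSBase64Signature - CSNDDSG return code: = 0)
PI 1204 WSSE EVENT - DATA DATA(ZosCryptoKeyRSA::signSHA1PKCSBase64Signature - CSNDDSG reason code: = 0)
PI 1204 WSSE EVENT - DATA DATA(ZosCryptoKeyRSA::signSHA1PKCSBase64Signature - CSNDDSG return code: = 8)
PI
 1204 WSSE EVENT - DATA DATA(ZosCryptoKeyRSA::signSHA1PKCSBase64Signature - CSNDDSG reason code: = 2040)
"""

if __name__ == "__main__":
    for f in find_icsf_failures(SAMPLE_TRACE):
        print(f"{f.service} rc={f.return_code} rs={f.reason_code} in {f.method}")
```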

Resolving The Problem

If certificates are being used with WS-Security (for example, for signing or encryption), then the certificate MUST have a public key and the key must be managed by ICSF/PCICC. The key must be of type 2 or 3.

The certificate should be owned by the CICS region userid (unless you follow the instructions added by PK83316 that are also in section Configuring RACF for Web Services Security in the CICS information center).

You may also need to consider Size Considerations for Private and Public Keys.

Product: CICS Transaction Server
Component: Web Services
Platform: z/OS
Version: 4.1; 4.2; 5.1; 5.2; 5.3

Product Synonym

CICS/TS CICS TS CICS Transaction Server

Document Information

Modified date:
15 June 2018

UID

swg21572408