Secure Sockets Layer (SSL) and Transport Layer Security (TLS) return codes
WebSphere MQ can use Secure Sockets Layer (SSL) with the various communication protocols. Use this topic to identify the error codes that can be returned by SSL.
The table in this appendix documents the return codes, in decimal form, from the Secure Sockets Layer (SSL) that can be returned in messages from the distributed queuing component.
| Return code (decimal) | Explanation |
|---|---|
| 1 | Handle is not valid. |
| 3 | An internal error has occurred. |
| 4 | Insufficient storage is available |
| 5 | Handle is in the incorrect state. |
| 6 | Key label is not found. |
| 7 | No certificates available. |
| 8 | Certificate validation error. |
| 9 | Cryptographic processing error. |
| 10 | ASN processing error. |
| 11 | LDAP processing error. |
| 12 | An unexpected error has occurred. |
| 102 | Error detected while reading key database or SAF key ring. |
| 103 | Incorrect key database record format. |
| 106 | Incorrect key database password. |
| 109 | No certificate authority certificates. |
| 201 | No key database password supplied. |
| 202 | Error detected while opening the key database. |
| 203 | Unable to generate temporary key pair |
| 204 | Key database password is expired. |
| 302 | Connection is active. |
| 401 | Certificate is expired or is not valid yet. |
| 402 | No SSL cipher specifications. |
| 403 | No certificate received from partner. |
| 405 | Certificate format is not supported. |
| 406 | Error while reading or writing data. |
| 407 | Key label does not exist. |
| 408 | Key database password is not correct. |
| 410 | SSL message format is incorrect. |
| 411 | Message authentication code is incorrect. |
| 412 | SSL protocol or certificate type is not supported. |
| 413 | Certificate signature is incorrect. |
| 414 | Certificate is not valid. |
| 415 | SSL protocol violation. |
| 416 | Permission denied. |
| 417 | Self-signed certificate cannot be validated. |
| 420 | Socket closed by remote partner. |
| 421 | SSL V2 cipher is not valid. |
| 422 | SSL V3 cipher is not valid. |
| 427 | LDAP is not available. |
| 428 | Key entry does not contain a private key. |
| 429 | SSL V2 header is not valid. |
| 431 | Certificate is revoked. |
| 432 | Session renegotiation is not allowed. |
| 433 | Key exceeds allowable export size. |
| 434 | Certificate key is not compatible with cipher suite. |
| 435 | Certificate authority is unknown. |
| 436 | Certificate revocation list cannot be processed. |
| 437 | Connection closed. |
| 438 | Internal error reported by remote partner. |
| 439 | Unknown alert received from remote partner. |
| 501 | Buffer size is not valid. |
| 502 | Socket request would block. |
| 503 | Socket read request would block. |
| 504 | Socket write request would block. |
| 505 | Record overflow. |
| 601 | Protocol is not SSL V3 or TLS V1. |
| 602 | Function identifier is not valid. |
| 701 | Attribute identifier is not valid. |
| 702 | The attribute has a negative length, which is invalid. |
| 703 | The enumeration value is invalid for the specified enumeration type. |
| 704 | Invalid parameter list for replacing the SID cache routines. |
| 705 | The value is not a valid number. |
| 706 | Conflicting parameters were set for additional certificate validation |
| 707 | The AES cryptographic algorithm is not supported. |
| 708 | The PEERID does not have the correct length. |
| 1501 | GSK_SC_OK |
| 1502 | GSK_SC_CANCEL |
| 1601 | The trace started successfully. |
| 1602 | The trace stopped successfully. |
| 1603 | No trace file was previously started so it cannot be stopped. |
| 1604 | Trace file already started so it cannot be started again. |
| 1605 | Trace file cannot be opened. The first parameter of gsk_start_trace() must be a valid full path filename. |
In some cases, the secure sockets library reports a certificate validation error in an AMQ9633 error message. Table 2 lists the certificate validation errors that can be returned in messages from the distributed queuing component.
| Return code (decimal) | Explanation |
|---|---|
| 575001 | Internal error |
| 575002 | ASN error due to a malformed certificate |
| 575003 | Cryptographic error |
| 575004 | Key database error |
| 575005 | Directory error |
| 575006 | Invalid implementation library |
| 575008 | No appropriate validator |
| 575009 | The root CA is not trusted |
| 575010 | No certificate chain was built |
| 575011 | Digital signature algorithm mismatch |
| 575012 | Digital signature mismatch |
| 575013 | X.509 version does not allow Key IDs |
| 575014 | X.509 version does not allow extensions |
| 575015 | Unknown X.509 certificate version |
| 575016 | The certificate validity range is invalid |
| 575017 | The certificate is not yet valid |
| 575018 | The certificate has expired |
| 575019 | The certificate contains unknown critical extensions |
| 575020 | The certificate contains duplicate extensions |
| 575021 | The issuers directory name does not match the issuer's issuer |
| 575022 | The Authority Key ID serial number value does not match the serial number of the issuer |
| 575023 | The Authority Key ID and Subject Key ID do not match |
| 575024 | Unrecognized issuer alternative name |
| 575025 | The certificate Basic Constraints forbid use as a CA |
| 575026 | The certificate has a non-zero Basic Constraints path length but is not a CA |
| 575027 | The certificate Basic Constraints maximum path length was exceeded |
| 575028 | The certificate is not permitted to sign other certificates |
| 575029 | The certificate is not signed by a CA |
| 575030 | Unrecognized Subject Alternative Name |
| 575031 | The certificate chain is invalid |
| 575032 | The certificate is revoked |
| 575033 | Unrecognized CRL distribution point |
| 575034 | Name chaining failed |
| 575035 | Certificate is not in a chain |
| 575036 | The CRL is not yet valid |
| 575037 | The CRL has expired |
| 575038 | The certificate version does not allow critical extensions |
| 575039 | Unknown CRL distribution points |
| 575040 | No CRLs for CRL distribution points |
| 575041 | Indirect CRLs are not supported |
| 575042 | Missing issuing CRL distribution point name |
| 575043 | Distribution points do not match |
| 575044 | No available CRL data source |
| 575045 | CA Subject name is null |
| 575046 | Distinguished names do not chain |
| 575047 | Missing Subject Alternative Name |
| 575048 | Unique ID mismatch |
| 575049 | Name not permitted |
| 575050 | Name excluded |
| 575051 | CA certificate is missing Critical Basic Constraints |
| 575052 | Name constraints are not critical |
| 575053 | Name constraints minimum subtree value if set is not zero |
| 575054 | Name constraints maximum subtree value if set is not allowed |
| 575055 | Unsupported name constraint |
| 575056 | Empty policy constraints |
| 575057 | Bad certificate policies |
| 575058 | Certificate policies not acceptable |
| 575059 | Bad acceptable certificate policies |
| 575060 | Certificate policy mappings are critical |
| 575061 | Revocation status could not be determined |
| 575062 | Extended key usage error |
| 575063 | Unknown OCSP version |
| 575064 | Unknown OCSP response |
| 575065 | Bad OCSP key usage extension |
| 575066 | Bad OCSP nonce |
| 575067 | Missing OCSP nonce |
| 575068 | No OCSP client available |
| 575069 | Policy not critical |
| 575070 | OCSP old but good |
| 575071 | OCSP old but revoked |
| 575072 | Incorrect curve |
| 575073 | Incorrect key size |
| 575074 | Incorrect signature algorithm |