z/OS Communications Server: IP Messages Volume 2 (EZB, EZD)
SC27-3655-01

EZD1035I
Certificate cannot be used for RSA signature mode of authentication

Explanation

IKE encountered a certificate that cannot be used for RSA signature mode of authentication; the IKE daemon currently supports only RSA signing for IKEv1.

Additional diagnostic messages that have the same message instance number will be issued to identify the impacted Security Association (SA). The message instance number precedes the message number in the log output and is used to group related messages from the IKE daemon.

System action

The certificate cannot be used and the negotiation will fail if the certificate is an end-entity certificate; IKE daemon processing continues.

Operator response

Contact the system programmer.

System programmer response

Notify the administrator of the remote security endpoint about the error and ask the administrator to verify that the certificates sent to the IKE daemon for IKEv1 use RSA signature mode. The administrator of the remote security endpoint should also verify that the key usage and the extended key usage extensions of the certificates that were sent support the creation and verification of digital signatures in an IKE flow. When the key usage extension is present, either the digital signature bit or the nonrepudiation bit must be set. When the extended key usage extension is present, it must allow either any usage or usage with IKE.
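
The extension check described above can be run against a certificate before it is deployed. The following is an added example, not IBM code: it applies the rule to the DER-encoded values of the two extensions. It assumes that "any usage" and "usage with IKE" correspond to the extended key usage OIDs anyExtendedKeyUsage and id-kp-ipsecIKE, and that an absent extension imposes no restriction. All function names are hypothetical.

```python
# Added example: the key usage / extended key usage rule from the message text,
# applied to DER-encoded extension values (the extnValue contents).
ANY_EKU = "2.5.29.37.0"           # anyExtendedKeyUsage (RFC 5280)
IPSEC_IKE = "1.3.6.1.5.5.7.3.17"  # id-kp-ipsecIKE (RFC 4945), assumed to be "usage with IKE"

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one definite-length DER element."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    arcs, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last octet of an arc
            arcs.append(acc)
            acc = 0
    x = min(arcs[0] // 40, 2)  # first octet group packs the first two arcs
    return ".".join(map(str, [x, arcs[0] - 40 * x] + arcs[1:]))

def key_usage_allows_signing(ku_der):
    """True if KeyUsage is absent or sets digitalSignature (bit 0) or nonRepudiation (bit 1)."""
    if ku_der is None:
        return True
    tag, value, _ = read_tlv(ku_der)
    if tag != 0x03 or not value:
        raise ValueError("not a KeyUsage BIT STRING")
    return len(value) > 1 and bool(value[1] & 0xC0)  # value[0] = unused-bit count

def eku_allows_ike(eku_der):
    """True if ExtendedKeyUsage is absent or lists any usage or the IKE usage."""
    if eku_der is None:
        return True
    tag, seq, _ = read_tlv(eku_der)
    if tag != 0x30:
        raise ValueError("not an ExtKeyUsageSyntax SEQUENCE")
    oids, pos = set(), 0
    while pos < len(seq):
        t, body, pos = read_tlv(seq, pos)
        if t != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.add(decode_oid(body))
    return bool(oids & {ANY_EKU, IPSEC_IKE})

def usable_for_rsa_signature_mode(ku_der, eku_der):
    return key_usage_allows_signing(ku_der) and eku_allows_ike(eku_der)
```

For example, the constructed key usage value `03 02 05 20` (keyEncipherment only) fails the check, while `03 02 05 A0` (digitalSignature and keyEncipherment) passes when no extended key usage extension is present.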

Module

pki390.cpp

Procedure name

None.





Copyright IBM Corporation 1990, 2014