z/OS Communications Server: IP Messages Volume 2 (EZB, EZD)
SC27-3655-01

EZD1905I
IKE version version tunnel activation for stackname using KeyExchangeRule kername requires the NSS certificate service but the service is not available - return code = retcode

Explanation

The Internet Key Exchange (IKE) daemon is unable to activate an IKE tunnel because the required NSS certificate service is not available.

In the message text:
version
The version of the IKE protocol being used to activate the tunnel.
stackname
The name of the TCP/IP stack for which the IKE tunnel is being activated.
kername
The name of the KeyExchangeRule being used for this IKE tunnel activation attempt.
retcode
The reason why the required certificate service is unavailable. Possible values are:
-1
The stack is not configured as an NSS client.
-2
The stack is configured as an NSS client but is not configured for the certificate service.
-3
The stack is connected to an NSS server but the stack is not authorized to use the certificate service.
-4
The stack is connected to an NSS server that does not support advanced PKI certificate services.

The NSS certificate service is required for all IKEv2 tunnel activation requests that use an authentication method other than PresharedKey. For example, if the KeyExchangeAction statement for the specified KeyExchangeRule has HowToInitiate IKEv2 and HowToAuthMe RSASignature, the NSS certificate service is required to activate the IKE tunnel.

System action

This tunnel activation attempt fails. IKE daemon processing continues.

Operator response

None.

System programmer response

The appropriate corrective action depends on the retcode value in the message:
-1
Configure the stack as an NSS client that requests NSS certificate services.
-2
Configure the stack as an NSS client that requests NSS certificate services.
-3
Notify the system programmer of the NSS server to provide authorization to the stack for network security certificate services.
-4
Change the configuration of the IKE daemon to connect to an NSS server that does support advanced PKI certificate services; for example, an NSS server on a z/OS® V1R12 system.

See the information about IP security in z/OS Communications Server: IP Configuration Guide for information about network security certificate services.

User response

Not applicable.

Problem determination

Not applicable.

Source

z/OS Communications Server TCP/IP: IKE daemon

Module

anchor_ureq.cpp

Routing code

11

Descriptor code

7

Automation

This message is output to syslog.

Example

EZD1905I IKE version 2.0 tunnel activation for TCPCS2 using KeyExchangeRule IKEV2-SA1-TCP requires the NSS 
         certificate service but the service is not available - return code = -1
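Because the message goes to syslog, it can be triaged automatically. The following is an added example, not IBM code: it extracts the documented fields from EZD1905I occurrences and attaches the matching system programmer response. It assumes wrapped messages continue as plain indented text, as in the example above; the second sample line and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Field layout follows the EZD1905I message text documented on this page.
EZD1905I = re.compile(
    r"EZD1905I IKE version (?P<version>\S+) tunnel activation for "
    r"(?P<stackname>\S+) using KeyExchangeRule (?P<kername>\S+) requires the "
    r"NSS certificate service but the service is not available - "
    r"return code = (?P<retcode>-?\d+)"
)

# Corrective action per return code, from "System programmer response".
ACTION = {
    -1: "stack: configure as NSS client requesting certificate services",
    -2: "stack: configure as NSS client requesting certificate services",
    -3: "NSS server: authorize the stack for certificate services",
    -4: "IKE daemon: connect to an NSS server with advanced PKI support",
}

# First entry is the page's example; the second is constructed.
SAMPLE = """\
EZD1905I IKE version 2.0 tunnel activation for TCPCS2 using KeyExchangeRule IKEV2-SA1-TCP requires the NSS
         certificate service but the service is not available - return code = -1
EZD1905I IKE version 2.0 tunnel activation for TCPCS3 using KeyExchangeRule RULE-B requires the NSS certificate service but the service is not available - return code = -3
"""

def parse_ezd1905i(log_text):
    """Return one dict per EZD1905I occurrence, tolerating wrapped lines."""
    # Collapse all whitespace so a message split across lines matches again.
    flat = " ".join(log_text.split())
    events = []
    for m in EZD1905I.finditer(flat):
        ev = m.groupdict()
        ev["retcode"] = int(ev["retcode"])
        ev["action"] = ACTION.get(ev["retcode"], "unknown return code")
        events.append(ev)
    return events

def summarize(events):
    """Count failures per (stack, rule, retcode) so repeats show as one row."""
    return Counter((e["stackname"], e["kername"], e["retcode"]) for e in events)

if __name__ == "__main__":
    for key, count in summarize(parse_ezd1905i(SAMPLE)).items():
        print(count, key, ACTION.get(key[2], "unknown return code"))
```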

Copyright IBM Corporation 1990, 2014