Troubleshooting

Use the following table to help troubleshoot problems with Connect:Direct® Secure Plus:

Note: For all errors related to Strong Password Encryption, see SPE Problem Troubleshooting.
Each entry below gives the Problem, the Possible Cause, and the Solution.
Problem: System initialization failed, and the following SITA196E error message is displayed: FIPS Mode Requested but SECURE.DSN parameter is not specified.
Possible Cause: You specified the FIPS initialization parameter as YES, but you did not specify the SECURE.DSN parameter to enable Connect:Direct Secure Plus.
Solution: Update the initialization parameters and restart IBM Connect:Direct.

Problem: System initialization failed, and the following error message is displayed: Connect;Direct FIPS keyword requires z/OS release 1.11 or later.
Possible Cause: Your current, active z/OS release level does not support FIPS mode for System SSL.
Solution: Either update the FIPS initialization parameter to NO or execute IBM Connect:Direct on the appropriate release level of z/OS.

Problem: IBM Connect:Direct was terminated, and the following error message is displayed: Secure+ Severe FIPS Mode Error, &var1.
Possible Cause: During operation of a TLS FIPS mode request, a severe error occurred causing IBM Connect:Direct to terminate with a U4079 abend due to one of the following:
  • KEY database (not FIPS-mode)
  • Random number generation failure
  • RSA or DSA keypair generation failure
  • gsk_perform_kat API failure
Solution: Contact IBM Support or correct the error and restart IBM Connect:Direct.

Problem: The following message is received at startup: SITA166I or SITA167I Secure+ SSL or TLS initialization failed. rc=00000134, rs=NO DFLT UNIX PATH.
Possible Cause: The IBM Connect:Direct system does not have a default directory created for it in UNIX system services. The DLL files and other facilities related to SSL or TLS require the presence of a default UNIX directory.
Solution: Contact your z/OS® system programmer.

Problem: The following message is received at startup: SITA166I Secure+ SSL or TLS initialization failed. rc=000000002, rs=GSK_KEYFILE_OPEN_FAILED.
Possible Cause: The Connect:Direct Secure Plus parameter file, with the SECURE.SSL.PATH.PREFIX initialization parameter, specifies a nonexistent key database, the key database has incorrect file permissions, or the password typed is incorrect.
Solution: Correct the name specified in the initialization parameter or the Connect:Direct Secure Plus parameter file, the UNIX permissions, or the password.

Problem: The following message is received at startup or when IBM Connect:Direct performs a certificate validation check and discovers a certificate that will soon expire: CSPA600W WARNING Cert: &cert for Node: &node expires: &date.
Possible Cause: The named certificate will expire on the specified date.
Note: A message will not contain the node name if the certificate did not have a Connect:Direct Secure Plus parameter file record associated with it.
Solution: The warning message will appear based on the validation check controlled by the following initialization parameters: CHECK.CERT.EXPIRE, CHECK.CERT.WARN.DAYS, and CHECK.CERT.EXPIRE.TIME. Take the appropriate action to generate or obtain a new certificate.

Problem: The following message is received at startup or when IBM Connect:Direct performs a certificate validation check and discovers that a certificate has expired: CSPA601E ERROR Cert: &cert for Node: &node expired on: &date.
Possible Cause: The named certificate has expired on the specified date.
Note: A message will not contain the node name if the certificate did not have one associated with it.
Solution: The warning message will appear based on the validation check controlled by the following initialization parameter: CHECK.CERT.EXPIRE. Take the appropriate action to generate or obtain a new certificate.

Problem: The following message is received at startup or when IBM Connect:Direct performs a certificate validation check and discovers a certificate it cannot validate: CSPA607W WARNING Cert: &cert for Node: &node does not exist.
Possible Cause: The Certificate Expiration Validation function has obtained a certificate label for the Secure Parmfile; however, that certificate cannot be retrieved.
Note: A message will not contain the node name if the certificate did not have one associated with it.
Solution: The most likely cause of this is that the certificate does not exist in the key database or key ring. Ensure that the certificate exists and that the Secure Parmfile entry specifies the correct label name. The label is case sensitive and must match exactly.

Problem: The following message is received when an SSL or TLS Process is run: SSL or TLS handshake failure, reason=GSK_ERROR_SOCKET_CLOSED.
Possible Cause: The trading partners have not enabled a matching cipher suite.
Solution: Update the remote node record for the trading partner to enable a cipher suite recognized by the trading partner and resubmit the Process.

Problem: The following message is received: CSPA202E SSL handshake failure, reason=GSK_ERROR_BAD_CERTIFICATE.
Possible Cause: The certificate is not valid on the system issuing GSK_ERROR_BAD_CERT. This error occurs if the certificate is not validated on any local trusted CA certificate. This error is common if you use self-signed certificates because the remote IBM Connect:Direct system does not have the CA certificate.
Solution: Verify that each trading partner can validate the certificates of other trading partners and resubmit the Process. Ensure that the remote node record for the trading partner has enabled the correct protocol.

Problem: The following error is received from the SNODE: CSPA202E SSL or TLS handshake failure, reason=GSK_ERROR_UNKNOWN_ERROR.
Possible Cause: A conflict within the IBM System SSL toolkit occurred because a certificate being processed did not use version 3 of the toolkit.
Solution: Ensure that all certificates and CA certificates are using version 3.

Problem: Connect:Direct Secure Plus features are enabled in the Connect:Direct Secure Plus parameter file, but the statistics record indicates that these functions are disabled.
Possible Cause: The IBM Connect:Direct network maps do not contain entries for the PNODE and SNODE. The node that you are connecting with is a V1 flow (such as LU0 or Netex). Connect:Direct Secure Plus is not supported for V1 flows because of reliance on XDR support.
Solution: Verify that the network map entries for both the PNODE and the SNODE exist, and use a V2 protocol such as LU6.2 or TCP/IP. Check for the existence of the extended statistics record for Session Begin (the SB record). This record is only created in V2 flows. The absence of this record indicates V1 flows were used.

Problem: Connect:Direct Secure Plus parameters specified from the copy statement cause the copy step to fail with message CSPA077E.
Possible Cause: The node that you are connecting with is a V1 flow (such as LU0 or Netex). Connect:Direct Secure Plus is not supported for V1 flows because of reliance on XDR support.
Solution: Check for the existence of the extended statistics record for Session Begin (the SB record). This record is only created in V2 flows. The absence of this record indicates V1 flows were used.

Problem: An error occurs in ESTAE with a bad return code (RC=3) when running a Process with a remote node and the Process fails.
Possible Cause: The value for Connect:Direct Secure Plus Export version is incorrect in the remote node definitions for one or both of the nodes. If one node is EXPORT and the other node is NOT EXPORT, the elliptic curves that enable you to create keys and generate Diffie-Hellman shared secrets are not correct.
Solution: Verify that the remote node definitions on both sites accurately state the Connect:Direct Secure Plus Export information.

Problem: Running a Process with a remote node fails with an authentication error.
Possible Cause: Unique public/private key pairs are generated for the remote node record and the local node record is set to OVERRIDE=N.
Solution: Change the local node record to OVERRIDE=Y or do not use unique public/private key pairs in the remote node record.

Problem: The Save Active option is not selectable.
Possible Cause: You can only use the Save Active function once each time you open the Connect:Direct Secure Plus parameter file.
Solution: Reopen the Connect:Direct Secure Plus parameter file to use the Save Active function or use the Save As function.

Problem: The text entry fields on the Create/Update panel of the Secure+ Admin Tool are not visible.
Possible Cause: The CUA attributes in your ISPF profile are not set correctly.
Solution: Change the value for Normal Text entry in the CUA attributes of the ISPF profile to uscore in the Highlight column.

Problem: The Connect:Direct Secure Plus parameter ENCRYPT.DATA, specified from the copy statement, causes the copy step to fail with an error message CSPA080E.
Possible Cause: The algorithm name used in the COPY statement is not in the supported algorithm list for both nodes.
Solution: Verify that the algorithm name in the copy statement is in the supported algorithm list for both nodes.

Problem: A Process including a COPY statement with a SECURE parameter was submitted and failed. The following CSPA011E error message is displayed: Illegal attempt to override Connect:Direct Secure Plus parameters
Possible Cause: There will not be any CSPA011E error message for Secure=(Encrypt.Data=Y|N) as it has been deprecated and ignored from the process.
Solution: Take one of the following actions:
  • Remove the SECURE= parameter from the COPY statement and resubmit the Process.
  • Change the OVERRIDE setting in the remote node record in the parameter file and make sure all other necessary protocol settings are specified. Resubmit the Process including the SECURE= parameter.
See Override Settings in IBM Connect:Direct Processes.

Problem: An SSL or TLS session was attempted with an IBM Connect:Direct system that does not implement SSL or TLS.
Possible Cause: The trading partner does not have the protocol enabled.
Solution: Request that the trading partner configure its node for the correct protocol or disable Connect:Direct Secure Plus for the node.

Problem: Either the CSPA203E error message or the CSPA204E message is displayed: SSL or TLS send failure, rc=&RC, rsn=&RSN or SSL or TLS receive failure, rc=&RC, rsn=&RSN.
Possible Cause: The client cannot validate the server's certificate.
Solution: Ensure that client authentication is turned on and certificate information is defined in the remote node record.

Problem: The following CSPA205E error message is displayed: SSL or TLS support requires the TCP/IP protocol.
Possible Cause: One of the trading partners is not using TCP/IP for communications.
Solution: Determine which trading partner does not have TCP/IP enabled and change the configuration of that trading partner.

Problem: The following CSPA200E error message is displayed: Connect:Direct Secure Plus version mismatch.
Possible Cause: You are attempting to use the SSL or TLS protocol to securely communicate with a trading partner that does not have the protocol enabled.
Solution: Change the configuration of the remote node record to enable the correct protocol.

Problem: The following CSPA206E error message is displayed: Remote certificate is invalid.
Possible Cause: The root certificate was not found.
Solution: Check the parameter file configuration and ensure that the correct certificate is identified in the remote node record.

Problem: The following CSPA207E error message is displayed: Root certificate not found.
Possible Cause: The remote certificate could not be validated.
Solution: Check the parameter file configuration and ensure the correct key database file is identified in the remote node record.

Problem: The following SITA1901 error message is displayed: Sec+ Init failed. Secure= No. Override=No.
Possible Cause: The local node record has all Connect:Direct Secure Plus protocols disabled and has override set to no.
Solution: Either enable the appropriate protocol in the remote node record or enable override=yes in the local node record.

Problem: A Process was submitted and failed. The following CSPA078E error message is displayed: Invalid specification of SECURE= on PROCESS statement.
Possible Cause: SECURE= cannot be specified in a non-IBM Connect:Direct Secure Plus environment or when the Remote Node record in the Connect:Direct Secure Plus Parmfile does not specify OVERRIDE=Y. There will not be any CSPA011E error message for Secure=(Encrypt.Data=Y|N) as it has been deprecated and ignored from the process.
Solution: Take one of the following actions:
  • Remove the SECURE= parameter from the PROCESS statement and resubmit the Process.
  • Change the OVERRIDE setting in the remote node record in the parameter file and make sure all other necessary protocol settings are specified. Resubmit the Process including the SECURE= parameter.
See Override Settings in IBM Connect:Direct Processes.

Problem: The submit within a Process failed with a reason code of 8. The following SCBI514E or SSUB267E error message is displayed: Equal sign required after SECURE keyword. The SECURE keyword in the PROCESS must be followed by an equal sign.
Possible Cause: You attempted to use the SECURE parameter in a PROCESS statement but did not include an equal sign after the SECURE keyword.
Solution: Correct the PROCESS statement syntax by inserting an equal sign and resubmit the Process.

Problem: The submit within a Process failed with a reason code of 8. The following SCBI515E or SSUB268E error message is displayed: A parsing error occurred on the SECURE keyword when processing the SECURE keyword on the PROCESS statement.
Possible Cause: You attempted to use the SECURE parameter in a PROCESS statement but the syntax was faulty.
Solution: Correct the PROCESS statement and resubmit the Process. For a complete description of the SECURE parameter and how to use it in the PROCESS statement, see the IBM Connect:Direct Process Language Reference Guide.
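
An added example (not IBM's code and not part of the original page): a small log triage for the CSPA600W, CSPA601E and CSPA607W certificate messages in the table above, ordering findings by urgency and flagging a CSPA607W label that differs from a key database label only in case. The `triage` function, the `keydb_labels` input, the timestamp prefix and the sample lines are assumptions, as is the layout of a message that carries no node name.

```python
import re

# Message templates come from this page; "&date" is kept as an opaque string
# because the page does not give its format. Assumption: when no node is
# associated with the certificate, the "for Node: ..." part is absent.
CERT_MSG = re.compile(
    r"(?P<id>CSPA600W|CSPA601E|CSPA607W)\s+(?:WARNING|ERROR)\s+"
    r"Cert:\s*(?P<cert>.+?)(?:\s+for Node:\s*(?P<node>\S+))?\s+"
    r"(?:expires:\s*(?P<expires>.+?)|expired on:\s*(?P<expired>.+?)"
    r"|does not exist)\.?\s*$"
)
STATE = {"CSPA601E": "expired", "CSPA607W": "missing", "CSPA600W": "expiring"}
ORDER = ["expired", "missing", "expiring"]  # most urgent first


def triage(lines, keydb_labels=()):
    """Return one finding per certificate message, most urgent first."""
    findings = []
    for line in lines:
        m = CERT_MSG.search(line)
        if not m:
            continue  # not one of the three certificate messages
        f = {
            "state": STATE[m["id"]],
            "cert": m["cert"],
            "node": m["node"],  # None when the message carries no node
            "date": m["expires"] or m["expired"],  # None for CSPA607W
            "hint": None,
        }
        if f["state"] == "missing":
            # Labels are case sensitive: look for one differing only in case.
            near = [lab for lab in keydb_labels
                    if lab != f["cert"] and lab.lower() == f["cert"].lower()]
            if near:
                f["hint"] = "label case mismatch, key database has %r" % near[0]
        findings.append(f)
    return sorted(findings, key=lambda f: ORDER.index(f["state"]))


# Constructed sample lines (not real product output); dates are placeholders.
SAMPLE = [
    "10:15:02 unrelated line that must be ignored",
    "10:15:03 CSPA600W WARNING Cert: CD Prod Cert for Node: NODE.A expires: 2031-01-15.",
    "10:15:03 CSPA607W WARNING Cert: partnerca for Node: NODE.B does not exist.",
    "10:15:04 CSPA601E ERROR Cert: OLDCERT expired on: 2024-03-01.",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE, keydb_labels=["PartnerCA", "CD Prod Cert"]):
        print(finding)
```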