SPE Problem Troubleshooting
When SPE is implemented, each time the IBM® Connect:Direct® server is started, a new encryption key is generated, the passwords are decrypted with the old key and encrypted with the new key, and then both keys are saved. If the Strong Password Encryption key stored in the .PASSWORD record is out of sync with the SPE key used to encrypt the passwords, errors can occur and you must reset all SPE passwords and reimplement the SPE feature.
The .PASSWORD record can get out of sync if one of the following occurs:
- You restore the .PASSWORD record from a backup of the IBM Connect:Direct Secure Plus parameter file—The .PASSWORD record is updated and a new encryption key generated each time the IBM Connect:Direct Secure Plus for z/OS® server is restarted, so the backup will probably not contain the current parameters.
- The .PASSWORD record is deleted outside of IBM Connect:Direct and IBM Connect:Direct Secure Plus—The .PASSWORD record is recreated as needed, so the SPE key used to encrypt the passwords no longer exists.
- The .PASSWORD record is corrupt—The SPE encryption key used to encrypt the passwords is not accessible.
- After implementing SPE, the IBM Connect:Direct server is restarted with Secure Plus disabled.
The following tables identify errors you may experience when using the SPE feature, along with solutions to fix each issue.
Condition: Because of SPE errors, IBM Connect:Direct Secure Plus for z/OS either initializes with a SITA461I message or does not initialize at all with a SITA463E message.
Error | Cause | Action |
---|---|---|
SITA461I SITA463E | SPE-formatted passwords exist in the TCQ and/or AUTH files, but IBM Connect:Direct Secure Plus has not been enabled. | IBM Connect:Direct for z/OS has not been set up to run with IBM Connect:Direct Secure Plus for z/OS. Add the SECURE.DSN=filename parameter to the initialization parameters, where filename is the name of the IBM Connect:Direct Secure Plus parameter file. Restart IBM Connect:Direct Secure Plus for z/OS. To see more detailed information about individual errors related to the general failure, see the ESTAE trace output. |
 | | Reset all passwords in the TCQ and AUTH files by performing these actions: To see more detailed information about individual errors related to the general failure, see the ESTAE trace output. |
Condition: You encounter errors while trying to maintain the AUTH file.
Error | Cause | Action |
---|---|---|
SAFB023W SAFF016W SAFC016W SAFE016W | While inserting and updating users through the IUI (INSERT/UPDATE/SELECT/DELETE USER RECORD screen), IBM Connect:Direct Secure Plus for z/OS could not read or record passwords. The .PASSWORD record does not contain the correct encryption key pair. The IBM Connect:Direct Secure Plus parameter file may have been restored with an old copy of the .PASSWORD record. | To see more detailed information about individual errors related to the general failure, see the ESTAE trace output. |