SPE Problem Troubleshooting

When SPE is implemented, each time the IBM® Connect:Direct® server is started, a new encryption key is generated, the passwords are decrypted with the old key and re-encrypted with the new key, and both keys are saved. If the Strong Password Encryption key stored in the .PASSWORD record is out of sync with the SPE key used to encrypt the passwords, errors can occur and you must reset all SPE passwords and reimplement the SPE feature.

The .PASSWORD record can get out of sync if one of the following occurs:

  • You restore the .PASSWORD record from a backup of the IBM Connect:Direct Secure Plus parameter file—The .PASSWORD record is updated and a new encryption key generated each time the IBM Connect:Direct Secure Plus for z/OS® server is restarted, so the backup will probably not contain the current parameters.
  • The .PASSWORD record is deleted outside of IBM Connect:Direct and IBM Connect:Direct Secure Plus—The .PASSWORD record is recreated as needed, so the SPE key used to encrypt the passwords no longer exists.
  • The .PASSWORD record is corrupt—The SPE encryption key used to encrypt the passwords is not accessible.
  • After implementing SPE, the IBM Connect:Direct server is restarted with Secure Plus disabled.
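
The following is an added illustration, not IBM code: a simplified Python model of the restart-time key rotation described above, showing why restoring a backup of the key record leaves the stored passwords unreadable. The cipher, the ModelServer class, and all names and sample values are assumptions made for the model; the product's actual algorithm and record layout are not described on this page.

```python
import hashlib, hmac, secrets

# Stand-in authenticated cipher (SHA-256 keystream + HMAC tag), stdlib only.
# It is NOT the product's algorithm; it only makes a wrong key detectable.
def _stream(key, nonce, n):
    blocks = (hashlib.sha256(b"enc" + key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("stored password was not encrypted with this key")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class ModelServer:
    """Hypothetical model: password_record plays .PASSWORD, auth plays the AUTH file."""
    def __init__(self):
        self.password_record = {"old": None, "new": secrets.token_bytes(32)}
        self.auth = {}

    def set_password(self, user, password):
        self.auth[user] = seal(self.password_record["new"], password.encode())

    def restart(self):
        # Decrypt with the current key, re-encrypt with a fresh one, save both.
        current = self.password_record["new"]
        plain = {u: unseal(current, b) for u, b in self.auth.items()}
        fresh = secrets.token_bytes(32)
        self.auth = {u: seal(fresh, p) for u, p in plain.items()}
        self.password_record = {"old": current, "new": fresh}

def restore_stale_backup():
    """Back up the key record, restart once, restore the backup, restart again."""
    srv = ModelServer()
    srv.set_password("USER1", "constructed-sample-password")
    backup = dict(srv.password_record)
    srv.restart()                  # key rotates: the backup is now stale
    srv.password_record = backup   # restore of the old key record
    try:
        srv.restart()
        return "in sync"
    except ValueError:
        return "out of sync"
```

In the model, the only way back from the "out of sync" state is to set every stored password again, which matches the reset procedure in the tables that follow.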

The following tables identify errors you may experience when using the SPE feature, along with solutions to fix each issue.

Condition: Because of SPE errors, IBM Connect:Direct Secure Plus for z/OS either initializes with a SITA461I message or does not initialize at all with a SITA463E message.

Error: SITA461I, SITA463E

Cause: SPE-formatted passwords exist in the TCQ and/or AUTH files, but IBM Connect:Direct Secure Plus has not been enabled. IBM Connect:Direct for z/OS has not been set up to run with IBM Connect:Direct Secure Plus for z/OS.

Action: Add the SECURE.DSN=filename parameter to the initialization parameters, where filename is the name of the IBM Connect:Direct Secure Plus parameter file. Restart IBM Connect:Direct Secure Plus for z/OS. To see more detailed information about individual errors related to the general failure, see the ESTAE trace output.

Cause:
  • SPE-formatted passwords exist in the TCQ and/or AUTH files, but there is no .PASSWORD record in the IBM Connect:Direct Secure Plus parameter file.
  • SPE-formatted passwords exist in the TCQ and/or AUTH files, but the .PASSWORD record in the IBM Connect:Direct Secure Plus parameter file has OLD encryption keys. This can only occur if an old IBM Connect:Direct Secure Plus parmfile is restored with a backup that contains old keys.

Action: Reset all passwords in the TCQ and AUTH files by performing these actions:
  • Select the AUTH file record in the AUTH file. Provide a new password and blank out all unusable data.
  • In the TCQ file, delete all Processes and resubmit.

To see more detailed information about individual errors related to the general failure, see the ESTAE trace output.

Condition: You encounter errors while trying to maintain the AUTH file.

Error: SAFB023W, SAFF016W, SAFC016W, SAFE016W

Cause: While inserting and updating users through the IUI (INSERT/UPDATE/SELECT/DELETE USER RECORD screen), IBM Connect:Direct Secure Plus for z/OS could not read or record passwords. The .PASSWORD record does not contain the correct encryption key pair. The IBM Connect:Direct Secure Plus parameter file may have been restored with an old copy of the .PASSWORD record.

Action:
  1. Disable the SPE feature.
  2. Restart IBM Connect:Direct Secure Plus for z/OS.
  3. Enable the SPE feature again.
  4. Restart IBM Connect:Direct Secure Plus for z/OS.

To see more detailed information about individual errors related to the general failure, see the ESTAE trace output.