| EGSKSIGN (10001) |
gsk_status code generated during the failure.
Common codes are:
- [CMSERR_ALG_NOT_SUPPORTED]
- The signature algorithm is not supported.
- [CMSERR_BAD_DIGEST_SIZE ]
- The certificate private key is not long enough to be used with
the digest size required by the requested hash algorithm.
- [CMSERR_KEY_MISMATCH]
- The supplied key does not match the signature algorithm.
- [CMSERR_NO_MEMORY]
- Insufficient storage is available.
- [CMSERR_ICSF_NOT_AVAILABLE]
- ICSF is not available.
- [CMSERR_ICSF_SERVICE_FAILURE]
- An ICSF service failed.
|
A System SSL CMS error was encountered while
attempting to create a signature. The reason code will contain the
System SSL return code.
- System Action
- Request fails but connection remains open.
- Response
- Examine gsk_status code (returned as the reason code), which are
documented in z/OS Cryptographic Services System SSL Programming. Verify the failed message contained correct
data. If it did not then take action to correct the message content.
If it did then contact the NSSD administrator to determine what action
to take.
If the gsk_status_code is CMS_ERR_ICSF_NOT_AVAILABLE,
request that the NSSD administrator verify that ICSF is started.
If the gsk_status_code is CMS_ERR_ICSF_SERVICE_FAILURE, notify
the NSSD administrator. The NSSD administrator should determine whether
the SAF CSFSERV general resource class is defined and determine whether
the CSF1PKS profile is defined for that resource. If the CSF1PKS
profile is defined, verify that NSSD has read access to it. See the z/OS Cryptographic Services ICSF Administrator's Guide for more information about the CSFSERV general
resource and the CSF1PKS profile.
|
| EGSKVAL (10002) |
gsk_status code generated during the failure.
Common codes are:
- [CMSERR_BAD_HANDLE]
- The database handle is not valid.
- [CMSERR_BAD_ISSUER_NAME]
- The certificate issuer name is not valid.
- [CMSERR_BAD_SIGNATURE]
- The signature is not correct.
- [CMSERR_CERT_CHAIN_NOT_TRUST]
- The certification chain is not trusted.
- [CMSERR_CERTIFICATE_REVOKED]
- The certificate is revoked.
- [CMSERR_EXPIRED]
- The certificate is expired.
- [CMSERR_INCORRECT_DBTYPE]
- The database type does not support certificates.
- [CMSERR_INCORRECT_KEY_USAGE]
- The issuer certificate does not allow signing certificates
- [CMSERR_ISSUER_NOT_CA]
- The certificate issuer is not a certification authority.
- [CMSERR_ISSUER_NOT_FOUND]
- The issuer certificate is not found in one of the data sources.
- [CMSERR_NAME_CONSTRAINTS_VIOLATED]
- The certificate name is not consistent with the name constraints.
- [CMSERR_NAME_NOT_SUPPORTED]
- The AuthorityKeyIdentifier extension name is not a directory name.
- [CMSERR_NOT_YET_VALID]
- The certificate is not yet valid.
- [CMSERR_PATH_TOO_LONG]
- The certification chain exceeds the maximum allowed by the CA.
- [CMSERR_SELF_SIGNED_NOT_FOUND]
- A self-signed certificate is not found in a trusted data source
- [CMSERR_ICSF_NOT_AVAILABLE]
- ICSF is not available.
|
GSK validate certificate failure.
- System Action
- Request fails but connection remains open.
- Response
- Examine gsk_status code (returned as the reason code), which are
documented in z/OS Cryptographic Services System SSL Programming. Verify the failed message contained correct
data. If it did not, then take action to correct the message content.
If it did and the reason code is one of the following, contact the
certificate owner and inform them of the problem encountered with
the certificate:
CMSERR_BAD_ISSUER_NAME
CMSERR_BAD_SIGNATURE
CMSERR_CERTIFICATE_REVOKED
CMSERR_EXPIRED
CMSERR_INCORRECT_KEY_USAGE
CMSERR_ISSUER_NOT_CA
CMSERR_NAME_CONSTRAINTS
_VIOLATEDCMSERR_NAME_NOT_SUPPORTED
CMSERR_NOT_YET_VALID
CMSERR_PATH_TOO_LONG
If the reason code is anything other
than the codes above, contact the NSSD administrator to determine
what action to take. Other common reason codes include: CMSERR_BAD_HANDLE
CMSERR_CERT_CHAIN_NOT_TRUST
CMSERR_INCORRECT_DBTYPE
CMSERR_ISSUER_NOT_FOUND
CMSERR_SELF_SIGNED_NOT_FOUND
If the gsk_status_code is CMSERR_ICSF_NOT_AVAILABLE,
request that the NSSD administrator verify that ICSF is started.
|
| EGSKVER (10003) |
gsk_status code generated during the failure.
Common codes are:
- [CMSERR_ALG_NOT_SUPPORTED]
- The signature algorithm is not supported.
- [CMSERR_BAD_DIGEST_SIZE]
- The digest size is not correct.
- [CMSERR_BAD_SIGNATURE]
- The signature is not correct.
- [CMSERR_KEY_MISMATCH]
- The supplied key does not match the signature algorithm.
- [CMSERR_ICSF_NOT_AVAILABLE]
- ICSF is not available.
- [CMSERR_ICSF_SERVICE_FAILURE]
- An ICSF service failed.
|
A System SSL CMS error was encountered while
attempting to verify a signature. The reason code will contain the
System SSL return code.
- System Action
- Request fails but connection remains open.
- Response
- Examine gsk_status code (returned as the reason code), which are
documented in z/OS Cryptographic Services System SSL Programming. Verify the failed message contained correct
data. If it did not, then take action to correct the message content.
If it did, then treat the signature as an invalid signature.
If the gsk_status_code is CMS_ERR_ICSF_NOT_AVAILABLE,
request that the NSSD administrator verify that ICSF is started.
If the gsk_status_code is CMS_ERR_ICSF_SERVICE_FAILURE, notify
the NSSD administrator. The NSSD administrator should determine whether
the SAF CSFSERV general resource class is defined and determine whether
the CSF1PKV profile is defined for that resource. If the CSF1PKV profile
is defined, verify that NSSD has read access to it. See z/OS Cryptographic Services ICSF Administrator's Guide for more information about the CSFSERV general
resource and the CSF1PKV profile.
|
| EGSKCMS (10004) |
gsk_status code generated during the failure.
Common codes are:
- [CMSERR_ICSF_NOT_AVAILABLE]
- ICSF is not available.
|
A System SSL CMS error was encountered while
processing the request. The reason code will contain the System SSL
return code.
- System Action
- Request fails but connection remains open.
- Response
- Examine gsk_status code (returned as the reason code), which are
documented in z/OS Cryptographic Services System SSL Programming.
If the gsk_status_code is CMS_ERR_ICSF_NOT_AVAILABLE,
request that the NSSD administrator verify that ICSF is started.
|
| ECSFBEXT (10005) |
The high-order 16 bits of the reason code represent
the ICSF return code. The low-order 16 bits of the reason code represent
the ICFS reason code. |
An Integrated Cryptographic Service Facility
(ICSF) error was encountered. The reason code will contain the ICSF
return code (high-order 16 bits) and reason code (low-order 16 bits).
- System Action
- Request is failed but connection remains open.
- Response
- Review the ICSF return and reason codes from z/OS Cryptographic Services ICSF Application Programmer's Guide.
|
| EACCES (111) |
NMSRsnUserAuthentication (10001) |
User authentication failed
- System Action
- Request fails and the connection is closed.
- Response
- Verify the following: The user ID under which the NSS client connects
to the NSS server is correct The password used to authenticated that
user ID is valid, or the application key used to generate the passticket
is correct (this key is stored in the SAF-enabled security manager).
|
| EACCES (111) |
NMsRsnNoAuthForService (4) |
The NSS client does not have access to the requested
service through the governing SERVAUTH profile.
- System Action
- Request fails but connection remains open.
- Response
- If appropriate, define a SERVAUTH profile that will allow the
requested access.
|
| EACCES (111) |
NMsRsnNoAuthForClientname (3) |
The user ID in the connection request is not
authorized to act on behalf of the NSS clientName.
- System Action
- Request fails and the connection is closed.
- Response
- Ensure that all of the following are correct: The user ID (and
password, if necessary) as configured at the client. The client
name as configured at the client. Also ensure that the appropriate
SERVAUTH profiles are defined at the server system for the client.
|
| EACCES (111) |
NMsRsnDisconnectPending (1) |
A disconnect operation is pending.
- System Action
- Request fails but connection remains open for a very short time.
- Response
- The client must reconnect the server before any more NSS services
can be requested.
|
| ECCESS (111) |
NMsRsnUnsupportedDiscipline (10005) |
The discipline specified in the connection request
is currently disabled in the NSS server.
- System Action
- Connection is closed.
- Response
- Modify the NSS server configuration to enable the specified discipline.
|
| EINVAL (121) |
NMSRsnClientAlreadyConnected (10002) |
Client is already connected to this server.
- System Action
- Request fails and the connection is closed.
- Response
- If appropriate, disconnect the active client and reattempt the
connection request.
|
| EINVAL (121) |
NSSRsnRIDNotInCert (10003) |
The certificate used to sign does not contain
remote ID specified.
- System Action
- Request fails but connection remains open.
- Response
- None - this is an informational code only.
|
| EINVAL (121) |
NSSRsnBadCert (10005) |
Certificate not valid.
- System Action
- Request fails but connection remains open.
- Response
- If the failing certificate is one that is stored on the local
system, it should be refreshed or replaced. If that certificate comes
from a remote system, then this is an informational code only.
|
| EINVAL (121) |
NSSRsnUnsupportedCert (10006) |
Unsupported certificate encoding.
- System Action
- Request fails but connection remains open.
- Response
- Contact IBM® service.
|
| EINVAL (121) |
NSSRsnBadLIDType (10007) |
Unrecognized LID type.
- System Action
- Request fails but connection remains open.
- Response
- Contact IBM service.
|
| EINVAL (121) |
NSSRsnBadLIDValue (10008) |
LID value not valid.
- System Action
- Request fails but connection remains open.
- Response
- Contact IBM service.
|
| EINVAL (121) |
NSSRsnBadRIDType (10009) |
Unrecognized LID type.
- System Action
- Request fails but connection remains open.
- Response
- Contact IBM service.
|
| EINVAL (121) |
NSSRsnBadRIDValue (10010) |
LID value not valid.
- System Action
- Request fails but connection remains open.
- Response
- Contact IBM service.
|
| EINVAL (121) |
NSSRsnBadLocalIPaddr (10011) |
Local IPaddr not valid.
- System Action
- Request fails but connection remains open.
- Response
- Contact IBM service.
|
| EINVAL (121) |
NSSRsnBadRemoteIPaddr (10012) |
Remote IPaddr not valid.
- System Action
- Request fails but connection remains open.
- Response
- Contact IBM service.
|
| EINVAL (121) |
NSSRsnAddrVersionMismatch (10013) |
Local and remote IP address versions don't match.
- System Action
- Request fails but connection remains open.
- Response
- Contact IBM service.
|
| EINVAL (121) |
NSSRsnNoCertRep (10014) |
Certificate repository not available.
- System Action
- Request fails but connection remains open.
- Response
- Create or restore the certificate repository and then try the
request again.
|
| EINVAL (121) |
NSSRsnBadHashSize (10016) |
Hash size not valid for specified hash algorithm.
- System Action
- Request fails but connection remains open.
- Response
- Contact IBM service.
|
| EINVAL (121) |
NSSRsnBadHashAlg (10017) |
Hash algorithm not supported or an NSSD server
is at a lower version than the IKED client. Before calling IBM service, check for msg EZD1904E
in your IKED log. If it is a version mismatch, either change your
IpSec policy to specify only algorithms that this version of NSSD
supports or upgrade the NSSD server to the same version as IKED.
- System Action
- Request fails but connection remains open.
- Response
- Contact IBM service.
|
| EINVAL (121) |
NSSRsnSaNotInCertLife (10018) |
SA lifetime not in certificate lifetime.
- System Action
- Request fails but connection remains open.
- Response
- None - this is an informational code only.
|
| EINVAL (121) |
NSSRsnBadCa (10019) |
The DER encoding type specified for the Certificate
Authority name is unrecognized.
- System Action
- Request fails but connection remains open.
- Response
- Contact IBM service.
|
| EINVAL (121) |
NSSRsnUnsupportedCaType (10020) |
Unsupported CA encoding.
- System Action
- Request fails but connection remains open.
- Response
- Contact IBM service.
|
| EINVAL (121) |
NMsRsnInvalidService (10021) |
A service has been requested that is not affiliated
with the requested discipline.
- System Action
- Connection is closed.
- Response
- Re-attempt the connection and request only the services affiliated
with the requested discipline.
|
| EINVAL (121) |
NMsRsnInvalidDiscipline (10025) |
The discipline specified in the connection request
contains an invalid value.
- System Action
- Connection is closed.
- Response
- Re-attempt the connection and pass in a valid discipline.
|
| EINVAL (121) |
NMsRsnBadUpdate (10026) |
The client has attempted to update its client
information using values that cannot be changed after the initial
connection has succeeded.
- System Action
- Request is failed but connection remains open.
- Response
- Re-attempt the update by changing only those fields which are
acceptable under an update.
|
| EINVAL (121) |
NMsRsnInvalidAPIVersion (10027) |
An NSS client has attempted to connect to the
NSS server and has specified adherence to an API version that is insufficient
for the requested discipline.
- System Action
- Connection is closed.
- Response
- Re-attempt the connection using an accepted API version. NSS IPSec
clients must adhere to NMsec_NSS_API_VERSION1 (1) or higher. NSS XMLAppliance
clients must adhere to NMsec_NSS_API_VERSION2 (2) or higher.
|
| EINVAL (121) |
NMsRsnInvalidClientName (10029) |
NSS_ConnectClientReqToSrv or NSS_UpdateClientInfoReqToSrv
request is invalid.
- System Action
- If the client name is invalid on the connect, the request is failed
and the connection is closed. If the client name is invalid on the
update, the request is failed, the connection remains open, but the
client remains in the update pending state until a valid update is
provided.
- Response
- Re-attempt the connect or update by providing a valid NSS client
name. Valid characters are [a-zA-Z0-9_-]. The client name must be
left-justified and blank-padded. Embedded spaces are invalid.
|
| EINVAL (121) |
NSSRsnBadAuthMethod (10032) |
Authentication method not supported.
- System Action
- Request fails but connection remains open.
- Response
- Contact IBM service.
|
| EINVAL (121) |
NSSRsnBadPRFAlg (10033) |
PRF algorithm not supported.
- System Action
- Request fails but connection remains open.
- Response
- Contact IBM service.
|
| EINVAL (121) |
NSSRsnMissingCRLs (10034) |
The NSS client requested strict revocation checking
but certificate revocation lists (CRLs) are missing from the request.
- System Action
- Request fails but connection remains open.
- Response
- Re-attempt the request providing the missing CRLs.
|
| EINVAL (121) |
NSSRsnPRFAlgNotFIPS (10035) |
The NSS server is configured for FIPS mode but
the NSS client requested a PRF algorithm that is not valid for FIPS
mode (e.g. HMAC-MD5).
- System Action
- Request fails but connection remains open.
- Response
- Re-attempt the request with a PRF algorithm that is valid for
FIPS mode.
|
| EINVAL (121) |
NSSRsnHashAlgNotFIPS (10036) |
The NSS server is configured for FIPS mode but
the NSS client requested a hash algorithm that is not valid for FIPS
mode (e.g. MD5).
- System Action
- Request fails but connection remains open.
- Response
- Re-attempt the request with a hash algorithm that is valid for
FIPS mode.
|
| ENOLCK (131) |
0 |
Failed to obtain an internal lock.
- System Action
- Request fails but connection remains open. A message will appear
in the MVS™ system log with additional
diagnostic information.
- Response
- Contact IBM service.
|
| ENOMEM (132) |
NMsRsnTooManyConns (1) |
The NSS server is already using its maximum
number of 500 connections and cannot accept any more.
- System Action
- Connection is not opened and the request is failed.
- Response
- Try the request again later.
|
| ENXIO (138) |
NSSRsnUnknownClientName (10001) |
The specified client name not recognized.
- System Action
- Request fails and the connection is closed.
- Response
- Verify that the client name was specified correctly and that the
NSS client is connected to the NSS server. Note, however, that this
error code often occurs when directing a request to an NSS client
that is not currently connected to the NSS server.
|