03353001 Insufficient memory is available.

Explanation

There is not enough memory available to allocate a required control block or data element.

User response

Increase the memory available to the application and then retry the request. Contact your service representative if the error persists.

03353002 Certificate extension is not supported.

Explanation

An X.509 certificate extension is either not supported by the current level of the System SSL run time or is not supported by the certificate version. The certificate extension is not processed. If the extension is marked as a critical extension, the X.509 certificate cannot be processed.

User response

Upgrade the System SSL run time if a later software level supports the certificate extension.

03353003 Cryptographic algorithm is not supported.

Explanation

An X.509 cryptographic algorithm is not supported by the current level of the System SSL run time. This error can also occur if the current operation does not support the specified cryptographic algorithm. When running in FIPS mode, this error may occur if an attempt is made to use an algorithm that is not supported in FIPS mode.

User response

Ensure that the cryptographic algorithm is supported for the requested operation or that it is supported if executing in FIPS mode. Upgrade the System SSL run time if a later software level supports the cryptographic algorithm.

03353004 Signature is not correct

Explanation

The signature is incorrect for an X.509 certificate or certificate revocation list. This usually means that the certificate has been modified since it was signed by the issuing Certificate Authority.

User response

Verify that the certificate has not been modified. Collect a System SSL trace containing the error and then contact your service representative if the error persists.

03353005 Cryptographic request failed.

Explanation

A cryptographic request failed with an unexpected error.

User response

Collect a System SSL trace containing the error and then contact your service representative if the error persists.

03353006 Input/Output request canceled.

Explanation

An input/output operation is canceled by the user. This can occur if the user cancels a terminal read request by pressing an attention key or by pressing the enter key without entering any data.

User response

None

03353007 Input/Output request failed.

Explanation

An input/output operation fails.

User response

Verify that the file or key ring can be accessed and is not damaged. If creating or updating a file, verify that the file system containing the file is not full. Collect a System SSL trace containing the error and then contact your service representative if the error persists.

03353008 Verification password does not match.

Explanation

The user is prompted to verify the password by entering it a second time. The user did not enter the same password both times.

User response

Enter the same password when prompted.

03353009 File or keyring not found

Explanation

A file or key ring cannot be opened because it is not found.

User response

Verify that the correct name is specified. This value is case-sensitive. Ensure that the case is preserved with your request. Contact your service representative if the error persists.

0335300A Database is not valid.

Explanation

The key database or the request database is not valid. This error can occur if the wrong database password is used when opening the database or if the database format is not supported by the current level of the System SSL run time.

User response

Verify that the database has not been modified or truncated. Collect a System SSL trace containing the error and then contact your service representative if the error persists.

0335300B Message not found.

Explanation

The System SSL run time is unable to locate a message in the message catalog.

User response

Verify that the message catalog can be accessed by the application and can be located using the NLSPATH environment variable. Contact your service representative if the error persists.

0335300C Handle is not valid.

Explanation

The handle that is passed to the System SSL run time is not valid. This error can occur if the handle is closed or is not the proper type for the requested function.

User response

Pass a valid handle to the System SSL routine.

0335300D Record deleted.

Explanation

The requested record is deleted.

User response

None

0335300E Record not found.

Explanation

The requested record is not found.

User response

If using RACF key rings, certificates that are marked as not trusted in the RACF database are not retrieved from the key ring. Ensure that the certificates needed to build the certificate's trust chain are available.

If using RACF key rings and the DIGTCERT and DIGTRING classes are RACLIST'ed, issue the SETROPTS RACLIST (DIGTCERT, DIGTRING) REFRESH command to refresh the profiles to ensure that the latest changes are available.

If generic profile checking was enabled for the DIGTCERT class when the certificate was created or added and its issuer's distinguished name contains any generic characters (*, & and %), a generic certificate profile was created. This generic profile processing may cause the certificate not to be read from the key ring. This certificate will need to be removed and added back after turning off generic profile checking for the DIGTCERT class. The SEARCH CLASS(DIGTCERT) command can be used to determine if the certificate's profile is generic. A (G) indicates generic.

0335300F Incorrect database type

Explanation

The database does not support the requested operation. This error can occur if the database type is not valid. It can also occur if an attempt is made to add a request record to a key database or a key record to a request database.

User response

Specify an operation supported by the database.

03353010 Database is not open for update.

Explanation

A request to modify the key or request database cannot be completed because update mode was not requested when the database was opened or an update was requested on a FIPS mode database while in non-FIPS mode.

User response

Request update mode when opening a database for modification.

03353011 Mutex request failed.

Explanation

A mutex operation failed.

User response

Contact your service representative.

03353012 Backup file already exists.

Explanation

Before updating a database file, the System SSL run time creates a backup file with the same name with ".new" appended to the name. This file is then deleted after the database file has been rewritten. The file is not deleted if an error occurs while rewriting the database file.

User response

Correct the problem that caused the database update to fail. Then copy the backup file to the database file and delete the backup file.

03353013 Database already exists.

Explanation

A request to create a new database cannot be completed because the database file already exists.

User response

Choose a different name for the new database or delete the existing database.

03353014 Record is too big.

Explanation

A new record cannot be added to the database because it is larger than the database record length.

User response

If using the gskkyman utility, use option 4 from the Database Menu to enlarge the database record length. Applications using the System SSL APIs can use the gsk_change_database_record_length API to enlarge the database record length.

03353015 Database password is expired.

Explanation

The database password is expired.

User response

Change the database password.

03353016 The password is not correct.

Explanation

The wrong password is specified for a key database, an encrypted private key, or an import file. This error can also occur if the file has been modified. Also, this error can occur if the key that is being exported is a secure private key in the TKDS and the specified password length is greater than 63 bytes.

User response

Specify the correct password.

03353017 Access denied.

Explanation

The database or key ring cannot be opened because the permissions do not allow access by the current user.

User response

Ensure that the user has read/write access to the database if opening the database for update mode; otherwise ensure that the user has read access to the database or key ring.

03353018 Database is locked for update.

Explanation

Another process has opened the database in update mode. Only one process may have the database open for update at a time.

User response

Wait until the database has been closed by the other process and then retry the request.

03353019 Record length is too small.

Explanation

The database record length is less than the minimum value of 2500.

User response

Specify a record length of 2500 or greater.

0335301A No private key.

Explanation

The key entry does not contain a private key or the private key is not usable. This error might also occur if:
  • The private key is stored in ICSF, and ICSF services are not available.
  • The private key size is greater than the supported configuration limit, or the application is executing in FIPS mode.
  • A SAF key ring is being used and:
    • The key ring is owned by another user.
    • The private key is associated with a user certificate in a SAF key ring that is owned by another user, and the user ID of the application does not have appropriate access to the ringOwner.ringName.LST resource in the RDATALIB class.
    • Certificates meant to represent a server or client must be connected to a SAF key ring with a USAGE value of PERSONAL, and must either be owned by the user ID of the application or be SITE certificates.
  • z/OS PKCS #11 tokens are being used and:
    • The user ID of the application does not have appropriate access to the CRYPTOZ class.
    • The label name is not valid for the certificate's PKCS #11 TKDS secure key.
    • The PKCS #11 key object does not exist.
    • The certificate's PKCS #11 TKDS secure key algorithm is not supported.
    • gsk_make_enveloped_private_key_msg() is used and the PKCS #11 secure key object supplied as input exists in the PKDS instead of the TKDS.

User response

Verify that the ICSF started task is running if the private key is stored in ICSF. Otherwise, repeat the failing request by using a database entry containing a private key. If using z/OS PKCS #11 tokens, ensure that the user ID has appropriate access to the CRYPTOZ class.

If executing in FIPS mode, ensure that the certificate that is being used does not have its private key stored in ICSF.

If using PKCS #11 tokens:
  • Verify that the certificate's PKCS #11 secure key label name is valid within the TKDS.
  • Verify that the PKCS #11 TKDS secure key algorithm is supported.
  • If you are using gsk_make_enveloped_private_key_msg(), verify that the input PKCS #11 key object exists in the TKDS.

0335301B Record label is not valid.

Explanation

The record label is not valid. A label may contain letters, numbers, and punctuation. A record label may not be an empty string.

User response

Provide a valid record label.

0335301C Record label is not unique.

Explanation

A record label must be unique within a key database file and its associated request database.

User response

Verify the labels already in use by a key database file and its associated request database and provide a unique record label.

0335301D Record type is not valid.

Explanation

The database record type is not valid.

User response

Provide a valid database record type.

0335301E Duplicate certificate.

Explanation

An attempt is made to add a certificate to a key database but the database already contains the certificate. A certificate is a duplicate if the issuer name and certificate serial number are the same.

User response

Delete the existing certificate before adding the new certificate.

0335301F Incorrect Base64 encoding.

Explanation

An encoded stream cannot be decoded because it contains an incorrect Base64 encoding. A Base64 encoding consists of a header line (for example, -----BEGIN CERTIFICATE-----), encoded text, and a footer line (for example, -----END CERTIFICATE-----). The encoded text is encoded using a 64-character subset in groups of 4 characters.

User response

Ensure that the encoded stream has not been truncated or modified. Base64 encoding uses text data and must be in the local code page. Contact your service representative if the error persists.

03353020 Unrecognized file or message encoding.

Explanation

A file or message cannot be imported because the format is not recognized.

System SSL supports X.509 DER-encoded certificates, PKCS #7 signed data messages, and PKCS #12 personal information exchange messages for certificate import files. The import file data may be the binary data or the Base64-encoding of the binary data.

System SSL supports PKCS #7 data, encrypted data, signed data, and enveloped data for messages. This error can also occur if the message is not constructed properly.

User response

Ensure that the import file or message has not been modified. A Base64-encoded import file must be converted to the local code page when it is moved to another system while a binary import file must not be modified when it is moved to another system.

If importing a certificate from a Base64 file, the first and last lines contain readable data. The first line in the file contains '-----BEGIN CERTIFICATE-----' and the last line in the file contains '-----END CERTIFICATE-----'. If this data is not correct, ensure that the file was transferred successfully.
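The structural rules that messages 0335301F and 03353020 describe (a header line, Base64 text in groups of four characters from the 64-character alphabet, a matching footer line, and binary DER as the alternative) can be checked before handing an import file to the run time. The following is an added example, not IBM System SSL code: `check_import_data` returns the message code the stream would plausibly raise, or `None` with the decoded DER. It assumes the text is ASCII (on z/OS the file must be in the local EBCDIC code page instead), and it adds an outer DER length check, not mentioned in the message text, which catches files that lost whole lines in transfer yet still decode. The sample certificate is a constructed stand-in, not a real X.509 certificate.

```python
"""Import-stream checks mirroring messages 0335301F and 03353020 (added example)."""
import base64
import binascii
import re

BAD_BASE64 = "0335301F"    # Incorrect Base64 encoding
UNRECOGNIZED = "03353020"  # Unrecognized file or message encoding

HEADER = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
FOOTER = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
B64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")


def der_outer_length_ok(der: bytes) -> bool:
    """True if the data is a DER SEQUENCE whose encoded length matches the data length."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        length, header = first, 2
    else:                                  # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def check_import_data(data: bytes):
    """Return (message_code_or_None, der_bytes_or_None) for a certificate import stream."""
    if data[:1] == b"\x30":                # binary DER: an X.509 Certificate is a SEQUENCE
        return (None, data) if der_outer_length_ok(data) else (UNRECOGNIZED, None)
    try:
        text = data.decode("ascii")        # assumption: the local code page is ASCII
    except UnicodeDecodeError:
        return UNRECOGNIZED, None          # wrong code page (e.g. EBCDIC on an ASCII host) or binary junk
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    head = HEADER.match(lines[0]) if lines else None
    if head is None:
        return UNRECOGNIZED, None
    foot = FOOTER.match(lines[-1]) if len(lines) > 1 else None
    if foot is None or foot.group(1) != head.group(1):
        return BAD_BASE64, None            # footer missing or mismatched: truncated or modified
    body = "".join(lines[1:-1])
    padding = len(body) - len(body.rstrip("="))
    if not body or len(body) % 4 or padding > 2 or not set(body.rstrip("=")) <= B64_ALPHABET:
        return BAD_BASE64, None            # not groups of four from the 64-character alphabet
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error:
        return BAD_BASE64, None
    if not der_outer_length_ok(der):
        return BAD_BASE64, None            # decodes, but whole lines are missing or extra
    return None, der


def make_sample_der() -> bytes:
    """Constructed stand-in for a certificate: SEQUENCE { OCTET STRING of 126 bytes }."""
    inner = b"\x04\x7e" + bytes(range(126))        # 128 bytes of content
    return b"\x30\x81\x80" + inner                  # long-form length: 0x81 0x80


def pem_encode(der: bytes, label: str = "CERTIFICATE") -> str:
    """Base64 armour with 64-character lines, header and footer."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----", ""])


if __name__ == "__main__":
    der = make_sample_der()
    print(check_import_data(pem_encode(der).encode())[0])              # None: valid
    print(check_import_data(pem_encode(der).encode("cp500"))[0])       # 03353020: EBCDIC text on an ASCII host
```

The `cp500` case in the usage demonstrates the code-page point in the user response: the same Base64 file in EBCDIC is unreadable to an ASCII consumer and must be converted when moved between systems, whereas a binary DER file must not be converted.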

03353021 Certificate is not yet valid.

Explanation

The current time is earlier than the beginning of the certificate validity.

User response

Either wait until the certificate is valid or request a new certificate with an earlier starting date from the certification authority.

03353022 Certificate is expired

Explanation

The current time is after the end of the certificate validity.

User response

Request a new certificate from the certification authority.

03353023 Name format is not supported.

Explanation

An unsupported name format is encountered while validating a certificate.

User response

Contact your service representative.

03353024 Issuer certificate not found.

Explanation

An issuer certificate is not found while validating a certificate. This error can occur if the issuer certificate required for a new certificate is not in the key database or if the required issuer certificate is not trusted or has expired.

User response

Ensure that the key database contains the required issuer certificate and that the certificate is marked as trusted. See Database menu for information about displaying the contents of an external certificate file to verify which issuer certificate is required. Contact your service representative if the error persists.

If using RACF key rings, certificates that are marked as not trusted in the RACF database are not retrieved from the key ring. Ensure that the certificates needed to build the certificate's trust chain are available.

If using RACF key rings and the DIGTCERT and DIGTRING classes are RACLIST'ed, issue the SETROPTS RACLIST (DIGTCERT, DIGTRING) REFRESH command to refresh the profiles to ensure that the latest changes are available.

If generic profile checking was enabled for the DIGTCERT class when the certificate was created or added and its issuer's distinguished name contains any generic characters (*, & and %), a generic certificate profile was created. This generic profile processing may cause the certificate not to be read from the key ring. This certificate will need to be removed and added back after turning off generic profile checking for the DIGTCERT class. The SEARCH CLASS(DIGTCERT) command can be used to determine if the certificate's profile is generic. A (G) indicates generic.

03353025 Certification path is too long.

Explanation

The certification path length exceeds the maximum that is specified in the certification authority certificate.

User response

Report the problem to the certification authority.

03353026 Incorrect key usage.

Explanation

The key usage certificate extension does not permit the requested key operation.

User response

Obtain a certificate that allows the requested key operation.

03353027 Issuer is not a certification authority.

Explanation

The issuer of an X.509 certificate or the certificate used to sign a certificate revocation list is not a certification authority. This indicates that the basic constraints certificate extension in the issuer certificate or the certificate used to sign a certificate revocation list does not contain the certification authority indicator.

User response

Report the problem to the issuer of the certificate. If creating a signed certificate revocation list, ensure that a valid certificate authority is specified in the gsk_construct_signed_crl(), gsk_create_signed_crl(), or gsk_create_signed_crl_record() routines.

03353028 Export file format is not supported.

Explanation

The requested export file format is not supported for the specified database record. Certificates can be exported using the DER and PKCS #7 formats. Certificates and keys can be exported using the PKCS #12 formats.

User response

Select an appropriate export file format.

03353029 Cryptographic algorithm is not available.

Explanation

An X.509 cryptographic algorithm is not available. Because of government export regulations, strong encryption is not available on the local system.

User response

Select an algorithm that is available.

0335302A Record type cannot be changed.

Explanation

The record type cannot be changed when replacing a database record.

User response

Create a new database entry for the record.

0335302B Subject name cannot be changed.

Explanation

The subject name cannot be changed when replacing a database record where the database record has no private key or is used as a signing certificate for other user or server certificates.

User response

Create a new database entry for the record.

0335302C Public key cannot be changed.

Explanation

The subject public key cannot be changed when replacing a database record.

User response

Create a new database entry for the record.

0335302D Default key cannot be changed

Explanation

The default key for the database cannot be changed using the gsk_replace_record() routine.

User response

Use the gsk_set_default_key() routine to change the default key for the database.

0335302E Database contains certificates signed by the certificate.

Explanation

A CA certificate cannot be deleted because the database still contains certificates that were signed using that certificate. A certificate renewal for a signing certificate fails with this error code if the certificate's subject name has changed.

User response

Delete all certificates that are signed by the CA certificate before deleting the certificate. To renew a signing certificate with a changed subject name all dependent certificates must be resigned with the new certificate:
  • Create certificate renewal requests for each dependent certificate and delete the dependent certificates and keys.
  • Receive the new signing certificate.
  • Sign any dependent certificate requests with the new signing certificate.
  • Receive the signed dependent certificate renewals.

0335302F Certificate chain is not trusted.

Explanation

A certification authority (CA) certificate in the certification chain is not trusted.

User response

Set the trust status for the CA certificate if the certificate can be used for authentication purposes.

If using RACF key rings, certificates that are marked as not trusted in the RACF database are not retrieved from the key ring. Ensure that the certificates needed to build the certificate's trust chain are available and have not expired.

If using RACF key rings and the DIGTCERT and DIGTRING classes are RACLIST'ed, issue the SETROPTS RACLIST (DIGTCERT, DIGTRING) REFRESH command to refresh the profiles to ensure that the latest changes are available.

If generic profile checking was enabled for the DIGTCERT class when the certificate was created or added and its issuer's distinguished name contains any generic characters (*, & and %), a generic certificate profile was created. This generic profile processing may cause the certificate not to be read from the key ring. This certificate will need to be removed and added back after turning off generic profile checking for the DIGTCERT class. The SEARCH CLASS(DIGTCERT) command can be used to determine if the certificate's profile is generic. A (G) indicates generic.

03353030 Key not supported by encryption or signature algorithm.

Explanation

The supplied key is not supported by the requested encryption or signature algorithm.

User response

Provide the appropriate key for the encryption or signature algorithm. For example, an RSA key cannot be used to verify a DSA signature, and a DSA key cannot be used to encrypt data. RSASSA-PSS signatures require an RSA key to perform the operation successfully.

03353031 Signer certificate not found.

Explanation

A signer certificate is not found while creating or processing a signed message.

User response

Provide a certificate for each signer, including signers of authenticated attributes.

03353032 Content type is not supported.

Explanation

An unsupported PKCS #7 content type is encountered.

User response

See the Programming Reference for the failing routine to determine the supported content types.

03353033 Recipient certificate not found.

Explanation

A recipient certificate is not found while creating or processing an enveloped message.

User response

Provide at least one recipient certificate.

03353034 Encryption key size is not supported.

Explanation

The encryption key size is not supported by the System SSL run time.

User response

See the System SSL information to determine which key sizes are supported. In general, when executing in non-FIPS mode, 40-bit keys and 128-bit keys are supported for RC2 and RC4, 56-bit keys are supported for DES, 168-bit keys are supported for Triple DES, and 128-bit keys and 256-bit keys are supported for AES. RSA keys must be between 512 and 4096 bits, DSS keys must be between 512 and 2048 bits, and Diffie-Hellman keys must be between 512 and 2048 bits.

When executing in FIPS mode with GSK_FIPS_STATE_ON or GSK_FIPS_STATE_LEVEL1 set, 168-bit keys are supported for Triple DES, and 128-bit keys and 256-bit keys are supported for AES. RSA keys must be between 1024 and 4096 bits, DSS keys must be between 1024 and 2048 bits, and Diffie-Hellman keys must be 2048 bits.

When executing in FIPS mode with GSK_FIPS_STATE_LEVEL2 set, 112-bit security is enforced when creating new keys or performing digital signature generation and encryption type operations. Digital signature verification, decryption using Triple DES, and RSA decryption with 80-bit key lengths are allowed when processing already protected information. For key generation, DSS keys must be between 1024 and 2048 bits, Diffie-Hellman keys must be 2048 bits, ECC keys must be 192 bits or greater, and RSA keys must be between 2048 and 4096 bits. For verification, DSS keys must be 1024 or 2048 bits, ECC keys must be 192 bits or greater, and RSA keys must be between 1024 and 4096 bits.

When executing in FIPS mode with GSK_FIPS_STATE_LEVEL3 set, 112-bit or higher security strength is enforced as defined in NIST SP800-131Ar1. For key generation, DSS keys must be 2048 bits, Diffie-Hellman keys must be 2048 bits, ECC keys must be 224 bits or greater, and RSA keys must be between 2048 and 4096 bits. For verification, DSS keys must be 2048 bits, ECC keys must be 224 bits or greater, and RSA keys must be between 2048 and 4096 bits.

When using RSASSA-PSS signature algorithm to perform sign or verify operations, only RSA key sizes 2048 through 4096 inclusive are supported.

This error can also occur if the requested key size is not compatible with the supplied key generation parameters. See the System SSL information to determine which key sizes are supported. See System SSL and FIPS 140-2 for information about operating in FIPS mode.

03353035 Encryption key parity is not correct.

Explanation

DES and Triple DES encryption keys must have odd parity for each key byte.

User response

Verify that the key is generated correctly. Contact your service representative if the error persists.

03353036 Encryption key is weak.

Explanation

A small subset of the possible DES and Triple DES encryption keys are weak and can be broken more easily than the rest of the keys. For this reason, the weak keys should be avoided when generating a DES or Triple DES key. The error can also occur while running in FIPS mode with a user-supplied Triple DES session key when the key does not contain three unique key parts.

User response

A user-supplied Triple DES key was found to be weak, or a Triple DES key was specified that did not have three unique key parts. Ensure that the key being used is valid and retry the operation. If the problem persists, collect a System SSL trace containing the error and then contact your service representative.
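Messages 03353035 and 03353036 describe three properties a DES or Triple DES key must have: odd parity in every byte, no weak key part, and (in FIPS mode) three distinct Triple DES key parts. The following is an added example, not IBM System SSL code, that applies those checks to a raw key and reports the message code the run time would raise. The weak-key table holds the four weak and twelve semi-weak DES keys from the DES literature, which the message text refers to only as "a small subset"; that list and the 8/16/24-byte key layout are assumptions of this example. The sample keys are constructed for illustration.

```python
"""DES / Triple DES key checks mirroring messages 03353035 and 03353036 (added example)."""

KEY_PARITY_NOT_CORRECT = "03353035"   # Encryption key parity is not correct
KEY_IS_WEAK = "03353036"              # Encryption key is weak

# Four weak keys (encrypting twice returns the plaintext) and twelve semi-weak
# keys (pairs that undo each other), as listed in the DES literature.
DES_WEAK_KEYS = {bytes.fromhex(h) for h in (
    "0101010101010101", "FEFEFEFEFEFEFEFE", "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E",
    "01FE01FE01FE01FE", "FE01FE01FE01FE01", "1FE01FE00EF10EF1", "E01FE01FF10EF10E",
    "01E001E001F101F1", "E001E001F101F101", "1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E",
    "011F011F010E010E", "1F011F010E010E01", "E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1",
)}


def has_odd_parity(key: bytes) -> bool:
    """Every key byte must contain an odd number of one bits."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def set_odd_parity(key: bytes) -> bytes:
    """Flip the low bit (the DES parity bit) of every byte whose popcount is even."""
    return bytes(b ^ 1 if bin(b).count("1") % 2 == 0 else b for b in key)


def key_parts(key: bytes) -> list:
    """Split a raw key into 8-byte DES key parts (assumption: 8, 16 or 24-byte keys)."""
    if len(key) not in (8, 16, 24):
        raise ValueError("DES/Triple DES keys are 8, 16 or 24 bytes")
    return [key[i:i + 8] for i in range(0, len(key), 8)]


def check_des_key(key: bytes, fips_mode: bool = False):
    """Return the message code System SSL would raise for this key, or None if it passes."""
    parts = key_parts(key)
    if not has_odd_parity(key):
        return KEY_PARITY_NOT_CORRECT
    if any(part in DES_WEAK_KEYS for part in parts):
        return KEY_IS_WEAK
    # FIPS mode: a Triple DES session key must carry three unique key parts.
    # (Single DES is not a FIPS algorithm at all; that is message 03353003, not this check.)
    if fips_mode and len(parts) > 1 and len(set(parts)) != 3:
        return KEY_IS_WEAK
    return None


if __name__ == "__main__":
    # Constructed sample keys; every byte already has odd parity.
    k1, k2, k3 = (bytes.fromhex(h) for h in ("0123456789abcdef", "fedcba9876543210", "89abcdef01234567"))
    print(check_des_key(k1 + k2 + k1, fips_mode=True))   # 03353036: only two unique parts
    print(check_des_key(k1 + k2 + k3, fips_mode=True))   # None
    print(check_des_key(set_odd_parity(bytes(8))))       # 03353036: all-zero key becomes 0101...01, a weak key
```

Note that `set_odd_parity` repairs parity only; a key that is weak after the repair (the all-zero key becomes 0101010101010101) is still rejected, which is why the message text says weak keys must be avoided at generation time rather than patched afterwards.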

03353037 Initial vector size is not correct.

Explanation

The initial vector that is used by the encryption routine is not the correct length.

User response

Contact your service representative.

03353038 Encryption data size is not correct.

Explanation

The length of the encryption data is not correct. For symmetric key algorithms using cipher block chaining, the encryption data must be a multiple of the cipher block size. For asymmetric key algorithms, the encryption data must be the same length as the cipher key modulus.

User response

Verify that the encryption data has not been truncated. Contact your service representative if the error persists.

03353039 Encryption block format is not correct.

Explanation

The encryption block format is not correct following decryption. This error can occur if the wrong key is used to decrypt the block.

User response

Verify that the correct key is being used to decrypt the data. Contact your service representative if the error persists.

0335303A Number does not have a modular inverse.

Explanation

The cryptographic support is unable to find an inverse for a number.

User response

Contact your support representative.

0335303B LDAP processing error.

Explanation

An error is detected while setting up the LDAP environment or retrieving an LDAP directory entry.

User response

Ensure that the LDAP server is running and that there are no network errors. Collect a System SSL trace containing the error and then contact your service representative if the error persists.

0335303C LDAP is not available.

Explanation

The System SSL run time is unable to access the LDAP server.

User response

Ensure that the LDAP server is running and that there are no network problems. Collect a System SSL trace and then contact your service representative if the error persists.

0335303D Digest data size is not correct.

Explanation

The length of the digest data is not correct. Digest data size by algorithm is:
  • MD2 – 16 bytes
  • MD5 – 16 bytes
  • SHA-1 – 20 bytes
  • SHA-224 – 28 bytes
  • SHA-256 – 32 bytes
  • SHA-384 – 48 bytes
  • SHA-512 – 64 bytes

User response

Verify that the data has not been truncated. Contact your service representative if the error persists.

0335303E Database name is not valid.

Explanation

The database file name or SAF key ring name is not valid. The length of the fully-qualified database file name must be between 1 and 251 while the length of the SAF key ring must be between 1 and 237.

User response

Provide a valid database name.

0335303F Database open failed.

Explanation

The System SSL run time is unable to open the database file, SAF key ring or z/OS PKCS #11 token.

User response

Verify that the database file, SAF key ring, or z/OS PKCS #11 token exists and is accessible by the application. Collect a System SSL trace and then contact your service representative if the error persists.

03353040 Self-signed certificate not in database.

Explanation

A self-signed certificate cannot be validated because it is not in the key database, SAF key ring or z/OS PKCS #11 token.

User response

Add the self-signed certificate to the key database, SAF key ring or z/OS PKCS #11 token.

This code may also occur if the intermediate certificate on the key ring was not marked Trusted.

If using RACF key rings, certificates that are marked as not trusted in the RACF database are not retrieved from the key ring. Ensure that the certificates needed to build the certificate's trust chain are available.

If using RACF key rings and the DIGTCERT and DIGTRING classes are RACLIST'ed, issue the SETROPTS RACLIST (DIGTCERT, DIGTRING) REFRESH command to refresh the profiles to ensure that the latest changes are available.

If generic profile checking was enabled for the DIGTCERT class when the certificate was created or added and its issuer's distinguished name contains any generic characters (*, & and %), a generic certificate profile was created. This generic profile processing may cause the certificate not to be read from the key ring. This certificate will need to be removed and added back after turning off generic profile checking for the DIGTCERT class. The SEARCH CLASS(DIGTCERT) command can be used to determine if the certificate's profile is generic. A (G) indicates generic.

03353041 Certificate is revoked.

Explanation

A certificate is revoked and cannot be used.

User response

Obtain a new certificate from the certification authority.

03353042 Issuer name is not valid.

Explanation

The certificate issuer name must be a non-empty X.509 distinguished name.

User response

Obtain a new certificate with a valid issuer name.

03353043 Subject name is not valid.

Explanation

The certificate subject name must be either a non-empty distinguished name or an empty distinguished name with a SubjectAltName certificate extension.

User response

Obtain a new certificate with a valid subject name.

03353044 Name constraints violated.

Explanation

The certificate name is not allowed by the certification path name constraints.

User response

Report the problem to the certification authority.

03353045 No content data.

Explanation

The PKCS #7 content information does not contain any content data.

User response

Change the application to provide content data for the content information.

03353046 Version is not supported.

Explanation

An unsupported version is encountered.

User response

See the Programming Reference for the failing routine to determine the supported versions.

03353047 Subject name is same as signer name.

Explanation

A request to create a new certificate cannot be processed because the requested subject name is the same as the subject name of the signing certificate.

User response

Choose a different subject name for the new certificate.

03353048 Diffie-Hellman group parameters are not valid.

Explanation

The Diffie-Hellman group parameters are not valid. The subprime Q must be greater than 1 and less than the prime P. The base G must be greater than 1 and less than the prime P. See RFC 2631 for more information about how the Diffie-Hellman parameters are generated.

User response

Verify that the correct parameters are supplied when calling the failing routine. Contact the certification authority if the Diffie-Hellman group parameters are obtained from an X.509 certificate. Otherwise, collect a System SSL trace and then contact your service representative.

03353049 Diffie-Hellman values are not valid.

Explanation

The Diffie-Hellman values are not valid. The private value X must be greater than 1 and less than the prime P. The public value Y must be greater than 1 and less than the prime P. In addition, the result of raising the public value Y to the power of the subprime Q modulo the prime P must be equal to 1. See RFC 2631 for more information about how the Diffie-Hellman values are generated.

User response

Contact the certification authority if the Diffie-Hellman values are obtained from an X.509 certificate. Otherwise, collect a System SSL trace and then contact your service representative.

0335304A Digital Signature Standard parameters are not valid.

Explanation

The Digital Signature Standard parameters are not valid. The subprime Q must be greater than 1 and less than the prime P. The base G must be greater than 1 and less than the prime P. See FIPS 186-2: Digital Signature Standard (DSS) for more information about how the parameters are generated.

User response

Verify that the correct parameters are supplied when calling the failing routine. Contact the certification authority if the DSS parameters are obtained from an X.509 certificate. Otherwise, collect a System SSL trace and then contact your service representative.
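
The following is an added example, not System SSL code, that writes out the range and subgroup checks described for 03353048, 03353049 and 0335304A in plain Python. The group used (P=23, Q=11, G=2) is a constructed toy so the checks run instantly; real deployments use 2048-bit or larger groups, such as those in RFC 7919, and the arithmetic is identical. The divisibility test Q | P-1 and the test that G generates the order-Q subgroup are additions taken from RFC 2631 and FIPS 186, not checks the messages above state explicitly; the function names are this example's own.

```python
from __future__ import annotations

# Constructed toy group: P = 23, Q = 11 (Q divides P-1 = 22), G = 2 has order 11.
# Real deployments use 2048-bit or larger groups (for example the RFC 7919
# groups); only the numbers change, not the checks.
P, Q, G = 23, 11, 2


def group_parameter_error(p: int, q: int, g: int) -> str | None:
    """Checks behind 03353048 (Diffie-Hellman) and 0335304A (DSS).

    The first two tests are the ones the messages state.  The last two come
    from RFC 2631 / FIPS 186, where G is generated as h^((P-1)/Q) mod P and
    therefore generates the subgroup of order Q; they are an addition here.
    Returns None when the parameters pass, otherwise a description.
    """
    if not 1 < q < p:
        return "subprime Q must be greater than 1 and less than P"
    if not 1 < g < p:
        return "base G must be greater than 1 and less than P"
    if (p - 1) % q != 0:
        return "subprime Q must divide P-1"
    if pow(g, q, p) != 1:
        return "base G does not generate the subgroup of order Q"
    return None


def dh_value_error(p: int, q: int, g: int,
                   x: int | None = None, y: int | None = None) -> str | None:
    """Checks behind 03353049 for a private value X and/or a public value Y."""
    err = group_parameter_error(p, q, g)
    if err:
        return err
    if x is not None and not 1 < x < p:
        return "private value X must be greater than 1 and less than P"
    if y is not None:
        if not 1 < y < p:
            return "public value Y must be greater than 1 and less than P"
        # Subgroup membership (Y^Q mod P == 1).  This is the test that rejects
        # a peer who sends an element of a small subgroup, such as P-1 (order
        # 2), in an attempt to learn bits of our private value.
        if pow(y, q, p) != 1:
            return "public value Y is not in the subgroup of order Q"
    if x is not None and y is not None and pow(g, x, p) != y:
        return "public value Y is not G^X mod P"
    return None


def demo() -> dict[str, str | None]:
    """Run the checks on a valid key pair and on typical bad inputs."""
    x = 5
    y = pow(G, x, P)  # 2^5 mod 23 = 9
    return {
        "valid": dh_value_error(P, Q, G, x, y),
        "bad_q": group_parameter_error(P, 12, G),        # 12 does not divide 22
        "g_out_of_range": group_parameter_error(P, Q, P),
        "x_out_of_range": dh_value_error(P, Q, G, x=1),
        "small_subgroup_y": dh_value_error(P, Q, G, y=P - 1),
        "mismatched_pair": dh_value_error(P, Q, G, x=5, y=4),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} -> {result or 'OK'}")
```

When the parameters come from an X.509 certificate rather than from the caller, the same checks apply; the difference is only who is asked to correct them, as the user responses above say.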

0335304B Certificate not valid for host.

Explanation

A server certificate does not contain the current host name either as the common name (CN) element of the subject name or as a DNS entry in the subject alternative name extension.

User response

Obtain a new certificate containing the host name you want.
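
The following is an added example, not System SSL code, showing the host-name comparison whose failure 0335304B reports, written in Python over name fields that a certificate decoder has already extracted. It follows the RFC 6125 precedence, which is stricter than the "either CN or DNS entry" wording above: dNSName entries of SubjectAltName are authoritative and the CN is used only when no dNSName is present. Wildcards are accepted only as the whole left-most label and match exactly one label; an IP literal never matches a dNSName or CN. The function names and the sample names are this example's own.

```python
from __future__ import annotations

import ipaddress


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against a (lower-cased) host, RFC 6125 style.

    A wildcard is accepted only as the entire left-most label, only when at
    least two labels follow it, and it matches exactly one label, so
    '*.example.com' covers 'www.example.com' but not 'example.com',
    'a.b.example.com' or 'www.example.org'.
    """
    pattern = pattern.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    if (p_labels[0] != "*" or len(p_labels) < 3
            or any("*" in label for label in p_labels[1:])):
        return False
    h_labels = host.split(".")
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def certificate_matches_host(host: str, san_dns_names: list[str],
                             subject_cn: str | None) -> bool:
    """The check whose failure is reported as 0335304B.

    dNSName entries of SubjectAltName are authoritative; the subject CN is
    consulted only when the certificate carries no dNSName at all.  An IP
    literal needs an iPAddress entry, which this example does not model, so
    it never matches here.
    """
    host = host.rstrip(".").lower()
    if not host or _is_ip_literal(host):
        return False
    if san_dns_names:
        candidates = san_dns_names
    else:
        candidates = [subject_cn] if subject_cn else []
    return any(_name_matches(name, host) for name in candidates)


def demo() -> dict[str, bool]:
    # Constructed name data, as a decoder would hand it over; not a real certificate.
    san = ["www.example.com", "*.api.example.com"]
    cn = "legacy.example.com"
    return {
        "exact_san": certificate_matches_host("www.example.com", san, cn),
        "case_and_trailing_dot": certificate_matches_host("WWW.Example.COM.", san, cn),
        "wildcard_one_label": certificate_matches_host("v1.api.example.com", san, cn),
        "wildcard_two_labels": certificate_matches_host("x.v1.api.example.com", san, cn),
        "wildcard_bare": certificate_matches_host("api.example.com", san, cn),
        "cn_ignored_when_san_present": certificate_matches_host("legacy.example.com", san, cn),
        "cn_used_without_san": certificate_matches_host("legacy.example.com", [], cn),
        "ip_literal": certificate_matches_host("192.0.2.10", ["192.0.2.10"], cn),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:28s} -> {'match' if ok else 'no match'}")
```

The case "cn_ignored_when_san_present" is the one that most often surprises operators: a certificate whose CN names the host but whose SubjectAltName does not will be rejected by RFC 6125 clients, so a replacement certificate must carry the host name as a DNS entry, not only in the CN.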

0335304C No certificate in import file.

Explanation

The import file does not contain an X.509 certificate.

User response

Specify a valid certificate import file.

0335304D The content-type authenticated attribute is not allowed.

Explanation

The set of authenticated attributes that are supplied within the attributes_signers parameter must NOT include the content-type authenticated attribute as this is automatically provided by gsk_make_signed_data_content_extended() and gsk_make_signed_data_msg_extended().

User response

Do not include content-type or message-digest in the set of authenticated attributes that are supplied to gsk_make_signed_data_content_extended() or gsk_make_signed_data_msg_extended().

0335304E The message-digest authenticated attribute is not allowed.

Explanation

The set of authenticated attributes that are supplied within the attributes_signers parameter must NOT include the message-digest authenticated attribute, because it is automatically provided by gsk_make_signed_data_content_extended() and gsk_make_signed_data_msg_extended().

User response

Do not include content-type or message-digest in the set of authenticated attributes that are supplied to gsk_make_signed_data_content_extended() or gsk_make_signed_data_msg_extended().

0335304F Attribute identifier is not valid.

Explanation

The attribute identifier is not valid.

User response

Specify a valid attribute identifier.

03353050 Enumeration is not valid.

Explanation

The enumeration value is not valid.

User response

Specify a valid enumeration value.

03353051 CA certificate not supplied

Explanation

A signing CA certificate was not supplied on the call.

User response

Supply a CA certificate on the function call.

03353052 Validation option is not valid.

Explanation

The specified validation option is not valid.

User response

Specify a valid validation option.

03353053 Certificate request not supplied.

Explanation

A certificate request structure was not supplied on the call.

User response

Supply a certificate request structure on the function call.

03353054 Public key info not supplied.

Explanation

A pkcs_public_key_info structure was not supplied on the call.

User response

Supply a pkcs_public_key_info structure on the function call.

03353055 Modulus bits not supplied.

Explanation

The number of modulus bits was not supplied on the call.

User response

Supply the number of modulus bits on the function call.

03353056 Exponent not supplied.

Explanation

A gsk_buffer structure containing the exponent was not supplied on the call.

User response

Supply a gsk_buffer structure containing the exponent on the function call.

03353057 Private key info not supplied.

Explanation

A pkcs_private_key_info structure was not supplied on the call.

User response

Supply a pkcs_private_key_info structure on the function call.

03353058 Modulus not supplied.

Explanation

A gsk_buffer structure containing the modulus for the RSA key was either not supplied on the call or not supplied in the gsk_private_key or gsk_public_key structure.

User response

Ensure that a gsk_buffer structure containing the modulus for the RSA key is supplied on the function call, or is defined in the gsk_private_key or gsk_public_key structure.

03353059 Public exponent not supplied.

Explanation

A gsk_buffer structure containing the public exponent for the RSA key was not supplied on the call or not supplied in the gsk_private_key or gsk_public_key structure.

User response

Ensure that a gsk_buffer structure containing the public exponent for the RSA key is supplied on the function call, or is defined in the gsk_private_key or gsk_public_key structure.

0335305A Private exponent not supplied.

Explanation

A gsk_buffer structure containing the private exponent for the RSA key was not supplied on the call, or not supplied in the gsk_private_key structure.

User response

Ensure that a gsk_buffer structure containing the private exponent for the RSA key is supplied on the function call, or is defined in the gsk_private_key structure.

0335305B First prime not supplied.

Explanation

A gsk_buffer structure containing the first prime for the RSA key was not supplied on the call, or not supplied in the gsk_private_key structure.

User response

Ensure that a gsk_buffer structure containing the first prime for the RSA key is supplied on the function call, or is defined in the gsk_private_key structure.

0335305C Second prime not supplied.

Explanation

A gsk_buffer structure containing the second prime for the RSA key was not supplied on the call, or not supplied in the gsk_private_key structure.

User response

Ensure that a gsk_buffer structure containing the second prime for the RSA key is supplied on the function call, or is defined in the gsk_private_key structure.

0335305D First prime exponent not supplied.

Explanation

A gsk_buffer structure containing the first prime exponent for the RSA key was not supplied on the call, or not supplied in the gsk_private_key structure.

User response

Ensure that a gsk_buffer structure containing the first prime exponent for the RSA key is supplied on the function call, or is defined in the gsk_private_key structure.

0335305E Second prime exponent not supplied.

Explanation

A gsk_buffer structure containing the second prime exponent for the RSA key was not supplied on the call, or not supplied in the gsk_private_key structure.

User response

Ensure that a gsk_buffer structure containing the second prime exponent for the RSA key is supplied on the function call, or is defined in the gsk_private_key structure.

0335305F CRT coefficient not supplied.

Explanation

A gsk_buffer structure containing the CRT coefficient for the RSA key was not supplied on the call, or not supplied in the gsk_private_key structure.

User response

Ensure that a gsk_buffer structure containing the CRT coefficient for the RSA key is supplied on the function call, or is defined in the gsk_private_key structure.
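
The messages 03353058 through 0335305F name the eight components of a PKCS #1 RSA private key. The following is an added example, not System SSL code, that derives those components from the two primes and the public exponent, checks a supplied set for completeness and arithmetic consistency (reporting a missing field in the words of the messages above), and shows what the first/second prime exponents and the CRT coefficient are used for. The primes are the textbook-sized constructed values 61 and 53; the dictionary field names, function names and the consistency-check wording are this example's own.

```python
from __future__ import annotations

from math import gcd

# Field names follow the PKCS #1 RSAPrivateKey order; the values are the
# wording of messages 03353058 through 0335305F for a missing field.
MESSAGES = {
    "modulus": "Modulus not supplied",
    "public_exponent": "Public exponent not supplied",
    "private_exponent": "Private exponent not supplied",
    "prime1": "First prime not supplied",
    "prime2": "Second prime not supplied",
    "exponent1": "First prime exponent not supplied",
    "exponent2": "Second prime exponent not supplied",
    "coefficient": "CRT coefficient not supplied",
}
FIELDS = tuple(MESSAGES)


def make_private_key(p: int, q: int, e: int) -> dict[str, int]:
    """Derive every component from the two primes and the public exponent."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # Carmichael lambda(n)
    d = pow(e, -1, lam)                            # modular inverse, Python 3.8+
    return {
        "modulus": n, "public_exponent": e, "private_exponent": d,
        "prime1": p, "prime2": q,
        "exponent1": d % (p - 1),                  # dP
        "exponent2": d % (q - 1),                  # dQ
        "coefficient": pow(q, -1, p),              # qInv = q^-1 mod p
    }


def check_private_key(key: dict[str, int | None]) -> list[str]:
    """Report missing or inconsistent components.

    A missing field is reported in the words of the messages above.  When all
    are present, the arithmetic relations among them are verified, ending with
    the encrypt/decrypt round trip that FIPS 140-2 calls a pair-wise
    consistency check (compare 03353074).
    """
    problems = [MESSAGES[f] for f in FIELDS if key.get(f) is None]
    if problems:
        return problems
    n, e, d, p, q, dp, dq, qinv = (key[f] for f in FIELDS)
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    if p * q != n:
        problems.append("modulus is not prime1 * prime2")
    if (e * d) % lam != 1:
        problems.append("private exponent is not the inverse of the public exponent")
    if dp != d % (p - 1):
        problems.append("first prime exponent is not d mod (p-1)")
    if dq != d % (q - 1):
        problems.append("second prime exponent is not d mod (q-1)")
    if (q * qinv) % p != 1:
        problems.append("CRT coefficient is not q^-1 mod p")
    m = 42 % n
    if pow(pow(m, e, n), d, n) != m:
        problems.append("pair-wise consistency check failed")
    return problems


def crt_private_op(c: int, key: dict[str, int]) -> int:
    """c^d mod n computed with the CRT components (what the extra fields are for)."""
    p, q = key["prime1"], key["prime2"]
    m1 = pow(c, key["exponent1"], p)
    m2 = pow(c, key["exponent2"], q)
    h = (key["coefficient"] * (m1 - m2)) % p
    return m2 + h * q


def demo() -> dict[str, object]:
    key = make_private_key(61, 53, 17)   # constructed textbook primes, not a real key
    n, e, d = key["modulus"], key["public_exponent"], key["private_exponent"]
    c = pow(65, e, n)                    # "encrypt" the plaintext 65
    tampered = dict(key, coefficient=1)  # wrong qInv: CRT result silently wrong
    partial = dict(key, coefficient=None)
    return {
        "key": key,
        "ciphertext": c,
        "recovered": crt_private_op(c, key),
        "crt_matches_plain": crt_private_op(c, key) == pow(c, d, n),
        "valid_key_problems": check_private_key(key),
        "tampered_problems": check_private_key(tampered),
        "partial_problems": check_private_key(partial),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The tampered case is why a consistency check is worth running on key material imported from outside: an inconsistent qInv does not make the key unusable, it makes CRT signatures wrong, and a wrong CRT signature on a known message is the classic input to a fault attack that recovers the private key.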

03353060 Certificate revocation list cannot be found.

Explanation

The required certificate revocation list (CRL) cannot be found. Either the CRL is not present on the specified LDAP server and gsk_crl_security_level is set to HIGH, or the CRL is not present on the HTTP server named in the CRL distribution points extension and gskcms_revocation_security_level is set to MEDIUM or HIGH.

User response

If contacting an LDAP server to retrieve the CRL, verify that the CRL is present in the LDAP entry being searched and is valid. Verify that the certificate's issuer is the same as the CRL issuer. Contact the certification authority and obtain the required CRL.

If contacting an HTTP server to retrieve the CRL, verify with the HTTP server administrator that the CRL is present on the server. If crlIssuer names are present in the CRL distribution point extension, verify that at least one of them matches the CRL issuer. If no crlIssuer names are present, or none of them matches, verify that the certificate's issuer is the same as the CRL issuer. The HTTP server administrator may need to contact the certification authority to obtain the required CRL.

Collect a System SSL trace containing the error and then contact your service representative if the problem persists.

03353061 Multiple certificates exist for label.

Explanation

A certificate or key could not be selected by label because more than one record in the certificate/key store has that label.

User response

Correct the certificate/key store so that the label identifies a unique record.

03353062 Multiple keys are marked as the default.

Explanation

The default key could not be selected because more than one key in the certificate/key store is marked as the default key.

User response

Correct the certificate/key store so that only one key is marked as the default key.

03353064 Digest type and key type are incompatible.

Explanation

The specified digest algorithm and the key algorithm are incompatible.

User response

Specify a digest algorithm that is compatible with the signing key algorithm.

03353065 Generate random bytes input buffer not valid.

Explanation

The input buffer to gsk_generate_random_bytes is not valid.

User response

Ensure a valid gsk_buffer structure has been supplied to the gsk_generate_random_bytes API. Contact your service representative if the error persists.

03353066 Generate random bytes produced duplicate output.

Explanation

The random number generator produced two identical consecutive blocks of output. In FIPS mode, all further attempts to use System SSL continue to fail until the application is restarted or the executing process is reinitialized.

User response

Restart the SSL application or process to reinitialize the SSL DLLs. If the problem persists, collect a System SSL trace containing the error and contact your service representative.

03353067 Known Answer Test has failed.

Explanation

A Known Answer Test did not produce the expected results. All further attempts to use System SSL continue to fail until the application is restarted or the executing process is reinitialized.

User response

Restart the SSL application or process to reinitialize the SSL DLLs. If the problem persists, collect a System SSL trace containing the error and contact your service representative.
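
Messages 03353066 and 03353067 describe the FIPS 140-2 fail-closed behaviour: a failed self-test puts the module into an error state that only a restart clears. The following is an added example, not System SSL code, of a toy module in Python that implements the two tests involved, a Known Answer Test against published SHA-256 vectors and the continuous random-number-generator test that compares each output block with the previous one, and latches every subsequent call into failure once either test fails. The class and its injectable rng parameter are this example's own; the frozen RNG used to trigger the failure is constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
import os
import threading
from typing import Callable


class SelfTestFailure(RuntimeError):
    """Raised for every call once a self-test has failed (fail closed)."""


# Published SHA-256 test vectors (FIPS 180-4 examples) used as the KAT.
SHA256_KAT = {
    b"abc": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    b"": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}
BLOCK = 16  # bytes compared by the continuous RNG test


class CryptoModule:
    """Toy module with FIPS-style self-tests and a latched error state."""

    def __init__(self, rng: Callable[[int], bytes] = os.urandom,
                 kat: dict[bytes, str] = SHA256_KAT) -> None:
        self._rng = rng
        self._lock = threading.Lock()
        self._failure: str | None = None
        self.known_answer_test(kat)
        # Continuous test: the first block after start-up is kept for
        # comparison only and never handed out.
        self._last_block: bytes = self._rng(BLOCK)

    def _usable(self) -> None:
        if self._failure is not None:
            raise SelfTestFailure(self._failure)

    def _latch(self, reason: str) -> None:
        self._failure = reason          # stays set until the object is recreated
        raise SelfTestFailure(reason)

    def known_answer_test(self, kat: dict[bytes, str]) -> None:
        self._usable()
        for msg, expected in kat.items():
            if hashlib.sha256(msg).hexdigest() != expected:
                self._latch("Known Answer Test has failed")        # 03353067

    def random_bytes(self, n: int) -> bytes:
        self._usable()
        with self._lock:
            out = bytearray()
            while len(out) < n:
                block = self._rng(BLOCK)
                if len(block) != BLOCK:
                    self._latch("RNG returned a short block")
                if block == self._last_block:
                    self._latch("Generate random bytes produced duplicate output")  # 03353066
                self._last_block = block
                out += block
            return bytes(out[:n])

    def sha256(self, data: bytes) -> str:
        self._usable()                   # an unrelated service is refused too
        return hashlib.sha256(data).hexdigest()


def demo() -> dict[str, object]:
    results: dict[str, object] = {}

    def counter_rng() -> Callable[[int], bytes]:
        # Deterministic, never-repeating stand-in so the demo is reproducible.
        state = [0]

        def draw(n: int) -> bytes:
            state[0] += 1
            return state[0].to_bytes(n, "big")
        return draw

    good = CryptoModule(rng=counter_rng())
    results["good_len"] = len(good.random_bytes(40))

    stuck = CryptoModule(rng=lambda n: b"\x00" * n)   # constructed failure: frozen RNG
    try:
        stuck.random_bytes(1)
    except SelfTestFailure as exc:
        results["stuck_error"] = str(exc)
    try:
        stuck.sha256(b"abc")
        results["stuck_latched"] = False
    except SelfTestFailure:
        results["stuck_latched"] = True

    try:
        CryptoModule(rng=counter_rng(), kat={b"abc": "00" * 32})   # wrong expected digest
        results["bad_kat"] = "accepted"
    except SelfTestFailure as exc:
        results["bad_kat"] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the latch is that once the module has reason to distrust its own primitives, no later call, including one that does not touch the failed primitive, should succeed; that is why the user response for both messages is a restart rather than a retry.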

03353068 API is not supported.

Explanation

The API is not supported. An attempt was made to use an API that is not supported in the current mode of operation (FIPS or non-FIPS).

User response

Ensure that the API being used is supported in the mode in which the application is executing. If you are invoking a FIPS-only API, you must restart your application in FIPS mode.

03353069 Key database is not a FIPS mode database.

Explanation

While executing in FIPS mode, an attempt was made to open a key database that is non-FIPS.

User response

Specify a key database that meets FIPS 140-2 criteria, if running in FIPS mode.

0335306A Key database can only be opened for update if running in FIPS mode.

Explanation

While executing in non-FIPS mode, an attempt was made to open a FIPS key database for update.

User response

To open a FIPS key database for update, you must be executing in FIPS mode.

0335306B Cannot switch from non-FIPS mode to FIPS mode.

Explanation

While executing in non-FIPS mode, an attempt was made to switch to FIPS mode.

User response

Once System SSL is executing in non-FIPS mode, it is not possible to switch to FIPS mode.

0335306C Attempt to execute in FIPS mode failed.

Explanation

A request to execute in FIPS mode failed because the required System SSL DLLs could not be loaded.

User response

Ensure that the Cryptographic Services Security Level 3 FMID is installed and that module verification has been set up correctly. See System SSL module verification setup for module verification information. Module verification failures may also result in RACF messages (for example, ICH440I) being written to the console with information about the failure. If the module verification problem persists, collect a System SSL trace containing the error and then contact your service representative.

0335306D Acceptable policy intersection cannot be found.

Explanation

The Certificate Policies extension of the certificate does not contain an acceptable policy as required by the application or an issuing certificate.

User response

Ensure that the certificate chain is valid and the user certificate is intended to be used for the required purpose.

0335306E Variable argument count is not valid.

Explanation

The specified variable argument count is not valid.

User response

Specify a valid variable argument count.

0335306F Required certificate extension is missing.

Explanation

A certificate extension that is mandatory for the certificate to be used for the required purpose has not been found.

User response

Ensure that the certificate chain is correct and complies with the validation mode defined for the connection. Collect a System SSL trace containing the error and then contact your service representative if the error persists.

If performing a PKCS #7 operation to encode a signer identifier, ensure that the certificate has a subject key identifier extension.

03353070 Certificate extension data is incorrect.

Explanation

A certificate extension has incorrect data or has a necessary field missing.

User response

Ensure that the certificate chain is correct and complies with the validation mode defined for the connection. Collect a System SSL trace containing the error and then contact your service representative if the error persists.

03353071 Certificate extension data has an incorrect critical indicator.

Explanation

A critical indicator for a certificate extension is incorrect. Either the extension is required to be marked critical and is marked non-critical or is required to be marked non-critical and is marked critical.

User response

Ensure that the certificate chain is correct and complies with the validation mode defined for the connection. Collect a System SSL trace containing the error and then contact your service representative if the error persists.

03353072 Certificate contains a duplicate extension.

Explanation

The certificate or CRL undergoing validation contains more than one extension of the same type.

User response

Ensure that the certificate chain is correct and complies with the validation mode defined for the connection. Collect a System SSL trace containing the error and then contact your service representative if the error persists.

03353073 Cannot match CRL distribution points.

Explanation

The DN in the Issuing Distribution Point extension of the CRL does not match a suitable DN in the certificate undergoing validation. The DN in the Issuing Distribution Point extension must match either:
  • A DN of type fullName in the Distribution Point of the CRL Distribution Points extension of the certificate undergoing validation
  • The CRLIssuer field in the Distribution Point of the CRL Distribution Points extension of the certificate undergoing validation
  • The Certificate Issuer name, if no CRL Distribution Point extension exists in the certificate undergoing validation

User response

Ensure that the certificate chain is correct and complies with the validation mode defined for the connection. Collect a System SSL trace containing the error and then contact your service representative if the error persists.
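
The following is an added example, not System SSL code, that applies the three-way rule above in Python to name data already extracted from the certificate and the CRL. The certificate is represented as a dictionary with its issuer DN and a list of distribution points, each holding the DNs from its fullName choice and from its cRLIssuer field; the DN comparison is a simplified form (split on commas, case-fold types and values) rather than the full RFC 5280 comparison. All names are constructed for the example, and the function and field names are this example's own.

```python
from __future__ import annotations


def normalize_dn(dn: str) -> tuple[tuple[str, str], ...]:
    """Simplified DN comparison form: split on commas, lower-case attribute
    types, trim whitespace, case-fold values.  RFC 5280 section 7.1 comparison
    is more involved (string preparation, escaping); this suffices for the
    constructed names used here.
    """
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().lower(), value.strip().casefold()))
    return tuple(parts)


def crl_scope_matches(cert: dict, crl_issuing_dp_dn: str) -> bool:
    """The three-way rule behind 03353073.

    cert["issuer"] is the certificate's issuer DN; cert["cdp"] is the CRL
    Distribution Points extension as a list of distribution points, each a
    dict with optional "full_name" (DNs from the fullName choice) and
    "crl_issuer" (DNs from cRLIssuer) lists.  crl_issuing_dp_dn is the DN in
    the CRL's Issuing Distribution Point extension.
    """
    target = normalize_dn(crl_issuing_dp_dn)
    dps = cert.get("cdp") or []
    if not dps:
        # No CDP extension: the IDP name must be the certificate issuer itself.
        return normalize_dn(cert["issuer"]) == target
    for dp in dps:
        for name in list(dp.get("full_name", [])) + list(dp.get("crl_issuer", [])):
            if normalize_dn(name) == target:
                return True
    # A CDP extension is present but names nothing matching: the issuer name
    # is not consulted as a fallback.
    return False


def demo() -> dict[str, bool]:
    # Constructed names; not real certificates or CRLs.
    ca = "CN=Example Issuing CA, O=Example Corp, C=US"
    idp = "CN=CRL1, O=Example Corp, C=US"
    other = "CN=Other CA, O=Other Corp, C=US"
    return {
        "no_cdp_issuer_match": crl_scope_matches({"issuer": ca, "cdp": []}, ca),
        "no_cdp_issuer_mismatch": crl_scope_matches({"issuer": ca, "cdp": []}, idp),
        "cdp_full_name": crl_scope_matches(
            {"issuer": ca, "cdp": [{"full_name": [idp]}]}, idp),
        "cdp_crl_issuer": crl_scope_matches(
            {"issuer": ca, "cdp": [{"crl_issuer": [other]}]}, other),
        # Distribution point with only a URI name (no DN): issuer is not a fallback.
        "cdp_present_issuer_not_consulted": crl_scope_matches(
            {"issuer": ca, "cdp": [{"full_name": []}]}, ca),
        "case_and_spacing": crl_scope_matches(
            {"issuer": ca, "cdp": [{"full_name": [idp]}]}, "cn=crl1,o=example corp,c=us"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:34s} -> {'match' if ok else 'no match'}")
```

The scope check matters because a CRL with an Issuing Distribution Point is, by that extension, a partitioned or indirect CRL: accepting it for a certificate outside its declared scope would let a revoked certificate appear absent from "the" CRL.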

03353074 FIPS mode key generation failed pair-wise consistency check.

Explanation

While executing in FIPS mode, a key pair was generated that failed a pair-wise consistency check. All further attempts to use System SSL continue to fail until the application is restarted or the executing process is reinitialized.

User response

Restart the SSL application or process to reinitialize the SSL DLLs. If the problem persists, collect a System SSL trace containing the error and then contact your service representative.

03353076 Prime not supplied.

Explanation

A gsk_buffer structure containing the prime for the DSA or Diffie-Hellman key was not supplied in the gsk_private_key or gsk_public_key structure.

User response

Ensure that the prime value for the DSA or Diffie-Hellman key is defined in the gsk_private_key or gsk_public_key structure.

03353077 Subprime not supplied.

Explanation

A gsk_buffer structure containing the sub_prime for the DSA key was not supplied in the gsk_private_key or gsk_public_key structure.

User response

Ensure that the sub prime value for the DSA key is defined in the gsk_private_key or gsk_public_key structure.

03353078 Base not supplied.

Explanation

A gsk_buffer structure containing the base for the DSA or Diffie-Hellman key was not supplied in the gsk_private_key or gsk_public_key structure.

User response

Ensure that the base value for the DSA or Diffie-Hellman key is defined in the gsk_private_key or gsk_public_key structure.

03353079 Private value not supplied.

Explanation

A gsk_buffer structure containing the private value for the DSA or Diffie-Hellman key was not supplied in the gsk_private_key structure.

User response

Ensure that the private value for the DSA or Diffie-Hellman key is defined in the gsk_private_key structure.

0335307A Public value not supplied.

Explanation

A gsk_buffer structure containing the public value for the DSA or Diffie-Hellman key was not supplied in the gsk_public_key structure.

User response

Ensure that the public value for the DSA or Diffie-Hellman key is defined in the gsk_public_key structure.

0335307B Private key structure not supplied.

Explanation

The structure containing the private key components was not supplied on the call.

User response

Supply the structure containing the private key components on the function call.

0335307C Public key structure not supplied.

Explanation

The structure containing the public key components was not supplied on the call.

User response

Supply the structure containing the public key components on the function call.

0335307D Size specified for supplied structure is too small.

Explanation

The value of the size field in the structure indicates that the size of the structure is insufficient.

User response

Ensure that the size field in the structure is initialized to the size of the structure.

0335307E Elliptic Curve is not supported.

Explanation

The elliptic curve domain parameters that are defined for the elliptic curve public or private key are not supported.

User response

Ensure the elliptic curve public/private key pair uses a supported elliptic curve. See Using cryptographic features with System SSL for the list of elliptic curves that are supported by System SSL.

0335307F EC Parameters not supplied.

Explanation

A gsk_buffer structure containing the EC domain parameters was not supplied on the call.

User response

Supply a gsk_buffer structure containing the EC domain parameters on the function call.

03353080 Signature not supplied.

Explanation

A gsk_buffer structure containing the signature was not supplied on the call.

User response

Supply a gsk_buffer structure containing the signature on the function call.

03353081 Elliptic Curve parameters are not valid.

Explanation

The EC domain parameters that are defined for the elliptic curve public or private key are not valid. Either no parameters could be found or the parameters could not be successfully decoded.

User response

Ensure the elliptic curve public/private key pair uses a valid elliptic curve.

03353082 Elliptic Curve not supported in FIPS mode.

Explanation

The EC domain parameters that are defined for the elliptic curve public or private key are not approved in FIPS mode.

User response

Ensure the elliptic curve for the public or private key is valid in FIPS mode. See System SSL and FIPS 140-2 for a list of elliptic curves that are supported by System SSL when running in FIPS mode.

03353083 ICSF services are unavailable.

Explanation

A cryptographic operation cannot be completed because the ICSF callable services are unavailable.

User response

Ensure that ICSF is running and operating correctly.

03353084 ICSF callable service returned an error.

Explanation

An ICSF callable service invoked by System SSL returned an error. This can occur if ICSF is not operating correctly, or if access to the ICSF callable services is protected by CSFSERV class profiles and the user ID of the application does not have READ access to the profiles protecting those services. See Table 1 or Table 2 for information about the required resource profile access.

User response

Ensure that ICSF is operating correctly and that the user ID of the application has appropriate access to the CSFSERV class RACF resource profiles. See Table 1 or Table 2 for information about required resource profile access. Collect a System SSL trace and verify the ICSF return code and reason code relating to the error. See z/OS Cryptographic Services ICSF Application Programmer's Guide for more information about ICSF return and reason codes. If the problem persists contact your service representative.

03353085 ICSF PKCS #11 not operating in FIPS mode.

Explanation

While running in FIPS mode, an attempt was made to use ICSF PKCS #11 services, which were not operating in FIPS mode.

User response

Ensure that ICSF is configured to run in FIPS mode.

03353086 Incorrect key algorithm.

Explanation

A supplied key uses an algorithm type that is not suitable for the requested function. This error can occur if a non-ECC key has been supplied to an ECC related function, or if incompatible keys are supplied for certificate creation, such as a certificate containing a Diffie-Hellman key to be signed with an ECDSA key.

User response

Ensure the key supplied uses a suitable key algorithm type. Collect a System SSL trace containing the error to verify the key algorithms. Contact your service representative if the error persists.

03353087 Certificate revocation list is expired.

Explanation

The current time is after the nextUpdate time specified in the CRL.

User response

Obtain the latest copy of the CRL from the certification authority.

03353088 Cryptographic hardware does not support service or algorithm.

Explanation

A call requiring cryptographic hardware was made to ICSF. The current installation hardware does not support the service or algorithm being used. The cryptographic hardware may not have the required level of support to perform an RSASSA-PSS signing. For more information about the cryptographic hardware support for RSASSA-PSS, see RSASSA-PSS signature support.

User response

Ensure that the correct protocol is in use for your installation or that cryptographic hardware that is required for this service or algorithm is available to ICSF.

03353089 ICSF PKCS #11 services are disabled.

Explanation

An attempt was made to use ICSF PKCS #11 services, which are disabled because of an ICSF FIPS self-test failure.

User response

Stop and restart ICSF. System SSL may need restarting to regain the full hardware benefit from ICSF. Contact your service representative if the error persists.

0335308A Known Answer Test has failed when attempting to use ICSF.

Explanation

A Known Answer Test failed because ICSF returned an error. All further attempts to use System SSL continue to fail until the application is restarted or the executing process is reinitialized.

User response

Ensure that ICSF is running and operating correctly and that the user ID of the application has appropriate access to the CSFSERV class RACF resource profiles. See Table 1 for information about required resource profile access. Collect a System SSL trace and verify the ICSF return code and reason code relating to the error. See z/OS Cryptographic Services ICSF Application Programmer's Guide for more information about ICSF return and reason codes. If the problem persists contact your service representative.

0335308B Variable argument validate root is not valid.

Explanation

The specified variable argument validate root is not valid.

User response

Specify a valid variable argument validate root.

0335308C PKCS #11 label name not valid.

Explanation

The PKCS #11 secure key label name is not valid. This might be because the label is NULL, an empty string, or has only an equal sign (=).

User response

Verify that the input label is correct.

0335308D Incorrect key attribute.

Explanation

One or more PKCS #11 attributes or parameters of a key are missing or incorrect for the requested function. For example, a signing operation requires that the PKCS #11 sign attribute (CKA_SIGN) of the key being used is TRUE. Verify that the correct key is being used for the requested function and that all required attributes are set for that key. If using gsk_make_enveloped_private_key_msg(), ensure that the recipient certificate's RSA public key is valid.

User response

Verify that a certificate's PKCS #11 key attributes are correct for the function that is being performed.

0335308E PKCS #11 object was not found.

Explanation

The PKCS #11 token, token object, or session object was not found.

User response

Verify that the PKCS #11 token or token object exists in the TKDS data set. Also verify that a session object was not lost because ICSF was restarted after the object was created.

0335308F An algorithm or key size is not FIPS approved for an ICSF operation.

Explanation

ICSF is in FIPS mode. A call to ICSF for cryptographic or signing support failed because the input key algorithm or size is not supported in FIPS mode. For example, an RSA key size of 512 is not supported in FIPS mode.

User response

Verify that the certificate key that is being used is a supported algorithm and size when ICSF is in FIPS mode. See Algorithm support: FIPS and non-FIPS for more information about supported algorithms and key sizes.

03353090 PKCS #11 key cannot be extracted.

Explanation

An attempt to export a PKCS #11 secure key failed because PKCS #11 attribute CKA_EXTRACTABLE is set to CK_FALSE.

User response

Verify that input label is correct. If it is correct, then the key cannot be exported.

03353093 Clear key support not available due to ICSF key policy.

Explanation

Clear (non-secure) keys or PKCS #11 objects cannot be generated because the caller's RACF access to the CRYPTOZ class resource CLEARKEY.SYSTOK-SESSION-ONLY or CLEARKEY.token_name does not permit the generation of clear PKCS #11 keys.

User response

Ensure that the user ID of the application has appropriate access to the RACF CRYPTOZ class resource CLEARKEY.SYSTOK-SESSION-ONLY. If using gskkyman, also ensure that the issuer has access to the resource CLEARKEY.token_name, where token_name is the name of the PKCS #11 token being managed by gskkyman.

03353094 OCSP responder requires a signed request

Explanation

The OCSP responder contacted for certificate validation requires that all OCSP requests be signed.

User response

Enable OCSP request signing by specifying a valid database handle (ocspDbHandle), the label of the signing certificate (ocspReqLabel), and the signature algorithm (ocspReqSignatureAlgorithm) within the OCSP data source structure.

03353095 HTTP response is not valid

Explanation

The HTTP response that was received is not properly formatted or its contents are not valid. The response must be an HTTP/1.0 or HTTP/1.1 response.

User response

Ensure that the HTTP server is running, that there are no network errors, and the HTTP server sends its responses using HTTP/1.0 or HTTP/1.1 protocols. Collect a System SSL trace containing the error and then contact your service representative if the error persists.

03353096 OCSP response is not valid

Explanation

The OCSP ASN.1 encoded response received from the OCSP responder was not properly formatted or its contents are not valid.

User response

Ensure that the OCSP responder server is properly encoding the OCSP response, that it is running, and that there are no network errors. Collect a System SSL trace containing the error and then contact your service representative if the error persists.

03353097 OCSP request failed with internal responder error

Explanation

The OCSP responder contacted for certificate validation returned an internal error.

User response

Ensure that the OCSP responder server is running and that there are no network errors. Collect a System SSL trace containing the error and then contact your service representative if the error persists.

03353098 OCSP response is expired

Explanation

The current time is after the OCSP response expiration time.

User response

If using the dedicated OCSP responder, ensure that the OCSP responder server is using the most recent revocation information available from the certification authority. If certificate revocation through the AIA extension is enabled, ensure that the OCSP responder servers referenced in the certificate chain are using the most recent revocation information available. Collect a System SSL trace containing the error and then contact your service representative if the error persists.

03353099 Numeric value is not valid

Explanation

A numeric value specified as either a parameter to or as a field within the data structure is not valid. If using the gsk_construct_signed_crl() routine, the this_update time must be less than the CRL expiration time.

User response

Verify that all numeric values specified contain numeric values that are within acceptable ranges. If using the gsk_construct_signed_crl() routine, specify a this_update time that is less than the CRL expiration time. The CRL expiration time is the earlier of the next_update time or the signing certificate's expiration time.

0335309A A PKCS #7 CMS Version is not supported

Explanation

The PKCS #7 CMS version is not supported.

User response

Verify that the PKCS #7 CMS version is supported by System SSL.

0335309B Input certificate not supplied

Explanation

The required input field, certificate, is missing.

User response

Verify that the input certificate is not NULL.

0335309C Error creating OCSP request

Explanation

An internal error was encountered while creating the OCSP request to send to an OCSP responder.

User response

If OCSP request signing is enabled, verify that the signing certificate resides in the handle returned from gsk_open_keyring() or gsk_open_database() and the signing certificate is valid (start time is before the current time and is not yet expired) and contains a private key. The handle is provided through the ocspDbHandle field within the gskdb_ocsp_source structure provided on the gsk_create_revocation_source() routine. The signing key label is provided through the ocspReqLabel field within the gskdb_ocsp_source structure provided on the gsk_create_revocation_source() routine.

Collect a System SSL trace containing the error and then contact your service representative if the error persists.

0335309D Maximum response size exceeded

Explanation

When attempting to retrieve revocation information, the HTTP response exceeded the maximum configured response size for either an OCSP response or an HTTP CRL. The response size is provided through either the ocspMaxResponseSize or httpCdpMaxResponseSize fields within the gskdb_ocsp_source or gskdb_cdp_source structures provided on the gsk_create_revocation_source() routine.

User response

Ensure that the configured maximum HTTP response size is adequate for the CRLs or OCSP responses that are being retrieved, increasing it if necessary. The limit bounds how much data System SSL accepts from the responder or HTTP server, so raise it only as far as the legitimate CRLs or responses require. If you are unable to determine an adequate size, collect a System SSL trace containing the error and then contact your service representative.

0335309E HTTP server communication error

Explanation

Unable to establish a connection to contact the HTTP server or the OCSP responder to retrieve certificate revocation information.

User response

If OCSP is enabled and a dedicated OCSP responder is configured, ensure that the responder is running and can be accessed.

If enabled for OCSP responders identified in the certificate AIA extension, ensure that the OCSP responders specified in the extension are running and can be accessed.

If HTTP CRL support is enabled, ensure that the HTTP server specified in the CRL Distribution Point extension is running and can be accessed.

If there is a firewall in place and either an HTTP proxy server or port or an OCSP proxy server or port has been specified, ensure that the server and port settings are correct and that the servers can be accessed. The proxy servers and ports are specified through the gskdb_ocsp_source and gskdb_cdp_source structures provided on the call to the gsk_create_revocation_source() routine.

Collect a System SSL trace containing the error and then contact your service representative if the error persists.

0335309F Variable argument security level is not valid

Explanation

The specified variable argument security level is not valid.

User response

Specify a valid variable argument security level.

033530A0 Extended key usage input count is not valid

Explanation

The extended key usage input count must be at least 1.

User response

Verify that the extended key usage count equals the number of extended key usages provided. The count must not be less than 1.

033530A1 Extended key usage input is not supplied

Explanation

The extended key usage structure x509_key_usages is NULL or the x509_key_purpose structure within x509_key_usages is NULL.

User response

Verify that x509_key_usages is not NULL and that x509_key_purpose is not NULL within x509_key_usages.

033530A2 Extended key usage comparison failed

Explanation

The extended key usage comparison failed: the user-supplied validation parameter and extended key purpose list did not match the values in the certificate's extended key usage extension.

User response

Verify that the validation option and the extended key purpose list are correct for your use, and that the certificate carries the extended key usages you expect.

033530A3 Extended key usage type is not supported for this operation

Explanation

The extended key usage type must be a value defined within x509_purpose_type. The purpose types x509_purpose_unknown and x509_purpose_maximum are not valid. Use the special case GSKCMS_VALIDATE_EXTENDED_KEY_USAGE_CHECK_OID only if an OID comparison is required.

User response

Verify that the input purpose type is a value defined within x509_purpose_type and is not x509_purpose_unknown, x509_purpose_maximum, or the special case GSKCMS_VALIDATE_EXTENDED_KEY_USAGE_CHECK_OID.

033530A4 Certificate does not have an extended key usage extension

Explanation

The specified certificate does not have an extended key usage extension.

User response

Verify that the input x509_certificate has an extended key usage extension defined.

033530A5 Nonce in OCSP response does not match value in OCSP request

Explanation

When validating the nonce in the OCSP response, the value did not match the value sent in the OCSP request.

User response

If OCSP is enabled for a dedicated OCSP responder, ensure that the responder is configured to return the request nonce in its OCSP responses.

Determine whether nonce checking is required. If it is not, set ocspCheckNonce to FALSE within the gskdb_ocsp_source structure provided on the gsk_create_revocation_source() routine. Note that without nonce checking, a previously captured OCSP response can be replayed to the client for as long as it remains within its validity period.

Collect a System SSL trace containing the error and then contact your service representative if the error persists.

033530A6 OCSP response not received within configured time limit

Explanation

The time limit indicated in the value for ocspResponseTimeout in the OCSP data source has been exceeded.

User response

Ensure that the HTTP server hosting the OCSP responder is available and able to process OCSP requests. Verify that the value for ocspResponseTimeout in the OCSP data source is sufficient to receive a complete response from that server.

033530A7 Revocation information is not yet valid

Explanation

The current time is earlier than the start of the validity period of the revocation information provided through either an OCSP response or a CRL.

User response

Ensure that the system time is configured correctly. Collect a System SSL trace containing the error and then contact your service representative if the problem persists.

033530A8 HTTP server host name is not valid

Explanation

The URI value in the AIA extension or the CDP extension is not in the correct format or cannot be resolved by the Domain Name System (DNS). The correct URI format is http://hostname[:portNumber].

User response

If an OCSP data source has been provided and the ocspEnable parameter is enabled, verify that the certificate being verified has a URI value in the AIA extension that is properly formatted and can be resolved by DNS. It may be necessary to obtain a new certificate or to specify the ocspProxyServerName and ocspProxyServerPort parameters if there is a need to pass through a firewall. If the ocspURL or ocspProxyServerName parameters are specified, verify that the host name and IP address are properly formatted and can be resolved by DNS.

If a CDP data source has been provided and the cdpEnableFlags parameter is enabled for HTTP URIs, verify that the certificate being verified has a URI value in the CDP extension that is properly formatted and can be resolved by DNS. It may be necessary to obtain a new certificate or to specify the httpCdpProxyServerName and httpCdpProxyServerPort parameters if there is a need to pass through a firewall.

033530A9 An internal error has occurred.

Explanation

The System SSL runtime library detected an internal processing error.

User response

Retry the operation. If the problem persists, collect a System SSL trace containing the error and then contact your service representative.

033530AA Required basic constraints certificate extension is missing

Explanation

During certificate validation processing in mode RFC 2459 or ANY, an intermediate CA certificate that does not have a basic constraints extension was encountered outside of a trusted certificate source.

User response

The untrusted certificate sources that were passed on either the gsk_validate_certificate_mode() or gsk_validate_certificate() API need to be examined to determine which intermediate CA certificate is being disallowed. Either replace the intermediate CA certificate with a valid Version 3 certificate that carries a basic constraints extension, or, if use of the CA certificate is acceptable, move the certificate to a trusted certificate source and remove it from the untrusted certificate source. A certificate in a trusted source is accepted as a CA without this check, so take the second option only for a CA you would trust as an anchor.

If the error persists after adding the certificates, or if the certificates cannot be readily obtained, collect a System SSL trace containing the error and then contact your service representative.

033530AB PKCS #12 input certificate has no subject DN or friendly name

Explanation

When reading the certificates of the specified PKCS #12 file, a certificate was encountered that had no subject distinguished name or PKCS #12 friendly name.

User response

Verify that all certificates within the provided PKCS #12 file have either a subject distinguished name or a friendly name attribute. The friendly name attribute or the subject distinguished name is used to create the certificate's label.

033530AC PKCS #12 file name may not end with .kdb, .rdb or .sth

Explanation

A PKCS #12 file name cannot end with .kdb, .rdb or .sth.

User response

Verify that the PKCS #12 file name does not end with .kdb, .rdb or .sth. If it does, rename the file.

033530AD Required parameter is not set

Explanation

One or more required parameters in the gskdb_ocsp_source, gskdb_cdp_source, or gskdb_extended_directory_source structures within the gskdb_source structure are not correctly set.

User response

If using the gsk_create_revocation_source() routine to create an OCSP data source, the ocspEnable parameter must be set to TRUE or the ocspURL parameter must be specified. If ocspReqLabel is set, ocspDbHandle must also be specified. The ocspDbHandle is the database handle, returned by the gsk_open_database() routine or the gsk_open_keyring() routine, for the database or key ring that contains the certificate named by the ocspReqLabel parameter.

If using the gsk_create_revocation_source() routine to create a CDP data source, the httpCdpEnableFlags must be set to either GSKCMS_CDP_ENABLE_HTTP or GSKCMS_CDP_ENABLE_ALL.

If using the gsk_create_revocation_source() routine to create an LDAP extended directory source, the ldapServerName parameter must be specified.

033530AE Maximum number of locations allowed to be contacted during certificate validation has been reached

Explanation

The number of locations allowed by either the max_source_rev_ext_loc_values or the max_validation_rev_ext_loc_values parameter of gsk_validate_certificate_mode() has been exceeded. The locations for revocation information are specified by the accessLocation in the AIA certificate extension for OCSP and by the distributionPoint in the CDP extension for HTTP CRLs.

User response

Use the values in the certificate chain being validated to determine the proper value for the max_source_rev_ext_loc_values parameter, the max_validation_rev_ext_loc_values parameter, or both. The value for max_source_rev_ext_loc_values must be greater than or equal to the largest number of location values in any single certificate's CDP or AIA extensions. The value for max_validation_rev_ext_loc_values must be greater than or equal to the total number of location values in all CDP and AIA extensions across the certificate chain being validated. These limits bound how many network locations a certificate presented by a peer can cause System SSL to contact, so set them to what legitimate chains need rather than to arbitrarily large values. Collect a System SSL trace containing the error and then contact your service representative if the problem persists.

033530AF HTTP response not received within configured time limit

Explanation

The time limit indicated in the value for httpCdpResponseTimeout in the CDP data source has been exceeded.

User response

Ensure that the HTTP server is available and able to process HTTP CRL requests. Verify that the value for httpCdpResponseTimeout in the CDP data source is sufficient to receive a complete response from the HTTP server.

033530B0 LDAP response not received within configured time limit

Explanation

The time limit indicated in the value for ldapResponseTimeout in the extended directory data source, or the timeout value specified for the basic directory data source, has been exceeded. The basic directory data source timeout is specified on the gsk_set_directory_numeric_value() routine.

User response

Ensure that the LDAP server is available and able to process LDAP CRL requests. Verify that the timeout value for the basic or extended directory data source is sufficient to receive a complete response from the LDAP server.

033530B1 An unknown error has occurred

Explanation

System SSL has detected an unknown processing error.

User response

Collect a System SSL trace containing the error and then contact your service representative.

033530B2 OCSP request failed with try later error

Explanation

The OCSP responder is unable to currently process the OCSP request.

User response

Contact the OCSP responder administrator to verify that the OCSP responder is working properly. Then retry the OCSP request at a later time.

033530B3 Signature algorithm pairs list is not valid.

Explanation

The supported signature algorithm pairs list is not correctly formatted.

User response

Ensure that the value supplied for the OCSP response signature algorithm pairs in the ocspResponseSigAlgPairs parameter within the gskdb_ocsp_source structure contains only hash and signature algorithm pairs that are supported by System SSL and that each entry is defined using 4 characters. See Table 7 for the list of valid 4-character signature algorithm pair definitions.

033530B4 OCSP response signature algorithm not in signature algorithm pairs list.

Explanation

The OCSP response was signed with an algorithm that was not specified in the OCSP response signature algorithm pairs list.

User response

Verify that the signature algorithms included in the response signature algorithm pairs list (the ocspResponseSigAlgPairs parameter within the gskdb_ocsp_source structure) are supported by the OCSP responder and are valid for the certificate being validated. For example, the OCSP responder may ignore a signature algorithm of SHA-224 with RSA encryption if the certificate being validated is an ECDSA certificate. Ensure that the OCSP responder supports the OCSP preferred signature algorithms extension. The OCSP response signature algorithm pairs list may need to be updated to include the algorithm that the OCSP responder is using to sign the OCSP response. See Table 7 for the list of valid 4-character signature algorithm pair definitions. Collect a System SSL trace containing the error and then contact your service representative if the error persists.

033530B5 Cannot switch from one FIPS mode level to another FIPS mode level

Explanation

While executing in FIPS mode (GSK_FIPS_STATE_ON, GSK_FIPS_STATE_LEVEL1, GSK_FIPS_STATE_LEVEL2, or GSK_FIPS_STATE_LEVEL3), an attempt was made to switch to another FIPS mode LEVEL. This is not supported. Only the switch to GSK_FIPS_STATE_OFF is supported.

User response

A FIPS mode LEVEL has already been defined and the only FIPS mode setting change that is allowed is to GSK_FIPS_STATE_OFF. See System SSL and FIPS 140-2 for additional information about operating in FIPS mode.

033530B6 OCSP request signature algorithm pair is not valid.

Explanation

The OCSP request signature algorithm pair specified in the ocspReqSignatureAlgorithm parameter of the gskdb_ocsp_source structure is not valid. The valid values for the OCSP request signature algorithm pair definitions can be found in Table 3.

User response

Correct the OCSP request signing algorithm that is specified in the ocspReqSignatureAlgorithm parameter of the gskdb_ocsp_source structure to a valid one.

033530B7 OCSP response does not contain requested certificate status.

Explanation

The OCSP response from the OCSP responder does not contain the requested certificate status.

User response

Contact the OCSP responder administrator to verify that the OCSP responder is operating as expected. If the error persists, collect a System SSL trace containing the error and then contact your service representative.

033530B8 OCSP response contains duplicate certificate statuses.

Explanation

The OCSP response from the OCSP responder contains duplicate certificate statuses and it is not possible to determine the revocation status of the requested certificate.

User response

Contact the OCSP responder administrator to verify that the OCSP responder is operating as expected. If the error persists, collect a System SSL trace containing the error and then contact your service representative.

033530B9 Triple DES key parts are not unique

Explanation

While executing in FIPS mode, a triple DES key was found not to have three unique key parts. This can occur with a user-supplied session key or when generating a triple DES key.

User response

A user-supplied triple DES key was found not to have three unique key parts. Ensure that the supplied key has three unique 8-byte parts.
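
As an added example, not System SSL code and not from this page, the following C routines perform the check that this message reports on a 24-byte triple DES key: the three 8-byte parts must be pairwise distinct. The keying-option classification and the odd-parity check go beyond what the message states and are included because they tell you which kind of non-unique key you have. The sample keys are constructed test patterns, not real secrets.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DES_PART_LEN 8
#define TDES_KEY_LEN (3 * DES_PART_LEN)

/* Returns 1 if the three 8-byte parts of a 24-byte triple DES key are
 * pairwise distinct, which is what FIPS mode requires here; 0 otherwise. */
int tdes_key_parts_unique(const uint8_t key[TDES_KEY_LEN])
{
    const uint8_t *k1 = key, *k2 = key + DES_PART_LEN, *k3 = key + 2 * DES_PART_LEN;
    return memcmp(k1, k2, DES_PART_LEN) != 0 &&
           memcmp(k2, k3, DES_PART_LEN) != 0 &&
           memcmp(k1, k3, DES_PART_LEN) != 0;
}

/* Classify by NIST SP 800-67 keying option: 1 = three independent parts,
 * 2 = K3 equal to K1 (two-key TDES, the usual cause of this message),
 * 3 = all three parts equal (single DES strength). Returns 0 for the
 * remaining non-unique layouts (K1 == K2 != K3 or K2 == K3 != K1). */
int tdes_keying_option(const uint8_t key[TDES_KEY_LEN])
{
    const uint8_t *k1 = key, *k2 = key + DES_PART_LEN, *k3 = key + 2 * DES_PART_LEN;
    int eq12 = memcmp(k1, k2, DES_PART_LEN) == 0;
    int eq13 = memcmp(k1, k3, DES_PART_LEN) == 0;
    int eq23 = memcmp(k2, k3, DES_PART_LEN) == 0;
    if (!eq12 && !eq13 && !eq23) return 1;
    if (eq12 && eq23) return 3;
    if (eq13 && !eq12) return 2;
    return 0;
}

/* Each DES key byte carries odd parity in its least significant bit. The
 * message does not mention parity; this is an extra sanity check that
 * catches a key pasted with a wrong byte. Returns 1 if every byte is odd. */
int des_key_parity_ok(const uint8_t *key, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned b = key[i], ones = 0;
        for (; b; b >>= 1) ones += b & 1;
        if ((ones & 1) == 0) return 0;
    }
    return 1;
}

/* Constructed sample keys (odd-parity DES test patterns). */
static const uint8_t K_THREE_KEY[TDES_KEY_LEN] = {
    0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,
    0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,0x01,
    0x45,0x67,0x89,0xAB,0xCD,0xEF,0x01,0x23 };
static const uint8_t K_TWO_KEY[TDES_KEY_LEN] = {     /* K3 == K1 */
    0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,
    0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,0x01,
    0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF };
static const uint8_t K_SINGLE[TDES_KEY_LEN] = {      /* K1 == K2 == K3 */
    0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,
    0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,
    0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF };
static const uint8_t K_BAD_PARITY[TDES_KEY_LEN] = {  /* first byte 0x00 is even */
    0x00,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,
    0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,0x01,
    0x45,0x67,0x89,0xAB,0xCD,0xEF,0x01,0x23 };

int main(void)
{
    printf("three-key: unique=%d option=%d parity=%d\n",
           tdes_key_parts_unique(K_THREE_KEY), tdes_keying_option(K_THREE_KEY),
           des_key_parity_ok(K_THREE_KEY, TDES_KEY_LEN));
    printf("two-key:   unique=%d option=%d\n",
           tdes_key_parts_unique(K_TWO_KEY), tdes_keying_option(K_TWO_KEY));
    printf("single:    unique=%d option=%d\n",
           tdes_key_parts_unique(K_SINGLE), tdes_keying_option(K_SINGLE));
    printf("bad parity: parity=%d\n", des_key_parity_ok(K_BAD_PARITY, TDES_KEY_LEN));
    return 0;
}
```

Run the uniqueness check before handing a user-supplied session key to System SSL in FIPS mode; a keying option of 2 means the key was built as two-key TDES, which FIPS mode rejects here even though non-FIPS mode may accept it.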

033530BA Certificate does not meet Suite B requirements.

Explanation

The certificate in use does not meet the requirements for the Suite B profile that is selected for the environment.

User response

Ensure that the certificate used satisfies the requirements for the chosen Suite B profile. See Suite B cryptography support for more information about Suite B certificate requirements.

033530BB Certificate database is not supported

Explanation

The certificate key database being used is not supported for this operation. Access to a GSKIT CMS V4 certificate key database is only allowed by the gskkyman utility in command line mode or when creating an SSL/TLS connection.

User response

Verify that the key database being used is supported. If using gskkyman to display a GSKIT CMS V4 key database, use gskkyman in command line mode.

033530BC Time value is not valid

Explanation

The specified timeVal structure contains a sub-field value that is not valid. The year of the timeVal that is passed in must be 1970 - 2106 and is expressed as the actual year minus 1900. Therefore:
  • tm_year must be 70 - 206.
  • tm_mon must be 0 - 11.
  • tm_day must be 1 - 31.
  • tm_hour must be 0 - 23.
  • tm_min must be 0 - 59.
  • tm_sec must be 0 - 59.

User response

Specify a valid time value.

033530BD Output parameter is not valid

Explanation

An output parameter specified is null or has an invalid value.

User response

Specify a valid output parameter.

033530BE Format is not valid

Explanation

The requested certificate revocation list output format is not valid for encoding a certificate revocation list. Certificate revocation lists can be encoded using base64 encoding or DER encoding formats.

User response

Specify an appropriate certificate revocation list encoding format.

033530BF Expiration date exceeds February 6, 2106 at 23:59:59 UTC

Explanation

System SSL does not support expiration dates that exceed February 6, 2106, at 23:59:59 UTC.

User response

Ensure that the expiration date does not extend past February 6, 2106, at 23:59:59 UTC.
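
As an added example, not the page's or System SSL's own code, this C program checks a time value against the field ranges listed under 033530BC and then against the February 6, 2106 23:59:59 UTC limit of 033530BF. The struct example_time mirrors the field names the message lists and is an assumption of the example, not the real timeVal definition; the 64-bit seconds-since-1970 conversion and the days-in-month check are additions that go beyond the ranges the message states. The sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Field layout assumed for the example; it mirrors the field names the
 * message lists, not the real System SSL timeVal definition. */
struct example_time {
    int tm_year;  /* years since 1900: 70 (1970) through 206 (2106) */
    int tm_mon;   /* 0 - 11 */
    int tm_day;   /* 1 - 31 */
    int tm_hour;  /* 0 - 23 */
    int tm_min;   /* 0 - 59 */
    int tm_sec;   /* 0 - 59 */
};

enum time_check {
    TIME_OK          = 0,
    TIME_FIELD_RANGE = 1,  /* the condition behind 033530BC */
    TIME_PAST_2106   = 2   /* the condition behind 033530BF */
};

/* Seconds from 1970-01-01T00:00:00Z to the last supported instant,
 * 2106-02-06T23:59:59Z. Kept in 64 bits; it does not fit a signed 32-bit
 * time_t, so a 32-bit comparison would silently wrap. */
#define MAX_SUPPORTED_EPOCH 4294943999LL

/* Days from 1970-01-01 to a proleptic Gregorian date (m is 1-based).
 * Howard Hinnant's days_from_civil algorithm. */
static int64_t days_from_civil(int64_t y, int m, int d)
{
    y -= (m <= 2);
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int64_t yoe = y - era * 400;                                     /* [0, 399] */
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;     /* [0, 365] */
    int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;              /* [0, 146096] */
    return era * 146097 + doe - 719468;
}

static int days_in_month(int year, int mon0)
{
    static const int days[12] = {31,28,31,30,31,30,31,31,30,31,30,31};
    int leap = (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
    return days[mon0] + (mon0 == 1 && leap);
}

/* Convert to seconds since the epoch; caller validates the ranges first. */
int64_t example_time_to_epoch(const struct example_time *t)
{
    int64_t days = days_from_civil(1900 + t->tm_year, t->tm_mon + 1, t->tm_day);
    return days * 86400 + t->tm_hour * 3600 + t->tm_min * 60 + t->tm_sec;
}

/* Field ranges from 033530BC first, then the absolute limit from 033530BF. */
enum time_check check_example_time(const struct example_time *t)
{
    if (t->tm_year < 70 || t->tm_year > 206) return TIME_FIELD_RANGE;
    if (t->tm_mon  < 0  || t->tm_mon  > 11)  return TIME_FIELD_RANGE;
    if (t->tm_day  < 1  || t->tm_day  > 31)  return TIME_FIELD_RANGE;
    if (t->tm_hour < 0  || t->tm_hour > 23)  return TIME_FIELD_RANGE;
    if (t->tm_min  < 0  || t->tm_min  > 59)  return TIME_FIELD_RANGE;
    if (t->tm_sec  < 0  || t->tm_sec  > 59)  return TIME_FIELD_RANGE;
    /* Stricter than the message: reject days that do not exist in the month. */
    if (t->tm_day > days_in_month(1900 + t->tm_year, t->tm_mon)) return TIME_FIELD_RANGE;
    if (example_time_to_epoch(t) > MAX_SUPPORTED_EPOCH) return TIME_PAST_2106;
    return TIME_OK;
}

/* Constructed sample values. */
static const struct example_time T_LAST_OK   = {206, 1, 6, 23, 59, 59}; /* 2106-02-06 23:59:59 */
static const struct example_time T_ONE_LATER = {206, 1, 7,  0,  0,  0}; /* 2106-02-07 00:00:00 */
static const struct example_time T_YEAR_2024 = {2024, 0, 1, 0, 0, 0};   /* caller forgot -1900 */
static const struct example_time T_EPOCH     = {70, 0, 1, 0, 0, 0};     /* 1970-01-01 00:00:00 */

int main(void)
{
    printf("2106-02-06 23:59:59 -> %d\n", check_example_time(&T_LAST_OK));
    printf("2106-02-07 00:00:00 -> %d\n", check_example_time(&T_ONE_LATER));
    printf("tm_year = 2024      -> %d\n", check_example_time(&T_YEAR_2024));
    printf("limit in epoch seconds: %lld\n", (long long)example_time_to_epoch(&T_LAST_OK));
    return 0;
}
```

The two traps this separates are the 1900-based year (passing 2024 instead of 124 fails the range check, not the limit check) and the 2106 limit, which is only a few hours short of the 32-bit unsigned seconds wraparound and is reached by tm_year 206 alone only for dates after February 6.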

033530C0 RSASSA-PSS digest algorithm is not supported

Explanation

The RSASSA-PSS cryptographic digest algorithm is not supported by the operation or the current level of the System SSL run time. When running in FIPS mode, this error may occur if an attempt is made to use a digest algorithm that is not supported at a specific FIPS mode level. The digest algorithm is specified as part of the RSASSA-PSS parameters. Supported digest types are SHA-256, SHA-384, and SHA-512.

User response

Ensure that the digest algorithm is supported for the requested operation or that it is supported if executing in FIPS mode.

033530C1 RSASSA-PSS mask generation algorithm is not supported

Explanation

The RSASSA-PSS mask generation function specified is not supported by the current level of the System SSL run time. The only supported mask generation function is MGF1.

User response

Ensure that the mask generation algorithm is supported for the requested operation.

033530C2 PKDS RSA private key type not valid for RSASSA-PSS signature generation

Explanation

A secure RSA private key residing in the PKDS is of an incorrect type for RSASSA-PSS digital signing.

User response

Ensure that the secure private key has been generated correctly into the PKDS.

033530C3 Input parameter is not valid.

Explanation

The value specified for an input parameter is not a valid value for the requested operation.

User response

Ensure that a valid non-NULL value is specified for the input parameter of the requested operation.

033530C4 Incorrect Suite B certificate key usage

Explanation

A TLS Suite B certificate contains extraneous key usage bits.

For TLS Suite B CA certificates, the certificate sign, CRL sign, digital signature and nonRepudiation bits can be set. All other bits are not allowed to be set.

For TLS Suite B end-entity certificates, the digital signature and nonRepudiation bits can be set. All other bits are not allowed to be set.

User response

Obtain a certificate that contains only the allowed key usage settings.
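
As an added example (not System SSL code, and not from this page), the following C program decodes a DER-encoded KeyUsage BIT STRING and applies the rule above, rejecting any bit outside the allowed set for a Suite B CA or end-entity certificate. The bit numbers follow RFC 5280; the sample encodings are constructed for the example, and the Suite B rule is taken from the message text only, so the example checks for extraneous bits and not for whether a particular bit is present.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* KeyUsage bit positions from RFC 5280 section 4.2.1.3. In a DER BIT STRING,
 * bit 0 is the most significant bit of the first content byte. */
enum {
    KU_DIGITAL_SIGNATURE = 1u << 0,
    KU_NON_REPUDIATION   = 1u << 1,
    KU_KEY_ENCIPHERMENT  = 1u << 2,
    KU_DATA_ENCIPHERMENT = 1u << 3,
    KU_KEY_AGREEMENT     = 1u << 4,
    KU_KEY_CERT_SIGN     = 1u << 5,
    KU_CRL_SIGN          = 1u << 6,
    KU_ENCIPHER_ONLY     = 1u << 7,
    KU_DECIPHER_ONLY     = 1u << 8,
    KU_UNDEFINED_BIT     = 1u << 9   /* any bit beyond 8: never allowed */
};

/* Decode a DER KeyUsage value (tag 0x03, short-form length) into a mask of
 * the flags above. Returns 0 on success, -1 if the encoding is malformed
 * (wrong tag, bad length, more than 7 unused bits, non-zero padding bits). */
int decode_key_usage(const uint8_t *der, size_t len, unsigned *mask_out)
{
    if (len < 3 || der[0] != 0x03) return -1;
    size_t content_len = der[1];
    if (content_len > 0x7f || content_len < 1 || content_len + 2 != len) return -1;
    unsigned unused = der[2];
    size_t nbytes = content_len - 1;
    if (unused > 7 || (nbytes == 0 && unused != 0)) return -1;
    const uint8_t *bits = der + 3;
    /* DER requires the unused (padding) bits of the last byte to be zero. */
    if (nbytes > 0 && (bits[nbytes - 1] & ((1u << unused) - 1)) != 0) return -1;

    unsigned mask = 0;
    size_t nbits = nbytes * 8 - unused;
    for (size_t bitno = 0; bitno < nbits; bitno++) {
        if (bits[bitno / 8] & (0x80u >> (bitno % 8)))
            mask |= (bitno <= 8) ? (1u << bitno) : KU_UNDEFINED_BIT;
    }
    *mask_out = mask;
    return 0;
}

/* The Suite B rule from 033530C4: CA certificates may set only keyCertSign,
 * cRLSign, digitalSignature and nonRepudiation; end-entity certificates only
 * digitalSignature and nonRepudiation. Returns 1 if no other bit is set. */
int suite_b_key_usage_ok(unsigned mask, int is_ca)
{
    unsigned allowed = KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION;
    if (is_ca)
        allowed |= KU_KEY_CERT_SIGN | KU_CRL_SIGN;
    return (mask & ~allowed) == 0;
}

/* Decode and check in one step: 1 acceptable, 0 extraneous bits, -1 malformed. */
int check_suite_b_key_usage(const uint8_t *der, size_t len, int is_ca)
{
    unsigned mask;
    if (decode_key_usage(der, len, &mask) != 0) return -1;
    return suite_b_key_usage_ok(mask, is_ca);
}

/* Constructed sample encodings (not taken from any real certificate). */
static const uint8_t KU_CA_SIGN_ONLY[] = {0x03, 0x02, 0x01, 0x06};       /* keyCertSign, cRLSign */
static const uint8_t KU_EE_DIGSIG[]    = {0x03, 0x02, 0x07, 0x80};       /* digitalSignature */
static const uint8_t KU_EE_RSA_STYLE[] = {0x03, 0x02, 0x05, 0xA0};       /* digitalSignature, keyEncipherment */
static const uint8_t KU_EE_DECIPHER[]  = {0x03, 0x03, 0x07, 0x00, 0x80}; /* decipherOnly, bit 8 in byte 2 */
static const uint8_t KU_BAD_PADDING[]  = {0x03, 0x02, 0x07, 0x81};       /* padding bit set: not DER */

int main(void)
{
    printf("CA keyCertSign+cRLSign         : %d\n", check_suite_b_key_usage(KU_CA_SIGN_ONLY, sizeof KU_CA_SIGN_ONLY, 1));
    printf("EE digitalSignature            : %d\n", check_suite_b_key_usage(KU_EE_DIGSIG, sizeof KU_EE_DIGSIG, 0));
    printf("EE digitalSignature+keyEnciph. : %d\n", check_suite_b_key_usage(KU_EE_RSA_STYLE, sizeof KU_EE_RSA_STYLE, 0));
    printf("EE decipherOnly                : %d\n", check_suite_b_key_usage(KU_EE_DECIPHER, sizeof KU_EE_DECIPHER, 0));
    printf("malformed padding              : %d\n", check_suite_b_key_usage(KU_BAD_PADDING, sizeof KU_BAD_PADDING, 0));
    return 0;
}
```

The keyEncipherment case is the one to expect in practice: a certificate issued from an RSA-oriented TLS server template carries digitalSignature plus keyEncipherment, and the second bit is what makes it unacceptable under the Suite B rule even when the key itself is an ECDSA key.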
