AT-TLS and IPsec certificate diagnostics

z/OS® V2R5 Communications Server provides additional certificate diagnostic data to allow you to more quickly determine the cause of an AT-TLS or IPsec negotiation failure. New syslogd messages are provided to identify certificate validation errors detected when processing a peer’s certificate.

Restrictions:

Certificate diagnostic messages are provided when the validation of the peer’s certificate fails. For validation failures accessing the local certificate, certificate diagnostic data is not provided.
For IPsec negotiation failures due to errors with the peer’s certificate, certificate diagnostic data will only be provided when the failure is detected by System SSL.

Dependencies:

The syslog daemon (i.e. syslogd) must be active. For AT-TLS and IPsec, the additional certificate diagnostic messages are written to syslogd.

Using AT-TLS and IPsec certificate diagnostics

To enable AT-TLS and IPsec certificate diagnostics, perform the tasks in Table 1.

Table 1. AT-TLS and IPsec certificate diagnostics
Task/Procedure	Reference
If you use AT-TLS to secure connections, view the tracing levels enabled in the AT-TLS policy. When the trace level includes error, message "EZD2052I TTLS Certificate Diagnostics" is written to syslogd when additional certificate information is available for a negotiation failure. When the trace level includes event, messages "EZD2053I TTLS Certificate Diagnostics Details" and "EZD2054I TTLS Certificate Diagnostics Data Sources" are written to syslogd when additional certificate information is available for a negotiation failure.	In z/OS Communications Server: IP Configuration Reference, Trace parameter in TTLSGroupAction statement TTLSEnvironmentAction statement TTLSConnectionAction statement Rule Advanced Settings, Tracing tab in Network Configuration Assistant
If you use IPsec to secure network traffic, view the log levels enabled in the IKED configuration file. When the log level includes level 1 (default level), message "EZD2055I Certificate Diagnostics" is written to syslogd when additional certificate information is available for a negotiation failure. When the log level includes level 4 (debug for security association negotiations), messages "DEBUGSA : Certificate Diagnostics Details" and "DEBUGSA : Certificate Diagnostics Data Sources" are written to syslogd when additional certificate information is available for a negotiation failure.	IkeSyslogLevel parameter in IkeConfig statement in z/OS Communications Server: IP Configuration Reference IKE Daemon Syslog Trace in Network Configuration Assistant

To find all related topics about AT-TLS and IPsec certificate diagnostics, see Table 2.

Table 2. All related topics about AT-TLS and IPsec certificate diagnostics
Book name	Topics
z/OS Communications Server: IP Diagnosis Guide	Common problems Error codes Steps for diagnosing AT-TLS problems AT-TLS traces AT-TLS return codes
z/OS Communications Server: IP Messages Volume 2 (EZB, EZD)	EZD0902I EZD1139I EZD2052I EZD2053I EZD2054I EZD2055I