DFHXS1402 date time applid A request to inquire the client principal of a kerberos token obtained from a Security Token Service has failed, reason = {R_TICKETSERV service responded not authorized by ESM. | Security not active. | ESM not active. | KDC not active. | KDC not responding. | R_TICKETSERV service responded not a kerberos region. | R_TICKETSERV service responded invalid client principal name. | R_TICKETSERV service responded invalid kerberos token. | R_TICKETSERV service responded ticket expired. | R_TICKETSERV service responded authenticator expired. | Unclassified ESM error. | R_TICKETSERV service responded invalid server principal name. | R_USERMAP service responded no userid for client principal. | R_USERMAP service responded not authorized by ESM. | R_GENSEC ACCEPT service responded attempted replay. | R_GENSEC ACCEPT service did not return an output token.} SAF codes are (X'safresp',X'safreas') ESM codes are (X'esmresp',X'esmreas') Taskid (taskid) Tranid (tranid) Task userid (userid)

Explanation

A request to an External Security Manager to inquire the client principal of a kerberos token obtained from a Security Token Service has failed. A request to inquire a client principal results in a call to one or more z/OS callable services that may have failed. For example, a request to inquire the client principal can be issued by EXEC CICS VERIFY TOKEN. The reason shown in the message indicates the cause of the failure.

Reasons:

R_TICKETSERV service responded not authorized by ESM

The External Security Manager did not authorize a request to the z/OS R_TICKETSERV callable service to inquire a client principal.

Security not active

CICS security is not active.

ESM not active

The External Security Manager is not active.

KDC not active

The Key Distribution Center is not active.

KDC not responding

The Key Distribution Center is not responding.

R_TICKETSERV service responded not a kerberos region

A request to the z/OS R_TICKETSERV callable service to inquire a client principal returned a response from the External Security Manager that the CICS region is not defined to use kerberos.

R_TICKETSERV service responded invalid client principal name

A request to the z/OS R_TICKETSERV callable service to inquire a client principal returned a response from the External Security Manager that the client principal name is invalid.

R_TICKETSERV service responded invalid kerberos token

A request to the z/OS R_TICKETSERV callable service to inquire a client principal returned a response from the External Security Manager that the kerberos token is invalid.

R_TICKETSERV service responded ticket expired

A request to the z/OS R_TICKETSERV callable service to inquire a client principal returned a response from the External Security Manager that the interval during which the ticket is valid has expired.

R_TICKETSERV service responded authenticator expired

A request to the z/OS R_TICKETSERV callable service to inquire a client principal returned a response that the difference between the time in the kerberos token and the current system time exceeds the limit for the External Security Manager to authenticate.

Unclassified ESM error

A response from the External Security Manager was received which is not classified by CICS.

R_TICKETSERV service responded invalid server principal name

A request to the z/OS R_TICKETSERV callable service to inquire a client principal returned a response that the server principal in the kerberos token does not match the principal name associated with the CICS region userid.

R_USERMAP service responded no userid for client principal

A request to the z/OS R_USERMAP callable service responded that the External Security Manager does not have a userid mapped to the client principal name.

R_USERMAP service responded not authorized by ESM

The External Security Manager did not authorize a request to the z/OS R_USERMAP callable service to obtain the userid mapped to the client principal name.

R_GENSEC ACCEPT service responded attempted replay

The External Security Manager detected an attempt to replay a prior request. For example, there has been a second attempt to run EXEC CICS VERIFY TOKEN KERBEROS ENCRYPTKEY for the same kerberos token.

R_GENSEC ACCEPT service did not return an output token

The External Security Manager did not return an output token when expected for EXEC CICS VERIFY TOKEN KERBEROS OUTTOKEN.

System action

CICS continues.

User response

Contact your security administrator for assistance. Your security administrator may also need the contents of messages DFHXS1400 and DFHXS1401.

Module

DFHXSKR

XMEOUT parameters/Message inserts

  1. date
  2. time
  3. applid
  4. Value chosen from the reason options shown in the message text
  5. X'safresp'
  6. X'safreas'
  7. X'esmresp'
  8. X'esmreas'
  9. taskid
  10. tranid
  11. userid

Destination

CSCS
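
The message layout and reasons documented above can be turned into a triage parser for DFHXS1402 lines collected from the CSCS destination. This is an added example, not IBM code; it assumes one message per line, and the bucket names, the `token_threshold` parameter and all sample values are this example's own.

```python
import re
from collections import Counter

HEX = r"X'([0-9A-Fa-f]+)'"
PATTERN = re.compile(  # layout from the message text; one message per line assumed
    r"DFHXS1402 (\S+) (\S+) (\S+) .*?has failed, reason = (.+?)\.?\s+"
    rf"SAF codes are \({HEX},{HEX}\) ESM codes are \({HEX},{HEX}\) "
    r"Taskid \(([^)]*)\) Tranid \(([^)]*)\) Task userid \(([^)]*)\)")
FIELDS = ("date", "time", "applid", "reason", "safresp", "safreas",
          "esmresp", "esmreas", "taskid", "tranid", "userid")
# Triage grouping is this example's assumption; the first matching fragment wins.
BUCKETS = (("attempted replay", "replay"), ("not authorized by ESM", "authorization"),
           ("no userid for client principal", "mapping"), ("invalid", "token"),
           ("expired", "token"), ("not a kerberos region", "configuration"),
           ("not active", "availability"), ("not responding", "availability"))

def parse(line):
    """Return the message inserts as a dict, or None if the line is not DFHXS1402."""
    m = PATTERN.search(line)
    if not m:
        return None
    event = dict(zip(FIELDS, m.groups()))
    event["bucket"] = next(
        (name for frag, name in BUCKETS if frag in event["reason"]), "unclassified")
    return event

def triage(lines, token_threshold=3):
    """Alert on every replay and on repeated token failures within one region."""
    events = [e for e in map(parse, lines) if e]
    counts = Counter((e["applid"], e["bucket"]) for e in events)
    alerts = [("replay", e["applid"], e["tranid"], e["taskid"])
              for e in events if e["bucket"] == "replay"]
    alerts += [("token-failures", applid, n) for (applid, bucket), n in counts.items()
               if bucket == "token" and n >= token_threshold]
    return events, alerts

# Constructed sample lines: applid, codes, task and user values are made up.
TEMPLATE = ("DFHXS1402 01/15/2024 10:0{i}:00 {applid} A request to inquire the client "
            "principal of a kerberos token obtained from a Security Token Service has "
            "failed, reason = {reason}. SAF codes are (X'00000008',X'00000000') ESM codes "
            "are (X'00000008',X'00000000') Taskid (000012{i}) Tranid (KRB1) Task userid (CICSUSER)")
REASONS = ["R_TICKETSERV service responded ticket expired",
           "R_TICKETSERV service responded invalid kerberos token",
           "R_TICKETSERV service responded authenticator expired",
           "R_GENSEC ACCEPT service responded attempted replay", "KDC not responding"]
SAMPLE = [TEMPLATE.format(i=i, applid="CICSA01", reason=r) for i, r in enumerate(REASONS)]

if __name__ == "__main__":
    print(triage(SAMPLE)[1])
```

The SAF and ESM codes are kept as raw hex strings so they can be passed to the security administrator together with the contents of DFHXS1400 and DFHXS1401.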