z/OS Security Server RACF Messages and Codes


SA23-2291-00

IRRI023I
RRSF CONNECTION {TO | FROM} system-identifier HAS BEEN REJECTED DUE TO INSUFFICIENT AT-TLS POLICY. THE AT-TLS RULE NAME rule-name SPECIFIES APPLICATION CONTROL.

Explanation

RACF® remote sharing requires its connections to be covered by an AT-TLS rule. It is AT-TLS that provides the authentication of RRSF nodes to one another and the encryption of traffic across the network. The policy rule that matches this connection (the TTLSRule named rule-name) indicates that AT-TLS is enabled for this connection, but that the application is responsible for initiating the secure handshake. RRSF does not support this; instead, RRSF relies on TCP/IP to establish the secure connection on behalf of RRSF. See z/OS Security Server RACF System Programmer's Guide for more information about AT-TLS.

If the ApplicationControlled keyword is present in the AT-TLS policy information for the RRSF client or server rule, make sure that the value is set to OFF.

In the AT-TLS policy information for the RRSF server rule, make sure that the HandshakeRole keyword is set to ServerWithClientAuth and that the ClientAuthType keyword, if specified, is either Required (the default, if not specified) or SAFCheck.
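The following Python script is an added worked example; it is not part of this message description and not IBM's own sample policy. It parses a constructed AT-TLS policy fragment (rule names, the listening port 18136, the keyring name and the jobname-free rule layout are all assumptions) and reports, for a named TTLSRule, the conditions in the two paragraphs above that cause IRRI023I on the RRSF server side: ApplicationControlled not Off, HandshakeRole other than ServerWithClientAuth, and a ClientAuthType other than Required or SAFCheck. It also reports a rule whose group action does not set TTLSEnabled On, since such a rule does not protect the connection at all. The parser handles the policy grammar only as far as this check needs: statement blocks of the form Type [Name] { ... }, nested inline blocks, and ...Ref keywords that point at a named block of the matching type.

```python
"""Lint AT-TLS policy rules for the conditions that make RACF issue IRRI023I.
Added example; the policy text below is constructed, not taken from any real system."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: one broken RRSF server rule and one corrected rule.
SAMPLE_POLICY = """
TTLSRule RRSFServerBad
{
  LocalPortRange 18136
  Direction Inbound
  TTLSGroupActionRef RRSFGroup
  TTLSEnvironmentActionRef RRSFServerEnvBad
}
TTLSEnvironmentAction RRSFServerEnvBad
{
  HandshakeRole Server
  TTLSKeyringParms
  {
    Keyring RRSFRing
  }
  TTLSEnvironmentAdvancedParms
  {
    ApplicationControlled On
    ClientAuthType Full
  }
}
TTLSRule RRSFServerGood
{
  LocalPortRange 18136
  Direction Inbound
  TTLSGroupActionRef RRSFGroup
  TTLSEnvironmentActionRef RRSFServerEnvGood
}
TTLSEnvironmentAction RRSFServerEnvGood
{
  HandshakeRole ServerWithClientAuth
  TTLSKeyringParms
  {
    Keyring RRSFRing
  }
  TTLSEnvironmentAdvancedParmsRef RRSFServerAdv
}
TTLSEnvironmentAdvancedParms RRSFServerAdv
{
  ApplicationControlled Off
  ClientAuthType SAFCheck
}
TTLSGroupAction RRSFGroup
{
  TTLSEnabled On
}
"""


@dataclass
class Block:
    btype: str
    name: Optional[str]
    attrs: Dict[str, str] = field(default_factory=dict)
    children: List["Block"] = field(default_factory=list)


def _tokenize(text: str) -> List[str]:
    toks: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]                      # '#' starts a comment
        toks.extend(line.replace("{", " { ").replace("}", " } ").split())
    return toks


def _parse_block(toks: List[str], i: int):
    """Parse 'Type [Name] { ... }' at toks[i]; return (block, index after '}')."""
    btype, i = toks[i], i + 1
    name = None
    if toks[i] != "{":
        name, i = toks[i], i + 1
    if toks[i] != "{":
        raise ValueError(f"expected '{{' after {btype} {name}")
    i += 1
    blk = Block(btype, name)
    while toks[i] != "}":
        if toks[i + 1] == "{" or (i + 2 < len(toks) and toks[i + 2] == "{"):
            child, i = _parse_block(toks, i)              # nested inline block
            blk.children.append(child)
        else:
            blk.attrs[toks[i]] = toks[i + 1]              # single-token 'Keyword Value'
            i += 2
    return blk, i + 1


def parse_policy(text: str) -> Dict[str, Dict[str, Block]]:
    """Index top-level blocks by type, then by name."""
    toks, index, i = _tokenize(text), {}, 0
    while i < len(toks):
        blk, i = _parse_block(toks, i)
        index.setdefault(blk.btype, {})[blk.name] = blk
    return index


def effective_attrs(blk: Block, index) -> Dict[str, str]:
    """Flatten keywords reachable from blk via nested blocks and ...Ref pointers."""
    eff: Dict[str, str] = {}
    for key, val in blk.attrs.items():
        if key.endswith("Ref"):                           # e.g. TTLSGroupActionRef -> TTLSGroupAction
            target = index.get(key[:-3], {}).get(val)
            if target is None:
                raise KeyError(f"{key} {val}: no {key[:-3]} block with that name")
            eff.update(effective_attrs(target, index))
        else:
            eff[key] = val
    for child in blk.children:
        eff.update(effective_attrs(child, index))
    return eff


def check_rrsf_rule(rule_name: str, policy_text: str = SAMPLE_POLICY) -> List[str]:
    """Return the list of problems that would lead to IRRI023I; empty means the rule is acceptable."""
    index = parse_policy(policy_text)
    rule = index["TTLSRule"][rule_name]
    eff = effective_attrs(rule, index)
    findings: List[str] = []
    # AT-TLS defaults when a keyword is absent: TTLSEnabled Off, ApplicationControlled Off,
    # HandshakeRole Client, ClientAuthType Required.
    if eff.get("TTLSEnabled", "Off").lower() != "on":
        findings.append("TTLSEnabled is not On: the connection is not protected by AT-TLS")
    if eff.get("ApplicationControlled", "Off").lower() != "off":
        findings.append("ApplicationControlled is On: RRSF cannot start the handshake itself")
    if rule.attrs.get("Direction", "Both").lower() != "outbound":     # server-side rule
        role = eff.get("HandshakeRole", "Client")
        if role != "ServerWithClientAuth":
            findings.append(f"HandshakeRole is {role}: the server rule must use ServerWithClientAuth")
        auth = eff.get("ClientAuthType", "Required")
        if auth not in ("Required", "SAFCheck"):
            findings.append(f"ClientAuthType is {auth}: must be Required (the default) or SAFCheck")
    return findings


if __name__ == "__main__":
    for name in ("RRSFServerBad", "RRSFServerGood"):
        print(name, check_rrsf_rule(name) or ["OK"])
```

Running the script lists three findings for RRSFServerBad (ApplicationControlled On, HandshakeRole Server, ClientAuthType Full) and none for RRSFServerGood, which carries the settings the two paragraphs above call for. Policy keywords that take more than one token per line are outside what this simplified parser accepts.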

The value for direction can be TO, when the message is issued by the system that initiated the connection, or FROM, when the message is issued by the system that received the connection request.

When the value of direction is TO, system-identifier is expressed as NODE node-name, followed by SYSNAME system-name if the target is a multisystem node.

When the value of direction is FROM, the communication failed before RRSF identified the peer RRSF node and system name, or determined if the peer is a valid RRSF node. Therefore, system-identifier is expressed as PEER, followed by an IP address and a port number, separated by a colon. If necessary, you can use the z/OS® UNIX host command to map the IP address to a host name. See z/OS Communications Server: IP System Administrator's Commands for more information about the z/OS UNIX host command. For example, if the peer information displayed is 1.2.3.4:1026, issue the following command:
$ host 1.2.3.4
EZZ8321I zossys1.xyz.com 1.2.3.4

System action

The connection is rejected. The RRSF connection is placed in the OPERATIVE-PENDING-VERIFICATION state.

System programmer response

After the security administrator has updated the AT-TLS policy, try the connection again with the TARGET OPERATIVE command for the failed node and system.

Routing code

2 and 9

Descriptor code

4

RACF Security Administrator Response

Turn off the application-controlled indicator in the policy definition. See z/OS Security Server RACF System Programmer's Guide for information about RACF requirements.





Copyright IBM Corporation 1990, 2014