NSS XMLAppliance client API return codes and reason codes

The following table lists and describes the possible return codes and reason codes returned by the NSS server to NSS XMLAppliance clients.

Table 1. NSS XMLAppliance client API return codes and reason codes
Return code (NMsMRc) Reason code (NMsMRsn) Description
0 0 No error
EINVAL(121) NMsRsnBadIdent (1) Invalid message or record identifier supplied in message.
System Action: Request is failed but connection remains open.
Response: Re-issue the request and send a correctly formatted message.
EINVAL(121) NMsRsnBadVersion (2) Invalid version supplied in message header.
System Action: Request fails but connection remains open.
Response: Send a correctly formatted message.
EINVAL(121) NMsRsnBadType (3) Unsupported or unknown message type supplied in message header.
System Action: Request is failed but connection remains open.
Response: Send a supported message type.
EINVAL(121) NMsRsnExcessiveSize (4) Excessive message size.
System Action: Connection is closed.
Response: Re-issue the connection and send a correctly formatted message.
EINVAL(121) NMsRsnHdrSize (5) Message header size is not valid.
System Action: Request is failed but connection remains open.
Response: Send a message with the header size field set to the correct value.
EINVAL(121) NMsRsnMsgSize (6) Message size is not valid. For example, the message may be too short, or the message size may be greater than the sum of its parts.
System Action: Request is failed but connection remains open.
Response: Send a correctly formatted message.
EINVAL(121) NMsRsnReservedNonzero (7) Reserved data in message header, record header, or record data is non-zero value. Reserved fields must be set to 0 for compatibility with any future versions of the interface.
System Action: Request is failed but connection remains open.
Response: Send a message with reserved fields set to 0.
EINVAL(121) NMsRsnRecordLength (8) Unrecognized record length supplied in message. Length does not correspond to known record data.
System Action: Request is failed but connection remains open.
Response: Send a message with input filters of the correct length.
EINVAL(121) NMsRsnRecordCount (9) Unsupported record count supplied in message. NMI requests currently support a maximum of twenty input records.
System Action: Request is failed but connection remains open.
Response: Send a message with the correct number of input filters.
EINVAL(121) NMsRsnSectionLength (10) Unrecognized section length supplied in record. Length does not correspond to known section data.
System Action: Request is failed but connection remains open.
Response: Send a message with correct input filters.
EINVAL(121) NMsRsnSectionCount (11) Unrecognized section count supplied in record. NMI requests currently allow one section in an input record.
System Action: Request is failed but connection remains open.
Response: Send a message with correct input filters.
EINVAL(121) NMsRsnClientAlreadyConnected (10002) The remote client name is already registered with the NSS server. NSS client names must be unique.
System Action: Connection is closed.
Response: Re-issue the connection request using a unique client name.
EINVAL(121) NMsRsnNoMatchingCert (10004) The NSS server could not find a matching certificate. The certificate does not exist on the NSS server's configured keyring, it is marked untrusted, or the NSS client does not have the authority to use the certificate.
System Action: Request is failed but connection remains open.
Response: Re-issue the request with an existing, trusted, and authorized certificate label.
EINVAL(121) NMsRsnNoCertRep (10014) The NSS server does not have a certificate repository available to process the request.
System Action: Request is failed but connection remains open.
Response: Start the appropriate application logic.
EINVAL(121) NMsRsnInvalidService (10021) A service has been requested that is not affiliated with the requested discipline.
System Action: Connection is closed.
Response: Re-attempt the connection and request only the services affiliated with the requested discipline.
EINVAL(121) NMsRsnInvalidIdentity (10022) The SAF user access check request did not contain a valid user identity. The SAF ID is not recognized or, if a certificate was provided as input to the NSS_CheckUserAccessReqToSrv, no valid certificate name filter mapping is defined in RACF®.
System Action: NSS server processing continues.
Response: Ensure that the user identity is entered correctly and reissue the request.
EINVAL(121) NMsRsnInvalidSAFClass (10023) The SAF class specified in the NSS_SAFCheckUserAccessReqToSrv message was unsupported.
System Action: None.
Response: Contact the NSS client vendor. The SERVAUTH class is the only currently-supported SAF class.
EINVAL(121) NMsRsnInvalidProfileLength (10024) The SAF user access check request contained an invalid profile length.
System Action: NSS server processing continues.
Response: Contact the NSS client vendor. The maximum profile length for the SERVAUTH class is 64 bytes.
EINVAL(121) NMsRsnInvalidDiscipline (10025) The discipline specified in the connection request contains an invalid value.
System Action: Connection is closed.
Response: Re-attempt the connection and pass in a valid discipline.
EINVAL(121) NMsRsnBadUpdate (10026) The client has attempted to update its client information using values that cannot be changed after the initial connection has succeeded.
System Action: Request is failed but connection remains open.
Response: Re-attempt the update by changing only those fields which are acceptable under an update.
EINVAL(121) NMsRsnInvalidAPIVersion (10027) An NSS client has attempted to connect to the NSS server and has specified adherence to an API version that is insufficient for the requested discipline.
System Action: Connection is closed.
Response: Contact the NSS client vendor. NSS XMLAppliance clients must adhere to NMsec_NSS_API_VERSION2 (2) or higher.
EINVAL(121) NMsRsnInvalidAccessLevel (10028) The SAF user access check request contained an invalid value for the requested access level.
System Action: NSS server processing continues.
Response: Contact the NSS client vendor. Supported access levels are:
Requested access    Hexadecimal value
READ                0x02
UPDATE              0x04
CONTROL             0x08
ALTER               0x80
EINVAL(121) NMsRsnInvalidClientName (10029) NSS_ConnectClientReqToSrv or NSS_UpdateClientInfoReqToSrv request is invalid.
System Action: If the client name is invalid on the connect, the request is failed and the connection is closed. If the client name is invalid on the update, the request is failed, the connection remains open, but the client remains in the update pending state until a valid update is provided.
Response: Re-attempt the connect or update by providing a valid NSS client name. Valid characters are [a-zA-Z0-9_-]. The client name must be left-justified and blank-padded. Embedded spaces are invalid.
EINVAL(121) NMsRsnInvalidCertLabelName (10030) The NSS XMLAppliance client request contained an invalid value for the requested certificate label name.
System Action: NSS server processing continues.
Response: The NSS client should re-issue the request with a valid certificate label name. The values accepted in this field are documented in the request input for the NSS_GetCertificateReqToSrv call.
EINVAL(121) NMsRsnNoPrivateKey (10031) The certificate does not contain the private key.
System Action: Request is failed but connection remains open.
Response: If the certificate is intended to have a private key, then contact the NSSD administrator to determine what action to take.
EACCES(111) NMsRsnDisconnectPending (1) A client disconnect operation is pending, so no new request messages are being accepted.
System Action: Request is rejected and connection is eventually closed.
Response: Stop sending requests for this connection. Reconnect to the server and re-issue the request.
EACCES(111) NMsRsnUpdatePending (2) A client update operation is pending, so no new request messages are being accepted.
System Action: None.
Response: Re-issue the request.
EACCES(111) NMsRsnNoAuthForService (4) Userid is not authorized to use the NSS server for the requested service.
System Action: Connection is closed.
Response: Ensure that the client's access to the requested service is defined in the server's SERVAUTH profiles (EZB.NSS.sysname.clientname.discipline.service).
EACCES(111) NMsRsnUserAuthentication (10001) User authentication failed.
System Action: NSS server processing continues.
Response: Ensure that the userid is defined in the server's security manager and that the password or passticket is formed correctly.
EACCES(111) NMsRsnSAFUserNotAuthenticated (10002) The SAF user identity specified in the request failed authentication.
System Action: The NSS server successfully completed the authentication check. Processing continues.
Response: NSS client independent. The NSS client should react accordingly.
EACCES(111) NMsRsnSAFUserAccessDenied (10003) The SAF user access check indicates access denied from the security server.
System Action: The NSS server successfully completed the access check. Processing continues.
Response: NSS client independent. The NSS client should react accordingly.
EACCES(111) NMsRsnSAFResourceError (10004) The SAF user access check indicates that a SAF server is not installed, has not been started, or the specified class is not active, is not defined, or that no profile exists for the specified resource.
System Action: The NSS server failed to complete the access check. Processing continues.
Response: NSS client independent. The NSS client should react accordingly. Most commonly this reason code indicates that the profile that was queried does not exist. It would then be up to the NSS client to decide whether this implies access denied or access granted.
EACCES(111) NMsRsnUnsupportedDiscipline (10005) The discipline specified in the connection request is currently disabled in the NSS server.
System Action: Connection is closed.
Response: Modify the NSS server configuration to enable the specified discipline.
EACCES(111) NMsRsnNoAuthForPrivKey (10006) Userid is not permitted to use the requested certificate's private key.
System Action: Request is failed but connection remains open.
Response: Permit user to security resource SERVAUTH profile EZB.NSSCERT.sysname.mappedlabelname.PRIVKEY
EACCES(111) NMsRsnPrivKeyProtected (10007) The certificate's private key is protected from being retrieved.
System Action: Request is failed but connection remains open.
Response: If the private key is intended to be retrieved, then contact the NSSD administrator to determine what action to take.
EACCES(111) NMsRsnPrivKeyNotProtected (10008) The certificate's private key is not stored in the ICSF PKA key data set (PKDS). Signature generation and decryption require use of certificates for which the private keys are stored in the ICSF PKDS.
System Action: Request is failed but connection remains open.
Response: If the private key is intended to be used for signature generation or decryption, then contact the NSSD administrator to determine what action to take.
EACCES(111) NMsRsnNoAuthForCert (10009) Userid is not permitted to retrieve the requested certificate.
System Action: Request is failed but connection remains open.
Response: Send a message with correct input filters. Permit user to proper security resource SERVAUTH profiles: Read access to either of the following profiles will authorize the NSS server to retrieve the requested certificate:
  • EZB.NSSCERT.sysname.mappedlabelname.CERTAUTH
  • EZB.NSSCERT.sysname.mappedlabelname.HOST
ENOMEM(132) 0 Insufficient storage available in the server to process the request.
System Action: Request is failed but connection remains open.
Response: Increase the REGION size for the NSS server, or send a message with a narrower set of input filters to limit the response.
ENOLCK(131) 0 Failed to obtain an internal lock.
System Action: Request fails but connection remains open. A message will appear in the MVS™ system log with additional diagnostic information.
Response: Contact IBM® service.
EGSKCMS(10004) See gskcms.h. The Reason code represents the GSK (system SSL) return code provided on the failed call. A System SSL error was encountered when issuing a System SSL library call. The NSS reason code will contain the System SSL CMS Status Code.
System Action: Request is failed but connection remains open.
Response: Review the system SSL CMS status codes from z/OS Cryptographic Services System SSL Programming.
ECSFBEXT(10005) The high-order 16 bits of the reason code represent the ICSF return code. The low-order 16 bits of the reason code represent the ICSF reason code. An Integrated Cryptographic Service Facility (ICSF) error was encountered while performing an RSA operation. The reason code will contain the ICSF return code (high-order 16 bits) and reason code (low-order 16 bits).
System Action: Request is failed but connection remains open.
Response: Review the ICSF return and reason codes from z/OS Cryptographic Services ICSF Application Programmer's Guide.
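
The table reuses reason code values across return codes (10004 is NMsRsnNoMatchingCert under EINVAL but NMsRsnSAFResourceError under EACCES) and leaves the meaning of NMsRsnSAFResourceError to the client. The following is an added example, not IBM code, of a client-side decision routine for a SAF user access check response that keys on the return code and reason code together and treats a missing profile as access denied. The enum and function names are hypothetical, and it assumes that a 0/0 response to an access check means access was granted.

```c
#include <stdio.h>

/* Numeric values come from the table above. The identifiers below are
 * hypothetical and are not part of the NSS client API headers. */
enum { RC_OK = 0, RC_EACCES = 111, RC_EINVAL = 121 };

enum {
    RSN_SAF_USER_NOT_AUTHENTICATED = 10002, /* meaningful only with EACCES */
    RSN_SAF_USER_ACCESS_DENIED     = 10003, /* meaningful only with EACCES */
    RSN_SAF_RESOURCE_ERROR         = 10004  /* meaningful only with EACCES */
};

typedef enum { DECISION_ALLOW, DECISION_DENY, DECISION_ERROR } decision_t;

/* Map a (return code, reason code) pair from a SAF access check response
 * to a decision. Only DECISION_ALLOW may grant access. DECISION_DENY is an
 * authoritative answer from the security server; DECISION_ERROR means the
 * request itself failed and must never be read as an answer. */
decision_t saf_access_decision(int rc, int rsn)
{
    if (rc == RC_OK)
        /* Assumption: 0/0 on an access check means access granted. */
        return rsn == 0 ? DECISION_ALLOW : DECISION_ERROR;

    if (rc == RC_EACCES) {
        switch (rsn) {
        case RSN_SAF_USER_NOT_AUTHENTICATED:
        case RSN_SAF_USER_ACCESS_DENIED:
            return DECISION_DENY;
        case RSN_SAF_RESOURCE_ERROR:
            /* Most commonly "no profile exists"; fail closed. */
            return DECISION_DENY;
        default:
            /* Disconnect pending (1), update pending (2), and so on. */
            return DECISION_ERROR;
        }
    }
    /* EINVAL/10004 is NMsRsnNoMatchingCert, not a SAF result. */
    return DECISION_ERROR;
}

int main(void)
{
    /* Constructed sample responses, not captured from a real server. */
    int samples[][2] = { {0, 0}, {111, 10003}, {111, 10004}, {121, 10004} };
    for (int i = 0; i < 4; i++)
        printf("rc=%d rsn=%d -> %d\n", samples[i][0], samples[i][1],
               saf_access_decision(samples[i][0], samples[i][1]));
    return 0;
}
```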