z/OS Security Server RACF Messages and Codes


SA23-2291-00

IRRD156I
Keyusage is incompatible with Key algorithm.

Explanation

You are attempting to generate a certificate using either the RACDCERT TSO command or the R_PKIServ callable service. The KeyUsage value is not compatible with the key algorithm.

If you are using the RACDCERT GENCERT command, the valid KeyUsages are:
  • DSA
    • HANDSHAKE
    • DOCSIGN
    • CERTSIGN
    If the keyEncipherment, dataEncipherment, keyAgreement, encipherOnly, or decipherOnly bit is on in the request, you must specify compatible KeyUsage or key type values to override those contradicting values in the request.
  • RSA
    • HANDSHAKE
    • DOCSIGN
    • CERTSIGN
    • DATAENCRYPT
  • ECC
    • HANDSHAKE
    • DOCSIGN
    • CERTSIGN
    • KEYAGREE
    If the keyEncipherment or dataEncipherment bit is on in the request, you must specify compatible KeyUsage or key type values to override those contradicting values in the request.
If you are using the R_PKIServ callable service GENCERT, REQCERT, or MODIFYREQS, the valid KeyUsages are:
  • DSA
    • DIGITALSIGNATURE (DIGITALSIG)
    • NONREPUDIATION
    • KEYCERTSIGN
    • CRLSIGN
    If the keyEncipherment, dataEncipherment, keyAgreement, encipherOnly, or decipherOnly bit is on in the request, you must specify compatible KeyUsage or key type values to override those contradicting values in the request.
  • RSA
    • DIGITALSIGNATURE (DIGITALSIG)
    • NONREPUDIATION
    • KEYCERTSIGN
    • CRLSIGN
    • KEYENCIPHERMENT (KEYENCRYPT, KEYENCIPH)
    • DATAENCIPHERMENT (DATAENCIPH)
  • ECC
    • DIGITALSIGNATURE (DIGITALSIG)
    • NONREPUDIATION
    • KEYCERTSIGN
    • CRLSIGN
    • KEYAGREE
    If the keyEncipherment or dataEncipherment bit is on in the request, you must specify compatible KeyUsage or key type values to override those contradicting values in the request.
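
The following pre-submission check is an added example, not IBM code: it applies the lists above to a planned request and returns the KeyUsage values that would lead to IRRD156I. The function and table names are hypothetical, and it assumes that explicitly specified KeyUsage values replace the bits carried in the PKCS #10 request.

```python
# Valid KeyUsage values per interface and key algorithm, copied from the lists above.
_SIGN = {"DIGITALSIGNATURE", "NONREPUDIATION", "KEYCERTSIGN", "CRLSIGN"}
VALID = {
    "RACDCERT": {
        "DSA": {"HANDSHAKE", "DOCSIGN", "CERTSIGN"},
        "RSA": {"HANDSHAKE", "DOCSIGN", "CERTSIGN", "DATAENCRYPT"},
        "ECC": {"HANDSHAKE", "DOCSIGN", "CERTSIGN", "KEYAGREE"},
    },
    "R_PKISERV": {
        "DSA": set(_SIGN),
        "RSA": _SIGN | {"KEYENCIPHERMENT", "DATAENCIPHERMENT"},
        "ECC": _SIGN | {"KEYAGREE"},
    },
}

# Abbreviations shown in parentheses in the R_PKIServ lists.
ALIASES = {
    "DIGITALSIG": "DIGITALSIGNATURE",
    "KEYENCRYPT": "KEYENCIPHERMENT",
    "KEYENCIPH": "KEYENCIPHERMENT",
    "DATAENCIPH": "DATAENCIPHERMENT",
}

# Request bits the page names as contradicting each algorithm (none are named for RSA).
CONTRADICTING_BITS = {
    "DSA": {"KEYENCIPHERMENT", "DATAENCIPHERMENT", "KEYAGREEMENT",
            "ENCIPHERONLY", "DECIPHERONLY"},
    "RSA": set(),
    "ECC": {"KEYENCIPHERMENT", "DATAENCIPHERMENT"},
}


def normalize(values):
    """Upper-case each value and expand the documented abbreviations."""
    cleaned = (v.strip().upper() for v in values)
    return {ALIASES.get(v, v) for v in cleaned}


def rejected_keyusage(interface, algorithm, explicit=(), request_bits=()):
    """Return the sorted values that conflict with the key algorithm.

    An empty list means the combination is compatible. `explicit` holds the
    KeyUsage values given on the command or call; `request_bits` holds the
    keyUsage bit names that are on in the PKCS #10 request.
    """
    alg = algorithm.upper()
    if explicit:
        # Assumption: explicit values override whatever the request carries.
        return sorted(normalize(explicit) - VALID[interface.upper()][alg])
    return sorted(normalize(request_bits) & CONTRADICTING_BITS[alg])
```
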

System action

RACDCERT or R_PKIServ processing ends. RACF® prevents the request from completing.

User response

Select a different KeyUsage, generate a new PKCS #10 certificate, if applicable, or contact your system programmer or web page administrator.

Application Programmer Response

Modify the application invoking the R_PKIServ callable service to provide different KeyUsage values.

Web Page Administrator Response

If R_PKIServ is being invoked from the PKI Services CGIs, modify the certificate template definition in the pkiserv.tmpl file to provide different KeyUsage values in the <CONSTANT> section.





Copyright IBM Corporation 1990, 2014