A fix is available
APAR status
Closed as program error.
Error description
IKEv1 negotiation fails when NSSD is used for certificate services, with message EZD1923I A create signature request to the NSS server failed; no matching certificate was found for local security endpoint identity <local_identify_information>. The peer sent a Certificate Request (CertReq) payload identifying its trust anchors, and NSSD is not able to find a local identity certificate that can be validated up to one of those trust anchors. The information reported in EZD1923I does not provide enough detail to identify the reason for the failure.

Activating NSSD tracing to include SyslogLevel NSS_SYSLOG_LEVEL_VERBOSE produces message EZD1326I Request type NSS_CreateSignatureReqToSrv with correlator ID <correlator_number> from client <clientname> failed - return code EINVAL reason code NSSRsnNoMatchingCert. This reason code does not distinguish between having no local identity certificate at all and having one that cannot satisfy the supplied CertReq.

NSSD should provide a unique reason code when no local identity certificate is available that satisfies the CertReq on an IKEv1 request. The unique reason code should also propagate to a unique IKED message.
Local fix
Problem summary
USERS AFFECTED: All users of the IBM Communications Server for z/OS Version 2 Releases 2 and 3: IKED and NSSD

PROBLEM DESCRIPTION: IKED does not provide a unique error message when a create signature request to the NSS server fails in the case where a certificate was found that matches the local identity but was not signed by a Certificate Authority requested by the peer.

RECOMMENDATION: Apply PTF
Problem conclusion
The code is amended to provide a unique IKED error message (EZD2046I) indicating that a certificate matching the local identity was found but was not signed by a Certificate Authority requested by the peer. IKED message EZD2046I is added. Documentation is provided at: http://www.ibm.com/support/docview.wss?uid=ibm10876716
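The distinction this APAR introduces (no local identity certificate at all versus an identity certificate whose chain does not reach any CA named in the peer's CertReq) is easiest to see as a certificate-selection routine. The following Python is an added example written for this page; it is not IBM code and NSSD's actual selection logic is not described here. The data model (Cert, Keyring), the status constants, the DNs and identities, and the chain-walking helper are all assumptions constructed for illustration; only the message IDs EZD1923I and EZD2046I and the reason code name come from the APAR text.

```python
"""Certificate selection against an IKEv1 CertReq payload (illustrative model).

The peer's CertReq carries the distinguished names of the CAs it trusts.
The responder must pick a local identity certificate that chains to one of
those CAs. Two different failures are possible, and this example reports
them separately, as the fix in APAR PH07935 does.
"""
from dataclasses import dataclass

# Outcome codes (hypothetical names; the real NSSD reason codes differ).
NO_IDENTITY_CERT = "NO_IDENTITY_CERT"   # keyring holds nothing for this identity
NO_TRUSTED_CHAIN = "NO_TRUSTED_CHAIN"   # identity cert exists, chain misses requested CAs
OK = "OK"

# IKED message reported for each failure per the APAR: EZD1923I for the
# generic "no matching certificate" case, EZD2046I for the new distinct case.
IKED_MESSAGE = {NO_IDENTITY_CERT: "EZD1923I", NO_TRUSTED_CHAIN: "EZD2046I"}


@dataclass(frozen=True)
class Cert:
    subject: str          # subject DN
    issuer: str           # issuer DN
    identities: tuple = ()  # identities (e.g. FQDNs) this certificate represents


@dataclass
class Keyring:
    identity_certs: list   # end-entity certificates with private keys
    ca_certs: dict         # subject DN -> Cert, CA certificates available for chaining


def chain_reaches_requested_ca(cert, ca_certs, requested_cas, max_depth=8):
    """Walk issuer links from cert upward; True if some issuer in the chain
    is a DN the peer listed in its CertReq. Stops at a self-signed root,
    a missing issuer, or max_depth to avoid looping on malformed stores."""
    current = cert
    for _ in range(max_depth):
        if current.issuer in requested_cas:
            return True
        if current.issuer == current.subject:   # self-signed root, not requested
            return False
        current = ca_certs.get(current.issuer)
        if current is None:                     # chain is broken in the local store
            return False
    return False


def select_signing_cert(local_identity, requested_cas, keyring):
    """Return (status, cert). Distinguishes 'no certificate for this identity'
    from 'certificate exists but does not chain to a requested CA'."""
    candidates = [c for c in keyring.identity_certs if local_identity in c.identities]
    if not candidates:
        return NO_IDENTITY_CERT, None
    requested = set(requested_cas)
    for cert in candidates:
        if chain_reaches_requested_ca(cert, keyring.ca_certs, requested):
            return OK, cert
    return NO_TRUSTED_CHAIN, None


def iked_message_for(status):
    """Map a selection outcome to the IKED message ID the APAR describes."""
    return IKED_MESSAGE.get(status)


# Constructed sample keyring: root -> issuing CA -> gateway identity cert.
ROOT = Cert("CN=Corp Root CA", "CN=Corp Root CA")
ISSUING = Cert("CN=Corp Issuing CA", "CN=Corp Root CA")
GATEWAY = Cert("CN=vpn-gw1", "CN=Corp Issuing CA", ("vpn-gw1.example.com",))
KEYRING = Keyring(
    identity_certs=[GATEWAY],
    ca_certs={ROOT.subject: ROOT, ISSUING.subject: ISSUING},
)

if __name__ == "__main__":
    # Peer trusts our root: selection succeeds through the intermediate.
    print(select_signing_cert("vpn-gw1.example.com", ["CN=Corp Root CA"], KEYRING))
    # Peer trusts only a partner CA: cert exists but cannot be validated to it.
    status, _ = select_signing_cert("vpn-gw1.example.com", ["CN=Partner CA"], KEYRING)
    print(status, iked_message_for(status))
    # Identity with no certificate in the keyring at all.
    status, _ = select_signing_cert("other.example.com", ["CN=Corp Root CA"], KEYRING)
    print(status, iked_message_for(status))
```

When triaging EZD1923I in production, the practical split is the same one the model makes: if the keyring has no certificate for the local identity, the fix is a keyring or identity-configuration change; if a certificate exists but the peer's CertReq names CAs outside that certificate's chain, the two sides' trust anchors disagree and either the peer's trust configuration or the local certificate's issuing CA must change.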
Temporary fix
Comments
APAR Information
APAR number
PH07935
Reported component name
TCP/IP MVS
Reported component ID
5655HAL00
Reported release
220
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-01-30
Closed date
2019-03-28
Last modified date
2019-06-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI62200 UI62201
Modules/Macros
EZAI2CIS EZAINCRE EZACLIEU EZAISLOG
Fix information
Fixed component name
TCP/IP MVS
Fixed component ID
5655HAL00
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.