Troubleshooting
Problem
You are trying to set up CLIENTAUTH for use with CICS Web Services. You receive message DFHAM4889 stating that the CERTIFICATE is not valid when you install the TCPIPSERVICE definition. You generated self-signed certificate with an external security manager (ESM). You contacted vendor and they confirmed that the certificate is valid.
Symptom
DFHAM4889E Install of TCPIPSERVICE resourcenamefailed because CERTIFICATE attname is invalid.
Cause
The certificate label (from a Keyring listing) does not match what you coded in your TCPIPService definition certificate label.
Diagnosing The Problem
The trace shows that CEDA is the running task and has the following trace entries showing exceptions:
XS 0B02 XSCT EXIT INQUIRE_CERTIFICATE/EXCEPTION REASON(CERTIFICATE_INVALID)
SAF_RESPONSE(0) ESM_RESPONSE(0) ESM_REASON(0) TITLE() COMMON_NAME()
SO 0602 SOAD EXIT ADD_REPLACE_TCPIPSERVICE/EXCEPTION
REASON(CERTIFICATE_INVALID) CIPHER_LIST()
If you back up in the trace, you see that your CERTIFICATE_LABEL has "XXXXy" in the trace (for example), but the actual CERTIFICATE_LABEL has 'XXXXyz".
SO 0601 SOAD ENTRY - FUNCTION(ADD_REPLACE_TCPIPSERVICE) STATUS(OPEN)
SSL(CLIENTAUTH) AUTHENTICATION(CERTIFICATE) GRPCRITICAL(NONCRITICAL)
TCPIPSERVICE_NAME(tttttttt) DESCRIPT(dddddddd) URM_NAME(NONE)
PORTNUMBER(nnnn) BACKLOG(1) PRIVACY(SUPPORTED) TRANSACTION(CWXN)
SOCKETCLOSE(FFFFFFFF) PROTOCOL(HTTP) MAXDATA_LENGTH(20)
CERTIFICATE_LABEL(XXXXy) CIPHER_LIST()
XS 0B02 XSCT EXIT INQUIRE_CERTIFICATE/EXCEPTION REASON(CERTIFICATE_INVALID)
SAF_RESPONSE(0) ESM_RESPONSE(0) ESM_REASON(0) TITLE() COMMON_NAME()
SO 0602 SOAD EXIT ADD_REPLACE_TCPIPSERVICE/EXCEPTION
REASON(CERTIFICATE_INVALID) CIPHER_LIST()
If you back up in the trace, you see that your CERTIFICATE_LABEL has "XXXXy" in the trace (for example), but the actual CERTIFICATE_LABEL has 'XXXXyz".
SO 0601 SOAD ENTRY - FUNCTION(ADD_REPLACE_TCPIPSERVICE) STATUS(OPEN)
SSL(CLIENTAUTH) AUTHENTICATION(CERTIFICATE) GRPCRITICAL(NONCRITICAL)
TCPIPSERVICE_NAME(tttttttt) DESCRIPT(dddddddd) URM_NAME(NONE)
PORTNUMBER(nnnn) BACKLOG(1) PRIVACY(SUPPORTED) TRANSACTION(CWXN)
SOCKETCLOSE(FFFFFFFF) PROTOCOL(HTTP) MAXDATA_LENGTH(20)
CERTIFICATE_LABEL(XXXXy) CIPHER_LIST()
Resolving The Problem
Correct the certificate label in your TCPIPSERVICE definition to match your actual certificate label. If your certificate is the DEFAULT certificate, you do not have to specify a certificate label value in the TCPIPService definition, it will be picked up from the default certificate.
[{"Type":"MASTER","Line of Business":{"code":"LOB70","label":"Z TPS"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"ARM Category":[{"code":"a8m0z00000007gUAAQ","label":"Sockets and TCPIP"}],"ARM Case Number":"","Platform":[{"code":"PF035","label":"z\/OS"},{"code":"PF038","label":"z\/VSE"}],"Version":"All Versions"}]
Product Synonym
CICS/TS CICS TS CICS Transaction Server CICS/VSE VSE z/VSE
Was this topic helpful?
Document Information
Modified date:
05 January 2026
UID
swg21419218