IBM Support

EZD1075I Received ISAKMP error notification message : Invalid Certificate

Troubleshooting


Problem

The IKE daemon received an ISAKMP error notification message. This error indicates that a security association (SA) negotiation failure occurred. This message can appear when migrating from z/OS Firewall Technologies to use the integrated IPSec function of z/OS Communications Server.

Symptom

When attempting to establish a dynamic security association (also known as a VPN tunnel) with a Nokia firewall, IKED may issue the message:

EZD1075I Received ISAKMP error notification message: Invalid Certificate

Cause

The Nokia firewall may have a configuration option turned on in its IPSec certificate definitions indicating that it expects to receive a certificate from Sentry (the started task name for Firewall Technologies).
After the migration to IKED, the certificate no longer comes from Sentry but is sent by IKED, so the certificate is rejected and message EZD1075I is displayed.

Diagnosing The Problem

Set IkeSyslogLevel 255 in the IKED configuration file to get more detailed information about this failure. EZD1075I is issued when the peer detects an error and sends notification of it back to IKED, so the peer must be investigated to determine why it rejected the certificate.

Resolving The Problem

Reconfigure the Nokia firewall to turn off the extra layer of certificate checking.

Product: z/OS Communications Server
Component: All
Platform: z/OS
Version: 1.8; 1.9; 1.10; 1.11; 1.12; 1.13; 2.1; 2.2
Edition: All Editions

Document Information

Modified date:
15 June 2018

UID

swg21289153