IBM Support

FTP Client fails with EZA2897I Authentication negotiation failed



FTP client fails with "EZA2897I Authentication negotiation failed" when trying to negotiate a secure FTP session.


The FTP client is trying to establish a secure session with an FTP server. The connection ends with message

    EZA2897I Authentication negotiation failed .

Enabling a client trace by issuing subcommand DEBUG SEC will show message

    ftpAuth: no keyring

before the EZA2897I message. This indicates that the FTP client did not find a key ring file specified in its FTP.DATA file.

Diagnosing The Problem

The FTP client trace should be enabled with option SEC. This can be done by adding DEBUG SEC to the FTP.DATA file or as a command.

Resolving The Problem

The FTP client must be configured with a key ring file in FTP.DATA to negotiate a secure FTP session. See the IP Configuration Reference manual for information on the KEYRING statement. To add a key ring,

  1. Use message EZY2640I to determine the FTP.DATA file being used by the ftp client.

  2. Add the KEYRING statement to FTP.DATA. The KEYRING statement must specify a valid key ring database.

[{"Product":{"code":"SSSN3L","label":"z\/OS Communications Server"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Component":"All","Platform":[{"code":"PF035","label":"z\/OS"}],"Version":"1.6;1.7;1.8;1.9;1.10;1.11;1.12;1.13;2.1;2.2;2.3","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
15 June 2018