IBM Support

Errors at Startup with AT-TLS Enabled

Troubleshooting


Problem

The TCPIP stack has been configured to enable Application Transparent Transport Layer Security (AT-TLS); the TTLS keyword was added to the TCPCONFIG statement and the appropriate policies defined in the TTLSConfig input to Policy Agent. When some servers or other applications are started, they receive an EAGAIN errno (EDC5112I Resource temporarily unavailable.) with reason code (errno2, errnojr) 74580296 or 74610296 (JRTCPNOTACTIVE - No AF_INET socket provider is active).

Symptom

  • If OMPROUTE is affected, the following message is generated:
    EZZ7814I UNABLE TO CREATE SOCKET TYPE 1, ERRNO=112:EDC5112I RESOURCE TEMPORARILY UNAVAILABLE., ERRNO2=74580296
  • If Policy Agent is affected, the following message is written to the configured SYSLOGD file:
    SYSERR :001: plfm_kernel_init: socket(INET, DGRAM, 0) failed, errno=EDC5112I Resource temporarily unavailable., errno2=74610296
  • FTP client invocations get the following message:
    EZA2590E socket error from initIPv4Connection - EDC5112I Resource temporarily unavailable. (errno2=0x74580296)
  • The EZZ4248E TCPIP WAITING FOR PAGENT TTLS POLICY message remains highlighted during the period of these failures.

  • If using RACF, the following message might be generated for each attempt:
    ICH408I USER(USER4   ) GROUP(OEA     ) NAME(####################)
      EZB.INITSTACK.MVS180.TCPIP CL(SERVAUTH)
      INSUFFICIENT ACCESS AUTHORITY
      FROM EZB.INITSTACK.** (G)
      ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )

Cause

Until Policy Agent has installed the AT-TLS policies, TCPIP will prevent applications from creating a TCP socket unless they have READ access to the EZB.INITSTACK.sysname.tcpname resource (or a matching generic name) in the SERVAUTH class.

Systems that do not have any profile that matches EZB.INITSTACK.sysname.tcpname might not get a security violation message, yet the start attempt will still fail. This is because some SAF products (including RACF) do not record a violation just because a profile does not exist. However, the TCPIP stack will still reject the attempt as if the ID did not have access.

Resolving The Problem

All address spaces that need to be active before AT-TLS services are available (which include OMPROUTE and Policy Agent) need to be included in the access list for the EZB.INITSTACK.sysname.tcpname resource. All other applications need to wait until those services are available, as indicated by the EZZ4250I AT-TLS SERVICES ARE AVAILABLE FOR tcpname message.


For servers started by the AUTOLOG statement, startup can be delayed automatically by adding DELAYSTART TTLS to their AUTOLOG entry. Note: this option is only available on systems running z/OS 1.10 or above.
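The permit the resolution calls for, as an added example that is not from the IBM technote: a batch job that defines the SERVAUTH resource with UACC(NONE) and grants READ only to the address spaces that must start before AT-TLS is available. It assumes the system and stack names shown in the ICH408I above (MVS180, TCPIP) and assumes the started tasks run under user IDs OMPROUTE and PAGENT; substitute the user IDs your STARTED-class profiles actually assign.

```jcl
//INITSTK  JOB (ACCT),'PERMIT INITSTACK',CLASS=A,MSGCLASS=X
//* Added example, not from the technote. Defines the resource that
//* TCPIP checks until Policy Agent has installed the AT-TLS policy,
//* and permits only the address spaces that have to start before that.
//* Assumed: system MVS180 and stack TCPIP (taken from the ICH408I
//* message above); OMPROUTE and PAGENT are assumed started-task user
//* IDs. A generic such as EZB.INITSTACK.** would also match if
//* SETROPTS GENERIC(SERVAUTH) is active.
//* The discrete profile with UACC(NONE) has a side benefit: any other
//* application that opens a socket too early now produces an ICH408I
//* instead of failing with no audit record, which makes the early
//* starters easy to find in the system log.
//* SETROPTS RACLIST(SERVAUTH) REFRESH assumes SERVAUTH is RACLISTed,
//* as z/OS Communications Server recommends.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  RDEFINE SERVAUTH EZB.INITSTACK.MVS180.TCPIP UACC(NONE)
  PERMIT EZB.INITSTACK.MVS180.TCPIP CLASS(SERVAUTH) -
         ID(OMPROUTE PAGENT) ACCESS(READ)
  SETROPTS RACLIST(SERVAUTH) REFRESH
/*
```

Servers that should wait for AT-TLS rather than start early are left off this permit list and get DELAYSTART TTLS on their AUTOLOG entry instead, as described above.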

Related Information

Product: z/OS Communications Server
Platform: z/OS
Version: 1.7, 1.8, 1.9, 1.10, 1.11, 1.12, 1.13, 2.1, 2.2, 2.3
Business Unit: Systems w/TPS
Line of Business: Mainframe SW

Document Information

Modified date:
23 June 2018

UID

swg21407350