IBM Support

ITX map failure with message 'gsk secure soc init failed 414 GSK ERROR BAD CERT'

Troubleshooting


Problem

An IBM Transformation Extender (ITX) map that uses the GSKit secure libraries to establish a secure connection may fail with the error message 'gsk secure soc init failed 414 GSK ERROR BAD CERT' when the 'authentication' value is set to 'on' in the [SSL_CLIENT] section of the dtx.ini file.

Symptom

An examination of the adapter trace may show:

WSAConnectSSL: GSK Error Code: 414, GSK_ERROR_BAD_CERT.

An examination of the wtxsslclient.log trace file shows:

SSLCONN: gsk_secure_soc_init failed and returned: 414 (GSK_ERROR_BAD_CERT)
SSLCONN: Server's certificate validation result returned: 575059 (GSKVAL_ERROR_BAD_ACCEPTABLE_POLICIES)
SSLLastSocketError: Failure message = GSK Error Code: 414, GSK_ERROR_BAD_CERT.

Cause

The ITX implementation of secure HTTP connections has enabled GSK_VACCINATE. This is an API setting that, in turn, enables GSK_PKIX_CERT_VALIDATION_MODE_ON.

IBM has explicitly said it wants its application (ITX) to use the more secure PKIX Certificate Validation based on RFC 5280 (Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile).

Environment

IBM Transformation Extender secure HTTP adapter connections using the GSKit library on any supported platform.

Diagnosing The Problem

Review the adapter trace and the wtxsslclient.log trace file for the symptoms listed above.

Resolving The Problem

Contact your certificate provider about the certificate policy mismatch issue.

It may be helpful to send the following references to the certificate issuer so that they can correct the certificates that were issued:

- RFC 5280 4.2.1.4

In an end entity certificate, these policy information terms
indicate the policy under which the certificate has been issued
and the purposes for which the certificate may be used. In a
CA certificate, these policy information terms limit the set of
policies for certification paths that include this certificate.

When a CA does not wish to limit the set of policies for
certification paths that include this certificate, it MAY assert
the special policy anyPolicy, with a value of { 2 5 29 32 0 }.

- RFC 5280 6.1.3 Step D

This step contains a detailed algorithm for policy processing.

- PKITS 4.8.3

For testing and test cases.
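As an added illustration (not IBM or GSKit code), the following Python example models the policy processing of RFC 5280 6.1.3 steps (d) and (e) as a set of policy OIDs, to show why a path whose certificates assert different policies ends with no valid policy. It assumes no policy mappings and no inhibitAnyPolicy constraint; the certificate names and the OIDs under 1.3.6.1.4.1.99999 are constructed sample values.

```python
ANY_POLICY = "2.5.29.32.0"  # anyPolicy, { 2 5 29 32 0 } in RFC 5280 4.2.1.4


def step_d(valid, cert_policies):
    """Apply RFC 5280 6.1.3 steps (d)/(e) for one certificate.

    valid: policy OIDs valid at the previous depth, or None (NULL tree).
    cert_policies: OIDs in the certificatePolicies extension, or None if
    the certificate has no such extension.
    """
    if valid is None or cert_policies is None:
        return None  # step (e): no extension, the tree becomes NULL
    named = set(cert_policies) - {ANY_POLICY}
    # (d)(1): keep P if the parent depth holds P, or holds anyPolicy
    nxt = named if ANY_POLICY in valid else named & valid
    # (d)(2): anyPolicy in the certificate carries every parent policy forward
    if ANY_POLICY in cert_policies:
        nxt = nxt | valid
    return nxt or None  # (d)(3): everything pruned, the tree becomes NULL


def chain_policies(chain):
    """Process a path ordered from the CA below the trust anchor to the end entity.

    chain: list of (subject, policies) pairs.
    Returns (valid policy set or None, subject where the set became NULL).
    """
    valid = {ANY_POLICY}  # initial valid_policy_tree is a single anyPolicy node
    for subject, policies in chain:
        valid = step_d(valid, policies)
        if valid is None:
            return None, subject
    return valid, None


# Constructed sample paths (names and OIDs are made up for this example).
POLICY_A = "1.3.6.1.4.1.99999.1.1"
POLICY_B = "1.3.6.1.4.1.99999.1.2"
MISMATCH = [("Intermediate CA", [POLICY_A]), ("server.example", [POLICY_B])]
MATCHING = [("Intermediate CA", [POLICY_A]), ("server.example", [POLICY_A])]
ANY_AT_CA = [("Intermediate CA", [ANY_POLICY]), ("server.example", [POLICY_B])]
NO_EXT = [("Intermediate CA", [POLICY_A]), ("server.example", None)]

if __name__ == "__main__":
    samples = {"mismatch": MISMATCH, "matching": MATCHING,
               "anyPolicy at CA": ANY_AT_CA, "no extension": NO_EXT}
    for name, chain in samples.items():
        valid, where = chain_policies(chain)
        print(f"{name}: valid={valid} became NULL at={where}")
```

A None result fails validation under RFC 5280 6.1.3 step (f) only when an explicit policy is required.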

Product: IBM Transformation Extender
Component: HTTP/S Adapter
Platform: AIX, HP-UX, Linux, Solaris, Windows, z/OS
Version: 9.0.0.0; 9.0.0.1; 9.0.0.2

Document Information

Modified date:
29 September 2018

UID

swg22007560