IBM Support

Resolving a CTGDIS748E error when using the system.getRacfCredentialObject() utility.

Troubleshooting

Problem

When Tivoli Directory Integrator (TDI) is executing a getRacfCredentialObject() call to retrieve the RACF password Envelope, the following error is thrown: CTGDIS183E Error while mapping attribute 'password' in the Input Attribute Map of Component 'lookupPassword' (lookupPassword.Input.password). java.lang.Exception: CTGDIS748E SignedData does not have certificate: X.509.

Symptom

The CTGDIS748E SignedData does not have certificate: X.509 error message is seen in the TDI ibmdi.log file when executing system.getRacfCredentialObject() in a TDI script.

The function call syntax:

    // Decrypt password envelope
    pass = system.getRacfCredentialObject(passbytes, "key.jks", "recipient_pass", "recipient_alias", "key_pass", "key.jks", "signer_pass", "signer_alias");

SAMPLE:

    pw = system.getRacfCredentialObject(pwbytes, "/opt/IBM/TDI/V7.1/keystores/racfKeystore.jks", "password-Recipient", "envelope alias", "password", "/opt/IBM/TDI/V7.1/keystores/racfKeystore.jks", "password-Signer", "envelope alias");

Cause

The certificate keystore file (in this example /opt/IBM/TDI/V7.1/keystores/racfKeystore.jks) does not contain the expected signer certificate, which results in SignedData does not have certificate: X.509.

Environment

This situation can occur when using the TDI zOSLDAPChangelogConnector.

Diagnosing The Problem

1. Enable SSL debug in the TDI solution.properties file to show the handshake messages.

    In solution.properties, un-comment and set the value accordingly:
        javax.net.debug=ssl
    Restart the TDI server.

2. Using a keystore management utility, review the certificate signer details. The keystore file should contain a signer certificate from the RACF system.

3. Review the RacfCredential class documentation in the TDI Javadoc (package com.ibm.di.util).

Resolving The Problem

  • Obtain the exported RACF public-key certificate and add it to the keystore file used in the function call.

    To obtain the RACF certificate:

    All of the certificate processing falls under the RACDCERT command, which has many sub-commands.

    Assuming this intermediate CA cert was added to RACF as a CA, you can list out the whole CA section via:
        RACDCERT CERTAUTH LIST(*)
    Scan the output to find the one of interest.
    To pull it out to a dataset, determine the LABEL name (first line of the output for each cert):
        RACDCERT CERTAUTH EXPORT (LABEL('the_label_here') ) DSN('dataset_name') FORMAT(pick_the_one_you_want)
        /* the default FORMAT is CERTB64 */

  • Import the certificate into the keystore file.
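An added pre-flight check, written for this technote rather than taken from TDI or the IBM documentation: it loads the keystore that the sample passes to system.getRacfCredentialObject() and verifies that the recipient alias is a private-key entry and that the signer alias resolves to an X.509 certificate, the two conditions whose absence surfaces as CTGDIS748E. The class name RacfKeystoreCheck and its argument order are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// Hypothetical pre-flight check (not part of TDI): confirms the keystore named in
// system.getRacfCredentialObject() holds what the call needs before TDI runs it.
// Usage: java RacfKeystoreCheck <keystore.jks> <storepass> <recipient_alias> <signer_alias>
public class RacfKeystoreCheck {
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());   // also verifies the store's integrity digest
        }
        boolean ok = true;
        // Recipient alias: must be a private-key entry, since it decrypts the envelope.
        if (!ks.isKeyEntry(args[2])) {
            System.err.println("FAIL recipient alias '" + args[2] + "' is not a private-key entry");
            ok = false;
        }
        // Signer alias: must resolve to the RACF signer's X.509 certificate; a missing entry
        // is what CTGDIS748E reports at runtime. getCertificate() also returns a key entry's
        // own certificate, so the alias must point at the RACF certificate, not the local key.
        Certificate signerCert = ks.getCertificate(args[3]);
        if (!(signerCert instanceof X509Certificate)) {
            System.err.println("FAIL signer alias '" + args[3] + "' has no X.509 certificate");
            ok = false;
        } else {
            X509Certificate x = (X509Certificate) signerCert;
            System.out.println("signer subject: " + x.getSubjectX500Principal());
            System.out.println("signer issuer : " + x.getIssuerX500Principal());
            try {
                x.checkValidity();   // expired or not-yet-valid RACF certificate
            } catch (CertificateException e) {
                System.err.println("FAIL signer certificate is not currently valid: " + e.getMessage());
                ok = false;
            }
        }
        // List every entry so a misspelled alias is easy to spot against the function call.
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            System.out.println((ks.isKeyEntry(alias) ? "key  " : "cert ") + alias);
        }
        System.exit(ok ? 0 : 1);
    }
}
```

Run it against the same keystore path, store password and aliases used in the TDI script; a non-zero exit code means the call will fail before TDI ever reaches RACF.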

Document Information

More support for:
Tivoli Directory Integrator

Software version:
7.1.1, 7.0, 7.1

Document number:
490789

Modified date:
16 June 2018

UID

swg21635342