Hello Roberto. 

In RACF-land, I'd look for an ICH message on the console to make sure you don't 
need to PERMIT the client or the server access to the keyring.  I've found the 
gsk trace file to be very helpful--if the security manager doesn't tell you via 
a console message.  Telling PAGENT about the security change might also be 
needed on the side that's failing. 

Here is a section of some documentation I wrote up for debugging such errors 
for one of our products:
-----------------------------------------------------------------------------------------------------------------
(One of the examples:)
EZD1287I TTLS Error RC:  406 Initial Handshake 477
  LOCAL: 172.29.127.60..1173
  REMOTE: 172.29.127.60..5401
  JOBNAME: MBXWL RULE: MBX_STC_Rule

The RC values are most helpful.  Since there is a policy used for both inbound 
(MBX_CICS_Rule) and outbound (MBX_STC_Rule—note the rules in play are also 
displayed on the console), there will likely be two EZD1287I messages displayed 
if there is a problem.  (Both sides will experience a problem.)  You can find 
an explanation for these in the SC14-7495-30 Cryptographic Services System 
Secure Sockets Layer Programming manual, currently in chapter 13.  

SC27-3651-30 IP Configuration Reference contains the syntax for the AT-TLS 
policy (/etc/pagent_TTLS.conf).

GC27-3652-30 IP Diagnosis Guide may be useful if you are getting GSK errors.

SA23-2292-30 Security Server RACF Command Language Reference contains the 
syntax for the RACDCERT instructions.

If you need to see the GKY messages, set the Trace value in the TTLSGroupAction 
parms for both the MBX_CICS_Rule and MBX_STC_Rule to Trace 255.  When you 
upload /etc/pagent_TTLS.conf, the policy agent will re-install the policy. 

If you make RACF changes to the keyrings, you need to tell the policy agent to 
refresh its settings for them.  You can do this by changing the 
EnvironmentAction value & reloading the pagent_TTLS.conf file.
-----------------------------------------------------------------------------------------------------------------

HTH, 
Wendell

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
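As an added illustration of the EZD1287I pattern Wendell describes (this is not code from the post or from any IBM product), here is a small parser that pulls the RC, handshake stage, endpoints, job name and rule out of console output and pairs up the two messages that the inbound and outbound sides log for one failed handshake. The first sample message is the one quoted above; the second, for MBX_CICS_Rule with the endpoints reversed, is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed console sample: message 1 is from the post, message 2 is an
# invented counterpart for the inbound rule (both sides log an EZD1287I).
SAMPLE_CONSOLE = """\
EZD1287I TTLS Error RC:  406 Initial Handshake 477
  LOCAL: 172.29.127.60..1173
  REMOTE: 172.29.127.60..5401
  JOBNAME: MBXWL RULE: MBX_STC_Rule
EZD1287I TTLS Error RC:  406 Initial Handshake 477
  LOCAL: 172.29.127.60..5401
  REMOTE: 172.29.127.60..1173
  JOBNAME: MBXCICS RULE: MBX_CICS_Rule
"""

HEADER_RE = re.compile(r"EZD1287I TTLS Error RC:\s*(\d+)\s+(.*?)\s+(\d+)\s*$")
FIELD_RE = re.compile(r"(LOCAL|REMOTE|JOBNAME|RULE):\s*(\S+)")

@dataclass
class TtlsError:
    rc: int        # the System SSL return code to look up in the manual
    stage: str     # e.g. "Initial Handshake"
    detail: int    # trailing number on the message line (477 above)
    local: str
    remote: str
    jobname: str
    rule: str

def split_endpoint(ep: str) -> Tuple[str, int]:
    """z/OS TCP/IP writes address..port; return (address, port)."""
    host, port = ep.rsplit("..", 1)
    return host, int(port)

def parse_ezd1287i(text: str) -> List[TtlsError]:
    events, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:                       # start of a new multi-line message
            if cur: events.append(TtlsError(**cur))
            cur = dict(rc=int(m.group(1)), stage=m.group(2), detail=int(m.group(3)),
                       local="", remote="", jobname="", rule="")
        elif cur:                   # continuation lines may carry two fields
            for key, val in FIELD_RE.findall(line):
                cur[key.lower()] = val
    if cur: events.append(TtlsError(**cur))
    return events

def match_sides(events: List[TtlsError]) -> List[Tuple[TtlsError, TtlsError]]:
    """Pair messages whose LOCAL/REMOTE are mirror images: same failed handshake."""
    pairs, used = [], set()
    for i, a in enumerate(events):
        for j in range(i + 1, len(events)):
            b = events[j]
            if j not in used and a.local == b.remote and a.remote == b.local:
                pairs.append((a, b)); used.update((i, j)); break
    return pairs
```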