"ADD" adds a certificate (contained in a data set) to RACF, but *not* to a
keyring. For that you need "CONNECT".
RC 8 means: An error is detected while validating a certificate, so a CA is
missing from the keyring (even though you might've ADDed it to RACF).
IBM says (edited for brevity):
1. Verify that the root CA certificate is in the SAF key ring and is marked
as trusted.
Does...
*racdcert id(CSSMTP) listr(CSSMTPRing)*
...now show that the CSSMTPRing has the mail server's certificate added as
a CERTAUTH? If not then:
*RACDCERT CONNECT(CERTAUTH + LABEL('Email server CA') + RING(CSSMTPRing)
+ USAGE(CERTAUTH) + ) + ID(CSSMTP)*
2. Check all certificates in the certification chain and verify that they
are trusted and are not expired:
*RACFCERT ID(CSSMTP) LISTCHAIN*
3. Issue the *SETROPTS RACLIST (DIGTCERT, DIGTRING) REFRESH* command to
refresh the profiles to ensure that the latest changes are available.
On Sun, 30 Jul 2023 at 12:12, Brian Westerman <[email protected]>
wrote:
> I get
> BPXF024I (TCPIP) Jul 30 01:12:45 TTLS[16777256]: 18:12:45 TCPIP 639
> EZD1286I TTLS Error GRPID: 00000007 ENVID: 00000009 CONNID: 0000009B
> LOCAL: 192.168.1.66..1122 REMOTE: 99.198.97.250..587 JOBNAME: CSSMTP
> USERID: CSSMTP RULE: CSSMTP RC: 8 Initial Handshake 00000000000000
> 00 0000005187621CF0 0000000000000000
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
>
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
