"ADD" adds a certificate (contained in a data set) to RACF, but *not* to a keyring. For that you need "CONNECT".
RC 8 means: An error is detected while validating a certificate, so a CA is missing from the keyring (even though you might've ADDed it to RACF).

IBM says (edited for brevity):

1. Verify that the root CA certificate is in the SAF key ring and is marked as trusted.

Does...
*racdcert id(CSSMTP) listr(CSSMTPRing)*
...now show that the CSSMTPRing has the mail server's certificate added as a CERTAUTH? If not then:
*RACDCERT CONNECT(CERTAUTH +
   LABEL('Email server CA') +
   RING(CSSMTPRing) +
   USAGE(CERTAUTH) +
   ) +
   ID(CSSMTP)*

2. Check all certificates in the certification chain and verify that they are trusted and are not expired:
*RACDCERT ID(CSSMTP) LISTCHAIN*

3. Issue the *SETROPTS RACLIST (DIGTCERT, DIGTRING) REFRESH* command to refresh the profiles to ensure that the latest changes are available.

On Sun, 30 Jul 2023 at 12:12, Brian Westerman <brian_wester...@syzygyinc.com> wrote:

> I get
> BPXF024I (TCPIP) Jul 30 01:12:45 TTLS[16777256]: 18:12:45 TCPIP 639
> EZD1286I TTLS Error GRPID: 00000007 ENVID: 00000009 CONNID: 0000009B
> LOCAL: 192.168.1.66..1122 REMOTE: 99.198.97.250..587 JOBNAME: CSSMTP
> USERID: CSSMTP RULE: CSSMTP RC: 8 Initial Handshake 00000000000000
> 00 0000005187621CF0 0000000000000000
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> ----------------------------------------------------------------------
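
As an added example (not part of the original posts and not IBM tooling), a small Python parser for a line-wrapped EZD1286I message like the one quoted above: it extracts the user ID, endpoints and RC and, for RC 8, returns the keyring checks from this reply. The sample message is constructed, and the function names and the `<ring-name>` placeholder are assumptions.

```python
import re

# Constructed sample modelled on the message quoted in the thread
# (documentation-range addresses); syslogd wraps it across several lines.
SAMPLE = """\
BPXF024I (TCPIP) Jul 30 01:12:45 TTLS[16777256]: 18:12:45 TCPIP 639
EZD1286I TTLS Error GRPID: 00000007 ENVID: 00000009 CONNID: 0000009B
LOCAL: 192.0.2.10..1122 REMOTE: 198.51.100.25..587 JOBNAME: CSSMTP
USERID: CSSMTP RULE: CSSMTP RC: 8 Initial Handshake 00000000000000
00 0000005187621CF0 0000000000000000
"""

FIELD = re.compile(
    r"\b(GRPID|ENVID|CONNID|LOCAL|REMOTE|JOBNAME|USERID|RULE|RC):\s*(\S+)")

def parse_ezd1286i(text):
    """Return the fields of the EZD1286I message held in text, or None."""
    flat = " ".join(text.split())            # undo the line wrapping
    start = flat.find("EZD1286I")
    if start < 0:
        return None
    msg = flat[start:]
    fields = {k.lower(): v for k, v in FIELD.findall(msg)}
    for side in ("local", "remote"):         # printed as address..port
        host, sep, port = fields.get(side, "").rpartition("..")
        if sep and port.isdigit():
            fields[side] = (host, int(port))
    if fields.get("rc", "").isdigit():
        fields["rc"] = int(fields["rc"])
    event = re.search(r"\bRC:\s*\d+\s+(.*?)\s+[0-9A-F]{8,}", msg)
    fields["event"] = event.group(1) if event else ""
    return fields

def rc8_checks(fields, ring="<ring-name>"):
    """Keyring checks from the reply, filled in with the failing user ID.

    ring is a placeholder: the key ring name is not part of the message.
    """
    if fields is None or fields.get("rc") != 8:
        return []                            # only RC 8 is covered here
    user = fields.get("userid", "<userid>")
    return [
        f"RACDCERT ID({user}) LISTRING({ring})",
        "confirm every CA in the server's chain is connected, trusted and unexpired",
        "SETROPTS RACLIST(DIGTCERT, DIGTRING) REFRESH",
    ]

if __name__ == "__main__":
    parsed = parse_ezd1286i(SAMPLE)
    print(parsed)
    print("\n".join(rc8_checks(parsed)))
```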