Atila Fogarasi wrote:
>Perhaps the cause is the obvious: RACDCERT has some options which
>require ICSF. For example a certificate that is migrated from one RACF
>system to another will have PKDS. So fairly easy to wind up using ICSF
>unexpectedly.

You nailed it. Once I used a RACF certificate instead of a gskkyman database, I
got the failure as well, exactly the same as the customer's. Interesting that
it doesn't say anything about being unable to get the certificate. But I did
find this in the output:

zSSLdoHTTP line:2179 stat: 1 rc: 455 tag: GSK_SECURE_SOCKET_INIT
SSL specific error: ICSF services are not available
zSSLdoHTTP line: 874 stat: 1 rc: 1 tag: connectToServer
zSSLdoHTTP line:1050 stat: 572 rc: -1 tag: done

I hadn't seen this before because for some reason that output (which *is* from
our product!) is going to a different data set, and I was looking at the main
one. My bad. But customer sent the entire thing from SPOOL and now that I know
what to look for, I see it in hers. And I'll figure out why this output is
separate and fix that.

-----Original Message-----
From: Phil Smith III <[email protected]>
Sent: Friday, June 21, 2024 6:12 PM
To: '[email protected]' <[email protected]>; 'IBM Mainframe
Discussion List' <[email protected]>
Subject: gsk and ICSF

(Cross-posted to IBMTCP-L and IBM-MAIN)

Had an odd one this morning: a customer who was doing some testing could not
connect to our server (on premises at their site) from z/OS (server is an x86
Linux machine). I saw the email when I woke up and thought "OK, gsktrace to the
rescue!"

But by the time I got to my desk, I had more email saying "Nevermind, ICSF
wasn't running--once we started it, all is fine". And now that's working, they
can't break it again to run with gsktrace.

Meanwhile, I can connect just fine without ICSF running. Of course, that's to
one of OUR versions of the same server, using one of OUR certificates. Wild
guess is that the customer's cert is using some certificate feature that
requires ICSF interpretation, but I had them send me both the root and the
leaf, and various online cert analyzers don't show anything obvious.

Anyone know of any certificate features that absolutely require ICSF
intervention? Our product uses GSK directly -- no AT-TLS or anything like that.

I realize this is vague but hoping someone (maybe at IBM?) has a guess...

Thanks,
...phsiii