PM01158: FTP CLIENT GETS FTPAUTH: TLS INIT FAILED WITH RC = 201 WHEN KEYRING HAS A LAST EXTENSION GREATER THAN 3 CHARACTERS

APAR status

• Closed as fixed if next.

Error description

• FTP uses the KEYRING statement to build the stash file.  FTP
  replaces the last extension in the KEYRING with a .sth .  If the
  KEYRING has a last extension that is 3 characters or less, then
  SYSTEM SSL builds the stash file in the way FTP is expecting.
  But, if the KEYRING has a last extension of more than 3
  characters, then SYSTEM SSL builds the stash file by taking the
  entire KEYRING and appending .sth .  Since FTP is not expecting
  this, it builds the wrong stash file name, and FTP fails with:
  FC0441 ftpAuth: TLS init failed with rc = 201 (No key database
  password supplied)
  .
  KEYWORDS: FTP SSL TLS sth
  .
  VERIFICATION STEPS:
  A FTP trace with option SEC shows what keyring and stash file
  names.  This will show the stash file used is not the name of
  the stash file that SYSTEM SSL built.
  

Local fix

• Create a KEYRING with a name where the last extension is 3
  characters or less
  

Problem summary

• ****************************************************************
  * USERS AFFECTED: All users of the IBM Communications Server   *
  *                 for z/OS Version 1 Release(s) 9, 10, and     *
  *                 11 IP: FTP                                   *
  ****************************************************************
  * PROBLEM DESCRIPTION: FTP client gets FTPAUTH: TLS INIT       *
  *                      FAILED WITH RC = 201 due to the         *
  *                      stash file name not matching the stash  *
  *                      file name created by SYSTEM SSL.        *
  ****************************************************************
  * RECOMMENDATION:                                              *
  ****************************************************************
  When the key ring file name has an extension of 3 characters
  or less, then SYSTEM SSL builds the stash file by replacing
  the extension with .sth . In this case both SSL and FTP
  stash file names will match. However, if the key ring file
  name has a last extension which is greater than 3 characters,
  then SYSTEM SSL builds the stash file by taking the entire
  key ring file name and appending .sth . This behavior was not
  clearly documented by SYSTEM SSL so the FTP code incorrectly
  replaced the last extension with .sth regardless of its length.
  This results in the SSL and FTP stash file names not matching,
  so FTP client fails with:
  FC0441 ftpAuth: TLS init failed with rc = 201 (No key database
  password supplied)
  
  
  An easy circumvention for the problem is to create the key ring
  file name where if there are extensions, the last extension
  is 3 characters or less.
  +-------------------------------------------------------------+
  + Please check our Communications Server for OS/390 homepages +
  + for common networking tips and fixes.  The URL for these    +
  + homepages can be found in Informational APAR II11334.       +
  +-------------------------------------------------------------+
  

Problem conclusion

Temporary fix

Comments

• This APAR is being closed FIN (Fixed If Next) with concurrence
  from the submitting customer. This means that a fix to this
  APAR is expected to be delivered from IBM in a release (if any)
  to be available within the next 24 months.
  
  This problem will be tracked as Feature F149520
  by Communications Server for z/OS Development.
  
  The solution for this APAR is included in CS for z/OS Version 1
  Release 12.
  

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels

• R1AX PSN

     UP

• R1A0 PSN

     UP

• R18X PSN

     UP