IBM Support

IT14411: SSL CREATION ERROR WHEN CHANGING KEY_STORE_TYPE "ERROR IN RING_NAME LENGTH OR RACF_USERID LENGTH"

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as Permanent restriction.

Error description

  • After install of TPC for Replication for Z/OS v 5.2.8 when
    changing the key_store_type from JKS to JCERACFKS getting SSL
    certificate errors associated to the Keyring in RACF.  Error in
    Ring_name length or RACF_userid length
    ERROR   ] CWPKI0804E: SSL certificate creation error. Unable to
    create SSL key file:
    /shared/tpcr/opt/Tivoli/RM/wlp/usr/servers/replicationServer/res
    ources/sec
    ERROR   ] CWPKI0033E: The keystore located at
    /shared/tpcr/opt/Tivoli/RM/wlp/usr/servers/replicationServer/res
    ources/security/safkeyring:/WASKeyring.WASOEM1 di.........
    Error found in FFDC log file:
    Exception = java.io.IOException
    Source = com.ibm.ws.ssl.config.WSKeyStore$1
    probeid = do_getKeyStore
    Stack Dump = java.io.IOException: Error in Ring_name length or
    RACF_userid length
        at com.ibm.crypto.provider.RACFInputStream.a(Unknown Source)
        at com.ibm.crypto.provider.RACFInputStream.<init>(Unknown
    Source)
        at
    com.ibm.crypto.provider.safkeyring.a.getInputStream(Unknown
    Source)
        at java.net.URL.openStream(URL.java:1054)
        at
    com.ibm.ws.ssl.config.WSKeyStore.openKeyStore(WSKeyStore.java:98
    3)
        at
    com.ibm.ws.ssl.config.WSKeyStore$1.run(WSKeyStore.java:691)
        at
    com.ibm.ws.ssl.config.WSKeyStore$1.run(WSKeyStore.java:557)
        at
    java.security.AccessController.doPrivileged(AccessController.jav
    a:420)
        at
    com.ibm.ws.ssl.config.WSKeyStore.obtainKeyStore(WSKeyStore.java:
    557)
        at
    com.ibm.ws.ssl.config.WSKeyStore.do_getKeyStore(WSKeyStore.java:
    538)
        at
    com.ibm.ws.ssl.config.WSKeyStore.getKeyStore(WSKeyStore.java:743
    )
        at
    com.ibm.ws.ssl.config.WSKeyStore.initializeKeyStore(WSKeyStore.j
    ava:836)
        at
    com.ibm.ws.ssl.config.WSKeyStore.<init>(WSKeyStore.java:210)
        at
    com.ibm.ws.ssl.internal.KeystoreConfig.updateKeystoreConfig(Keys
    toreConfig.java:90)
        at
    com.ibm.ws.ssl.internal.KeystoreConfigurationFactory.updated(Key
    storeConfigurationFactory.java:86)
        at
    com.ibm.ws.config.admin.internal.ManagedServiceFactoryTracker$2.
    run(ManagedServiceFactoryTracker.java:274)
        at
    java.util.concurrent.Executors$RunnableAdapter.call(Executors.ja
    va:483)
        at java.util.concurrent.FutureTask.run(FutureTask.java:274)
        at
    com.ibm.ws.config.admin.internal.UpdateQueue$Queue.run(UpdateQue
    ue.java:67)
        at
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExec
    utor.java:1157)
        at
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExe
    cutor.java:627)
        at java.lang.Thread.run(Thread.java:798)
    Caused by: java.io.IOException: Error in Ring_name length or
    RACF_userid length
        at com.ibm.crypto.provider.RACF.getRecords(Native Method)
    Keyring name is being incorrectly parced.
    key.store.location=safkeyring:///WASKeyring.WASOEM1
    Escape characters are incorrectly removed and result is:
    location = "safkeyring:/WASKeyring.WASOEM1
    

Local fix

  • Use default key instead of custom keyring.
    .
    RECREATE STEPS:
    Change the key_store_type from JKS to JCERACFKS.  Use a keyring
    in RACF instead of the default Key.
    ________________________________________________________________
    DB2 Version used for Server:          N/A
    The defect is against component:      5608TRMZ0
    Server/Manager build/release (TPC):      5.2.8
    ________________________________________________________________
    Problem as described by customer:      Unable to use custom
    Keyring in RACF.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * Tivoli Storage Productivity Center for Replication 5.2.x     *
    * users                                                        *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * See ERROR DESCRIPTION.                                       *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Migrate to Copy Services Manager 6.1.1 or later.             *
    ****************************************************************
    

Problem conclusion

  • No fix is available for Tivoli Storage Productivity Center
    5.2.x.  A fix is available in Copy Services Manager 6.1.1 and
    later.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT14411

  • Reported component name

    TPC

  • Reported component ID

    5608TPC00

  • Reported release

    528

  • Status

    CLOSED PRS

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-03-22

  • Closed date

    2016-08-04

  • Last modified date

    2018-09-17

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IT16262

Modules/Macros

  • TPCR
    

Fix information

Applicable component levels

[{"Business Unit":{"code":"BU029","label":"Software"},"Product":{"code":"SSNE44","label":"Tivoli Storage Productivity Center"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"528"}]

Document Information

Modified date:
24 June 2022