A fix is available
APAR status
Closed as program error.
Error description
Phase 1 security association fails to be created, with these messages:
EZD1008I 0368 System SSL CMS call "copy_decoded_cert_extension" failure : 00000001 Handle is not valid
EZD0963I Internal Error 0799 - unable to obtain memory of size 752
EZD0984I IKE function 0A27 - doi->GetCertByID() failed : 0 | 0 |
EZD0984I IKE function 0A38 - getMyKeyPairByAlg() failed : 0 | 0
EZD0984I IKE function 1A49 - getMyKeyPair() failed : 0 | 0 |
EZD0984I IKE function 0A7C - kep->process_msg() failed : -2 | 0
EZD0984I IKE function 0AC6 - process_phase1_msg() failed : 0 | 0
EZD0984I IKE function 0824 - isakmp_anchor::msg_handler(IKEBuffer *, sa_addr &, sa_addr &, stackObj *) failed : 409 | -1 | process_msg
The cause of the failure is related to the LOCAL IKE certificate that is being read from the IKE keyring certificate cache. The certificate was defined with subjectAltName entries of type otherName:OID instead of IP address, FQDN, etc.
Additional Symptom(s) Search Keyword(s): subject altnames OID
SYSTCPIK component trace collected during the failure shows the following trace record:
Unknown subjectAltName type 7 found; no copy done
Local fix
Create the IKE certificate with subjectAltName entries of type IP address, FQDN, etc. instead of otherName:OID values.
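As an added illustration (not IBM's code and not part of this APAR), the following Python decodes a certificate's SubjectAltName extension value (RFC 5280 SEQUENCE OF GeneralName) and lists entries whose type falls outside the ones the local fix names, so a keyring certificate can be checked for otherName entries before IKED reads it. The sample DER, the OID 1.2.3.4, the host names and the default "recognized" type set are constructed assumptions, not values from the APAR.

```python
# Added example, not IBM's code: classify the GeneralName entries of a
# SubjectAltName extnValue and flag types outside an expected set.
GENERAL_NAME_TAGS = {  # context-specific tag number -> GeneralName alternative (RFC 5280)
    0: "otherName", 1: "rfc822Name", 2: "dNSName", 3: "x400Address",
    4: "directoryName", 5: "ediPartyName", 6: "uniformResourceIdentifier",
    7: "iPAddress", 8: "registeredID",
}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def san_entries(san_der):
    """Decode a SubjectAltName extnValue into (type_name, value) pairs."""
    tag, body, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    entries, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag & 0xC0 != 0x80:             # every GeneralName is a context-specific [n] tag
            raise ValueError("unexpected tag 0x%02x in GeneralName" % tag)
        name = GENERAL_NAME_TAGS.get(tag & 0x1F, "unknown")
        if name in ("rfc822Name", "dNSName", "uniformResourceIdentifier"):
            value = value.decode("ascii")  # IA5String payloads
        elif name == "iPAddress" and len(value) == 4:
            value = ".".join(str(b) for b in value)
        entries.append((name, value))     # otherName is kept as raw DER bytes
    return entries

def flag_unrecognized(san_der, recognized=("iPAddress", "dNSName")):
    """Entries whose type is outside `recognized` (assumed default: the types the local fix names)."""
    return [e for e in san_entries(san_der) if e[0] not in recognized]

def _tlv(tag, payload):
    """DER-encode one short-form TLV; used only to build the constructed sample below."""
    return bytes([tag, len(payload)]) + payload

# Constructed sample SAN: otherName [0] (OID 1.2.3.4 + UTF8String), dNSName [2], iPAddress [7].
SAMPLE_SAN = _tlv(0x30,
    _tlv(0xA0, _tlv(0x06, bytes([0x2A, 0x03, 0x04])) + _tlv(0xA0, _tlv(0x0C, b"ike-gw01")))
    + _tlv(0x82, b"ike-gw01.example.com")
    + _tlv(0x87, bytes([192, 0, 2, 10])))
```

Running flag_unrecognized(SAMPLE_SAN) returns only the otherName entry, the kind of subjectAltName this APAR reports IKED could not process.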
Problem summary
USERS AFFECTED: All users of the IBM Communications Server for z/OS Version 1 Release 13 IKED server's local certificate services.
PROBLEM DESCRIPTION: A phase 1 SA negotiation failed. IKED wrote the following message to syslog: EZD1008I 0368 System SSL CMS call "copy_decoded_cert_extension" failure : 00000001 Handle is not valid.
RECOMMENDATION: Apply PTF.
The phase 1 negotiation failed because the certificate used to authenticate the local security endpoint contained a subjectAltName type that IKED did not recognize.
Please check our Communications Server for OS/390 homepages for common networking tips and fixes. The URL for these homepages can be found in Informational APAR II11334.
Problem conclusion
IKED's local certificate processing is updated to ignore unrecognized subjectAltName types.
Cross Reference between External and Internal Names: EZAIKAUT (ASN@UTIL), EZAIKFIN (FW@INITT), EZAIKPKI (PKI390)
Temporary fix
Comments
APAR Information
APAR number
PI47342
Reported component name
TCP/IP V3 MVS
Reported component ID
5655HAL00
Reported release
1D0
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2015-08-21
Closed date
2015-09-17
Last modified date
2015-12-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI31276 PI51556 PI51557
Modules/Macros
EZAIKAUT EZAIKFIN EZAIKPKI
Fix information
Fixed component name
TCP/IP V3 MVS
Fixed component ID
5655HAL00
Applicable component levels
R1D0 PSY UI31276
UP15/11/21 P F511
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
02 December 2015