Technote (troubleshooting)
Problem(Abstract)
An application that uses Secure Sockets Layer (SSL) communication is being tested with a virtual time defined in the ATF Virtual Clock Data set (VCD). However all attempts to establish an SSL session fail.
Symptom
The exact message issued will vary by application. Typically, it will show that the call to gsk_secure_socket_init() set the return code to 401 (GSK_ERR_BAD_DATE).
Cause
The System SSL functions run in the application's address space. When the Language Environment runtime modules being used for that application are the version updated by the ATF ZAPs (as described in the ATF for z/OS Installation and Customization manual), these functions will use the ATF virtual time for validity checking of all certificates used for a connection. If the virtual time is outside of the start to end range for a certificate, the SSL negotiation will fail.
Resolving the problem
If practical, renew the affected certificate(s) with a date range sufficient to cover the virtual time being used. Otherwise use a copy of the LE runtime modules that have all of the ATF hooks provided in the appropriate ZAP member applied except for those referencing the @@TODMVS CSECT.
.
.
.
REP 000000 0A??
IDRDATA CIKLE1xZ
*
NAME CEEEV003 @@TODMVS
VER 000000 B2051020
REP 000000 0A??
IDRDATA CIKLE1xZ
*
NAME CEEEV003 EDCTZNMV
.
.
.
REP 000000 0A??
IDRDATA CIKLE1xZ
*
NAME CELHV003 @@TODMVS
VER 000000 B2051020
REP 000000 0A??
IDRDATA CIKLE1xZ
*
NAME CELHV003 EDCTZNMV
.
.
.
Rate this page:
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.