IKYI002I   SAF Service IRRSPX00 Returned SAF RC = nn RACF RC = nn RACF RSN = nn {diagnostic-information}

Explanation

A user is requesting PKI Services. The PKIServ web application called the IRRSPX00 SAF callable service as requested. The service was unsuccessful. The diagnostic information that follows the message describes the problem in greater detail.

The text items listed here comprise all of the possible values for diagnostic-information in this message and in message IKYU002I.

1. Incorrect field name specified in CertPlist: <field-name>.
2. <field-name> has an incorrect value.
3. Required field <field-name> missing from the request.
4. Request denied, not authorized.
5. Certificate generation provider is not available [for CA domain <CA-domain-name>].
6. Certificate generation provider indicated the following error: <provider-specific-error-msg>.
7. Incorrect CertId PassPhrase specified.
8. Request has been rejected by the administrator.
9. Request is still pending approval or yet to be issued.
10. Incorrect certificate specified.
11. The certificate could not be {renewed | revoked} because of a state change.
12. Incorrect {CertId | Serial Number} specified.
13. The status of the {request | certificate} has been changed by another process.
14. {CertIds | SerialNums} has an incorrect length.
15. CertAnchor area missing.
16. CertAnchor area too small.
17. CertPlist has an incorrect length.
18. CertPlist DiagInfo field missing or has an incorrect length.
19. Conflicting field names specified in CertPlist: <field-name>.
20. Incorrect action specified.
21. Incorrect status criteria specified.
22. Incorrect transaction ID specified.
23. Incorrect reason specified.
24. Incorrect SerialNum specified.
25. SerialNums has an incorrect length.
26. Summary list or CertPlist area missing.
27. Summary list or CertPlist area too small.
28. A parameter list error has been detected.
29. An internal error has occurred during RACF® processing.
30. Unable to establish recovery environment.
31. Function code specified is not defined.
32. Parameter list version specified is not supported.
33. RACF not installed.
34. Certificate generation provider internal error.
35. Unexpected error.
36. Incorrect value specified for CA domain.
37. Client already preregistered.
38. The ReadyMessageForm or the RecoverForm is not set up correctly. The ReadyMessageForm is required to request a certificate. The RecoverForm is required to recover a certificate whose keys were generated by PKI Services.
39. The email containing the transaction ID link to pick up the certificate was not sent successfully. The requester needs to contact the administrator.
40. The email containing the key ID link to recover the certificate was not sent successfully. The recovery process stops.
41. The requester’s email address for the certificate could not be modified because the key is not generated by PKI Services.
42. The certificate could not be renewed because the requester’s email address has been changed.
43. The certificate could not be deleted from the token data set (TKDS) although it was deleted from the issued certificate list (ICL).

System action

The request is not performed.

User response

Correct the problem if applicable. If you cannot correct the problem, contact your web administrator.

For problem 9, try to retrieve your certificate again later. The amount of time you need to wait depends on your PKI Services operating procedures and settings. If you continue to get this message, contact your PKI Services administrator.

Web administrator response

Problems 1, 2, and 3 probably indicate an error with the certificate template. Change the certificate template definition in the pkiserv.tmpl file to correct the error.

Problem 4 indicates the user ID assigned to the unit of work calling the IRRSPX00 callable service is not RACF-authorized to perform the request. Determine if the user should have access. If so, use RACF commands to permit the user ID to the required resources.

Problem 5 indicates the PKI Services daemon process has not been started. If PKI Services is configured for multiple-CA mode, the CA domain name is displayed as part of the diagnostic information. Start the correct instance of PKI Services; then retry the request.

For problems 6-13, 22, and 24, or for more information about any of the preceding problems, see earlier chapters in this document and z/OS Security Server RACF Callable Services.

For problems 14-21, 23, and 25-35, report the error to the IBM® support center.

For problem 36, PKI Services is configured for multiple-CA mode, but the CA domain name as found in the URL contains characters that cannot be used as a CA domain name. Correct the value in the URL; then retry the request.

Problems 38, 39 and 40 probably indicate an error with the value specified in the ReadyMessageForm or the RecoverForm in the configuration file. Change the value in the pkiserv.conf file to correct the error.

For problem 43, you need to remove the orphaned TKDS objects yourself; for example, by using ICSF panels.

PKI Services administrator response

For problem 9, locate the pending certificate request using the PKI Services administration web pages, and approve or reject the request.
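The response sections above can be applied mechanically when these messages are collected from logs. The following is an added example, not IBM code: it parses the message layout shown at the top of this page, identifies the problem number from the diagnostic text, and returns the responder and action this page assigns to it. It assumes the return and reason codes are printed as decimal digits and that the square brackets in problem 5 mark an optional part of the text; the names `triage`, `DIAG`, `ROUTES`, `HEAD` and `SAMPLES`, the sample lines, their code values and the CA domain name are constructed for illustration.

```python
import re

# Message layout as given on this page (IKYU002I shares the diagnostic texts).
MSG = re.compile(r"IKY[IU]002I\s+SAF Service IRRSPX00 Returned SAF RC = (\d+) "
                 r"RACF RC = (\d+) RACF RSN = (\d+)\s*(.*)")

# Problem number -> regex for its diagnostic text (a subset of the list above).
DIAG = {
    3: r"Required field (?P<field>.+) missing from the request\.",
    4: r"Request denied, not authorized\.",
    5: r"provider is not available(?: for CA domain (?P<domain>.+?))?\.$",
    9: r"Request is still pending approval",
    15: r"CertAnchor area missing\.",
}

# (problem numbers, responder, action) from the response sections; first match wins.
ROUTES = [
    ({9}, "pki-admin", "approve or reject the pending request"),
    ({1, 2, 3}, "web-admin", "fix the certificate template in pkiserv.tmpl"),
    ({4}, "web-admin", "check RACF authorization of the calling user ID"),
    ({5}, "web-admin", "start the correct PKI Services instance, then retry"),
    ({36}, "web-admin", "correct the CA domain name in the URL"),
    ({38, 39, 40}, "web-admin", "fix the form value in pkiserv.conf"),
    ({43}, "web-admin", "remove the orphaned TKDS objects"),
    (set(range(6, 14)) | {22, 24}, "web-admin", "see RACF Callable Services"),
    (set(range(14, 22)) | {23} | set(range(25, 36)), "ibm-support", "report to IBM"),
]

def triage(line):
    """Parse one log line into rc triple, problem number, responder, action."""
    m = MSG.search(line)
    if not m:
        return None  # not an IKYI002I / IKYU002I message
    out = {"rc": tuple(map(int, m.groups()[:3])), "problem": None,
           "who": "unrouted", "action": "compare text with the numbered list"}
    for num, pat in DIAG.items():
        hit = re.search(pat, m.group(4).strip())
        if hit:
            who, action = next(((w, a) for s, w, a in ROUTES if num in s),
                               (out["who"], out["action"]))
            out.update(problem=num, detail=hit.groupdict(), who=who, action=action)
            break
    return out

# Constructed samples; the RC/RSN numbers are placeholders, not real codes.
HEAD = "IKYI002I SAF Service IRRSPX00 Returned SAF RC = 1 RACF RC = 2 RACF RSN = 3 "
SAMPLES = [HEAD + "Certificate generation provider is not available for CA domain Customers.",
           HEAD + "CertAnchor area missing."]
```

Problems 37, 41 and 42 have no specific response on this page, so they stay "unrouted" even if patterns for them are added to `DIAG`.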