IBM Support

IBM i ACS SSL Connections Fail with MSGGEN004

Troubleshooting


Problem

IBM i Access Client Solutions (ACS) SSL connections fail with MSGGEN004: "An unexpected end of the file or stream has been encountered (SSL peer shut down incorrectly)".

Symptom

IBM i ACS configured to use SSL fails with MSGGEN004: "An unexpected end of the file or stream has been encountered (SSL peer shut down incorrectly)". The failure may be intermittent, depending on which function is being used, or may first appear after a system upgrade.

Cause

The MSGGEN004 error can have various causes. The following are common:
1. The SSL configuration within DCM is incomplete.
2. The system was upgraded to a new version of the IBM i OS.
3. The SSL system values QSSLCSL, QSSLCSLCTL, and QSSLPCL are set to values that are disabled within System SSL (SSLCONFIG and TLSCONFIG at 7.4).
4. Individual server applications within DCM have specific protocols and ciphers set that are outdated.

Environment

IBM i ACS configured to use SSL for connections to IBM i OS.

Diagnosing The Problem

Investigate the SSL configuration of the system: verify that the configuration within DCM is correct and that the SSL system values are set to values that are not disabled by System SSL. Communications tracing may also be helpful.
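
Added example (not IBM code): a client-side probe, run from the workstation where ACS fails, that attempts one handshake per protocol version against each TLS port and separates an abrupt close (the condition behind MSGGEN004) from a TLS-level failure. The ports are supplied by the caller; which ports your host servers and Telnet server listen on is an assumption to confirm on your system.

```python
import socket
import ssl
import sys

VERSIONS = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}

def probe(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to a single protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Diagnostic only: we look at negotiation, so certificate trust is not checked.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = VERSIONS[version]
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("no_tcp", str(exc))
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ("ok", f"{tls.version()} {tls.cipher()[0]}")
    except (ssl.SSLEOFError, ConnectionError) as exc:
        # Server dropped the connection without a TLS alert: the condition
        # ACS reports as "SSL peer shut down incorrectly".
        return ("peer_closed", str(exc))
    except ssl.SSLError as exc:
        # Handshake failed at the TLS level (typically an alert such as
        # no shared protocol or cipher).
        return ("tls_error", exc.reason or str(exc))
    except OSError as exc:
        return ("io_error", str(exc))
    finally:
        raw.close()

def scan(host, ports):
    """Probe every port with every version; returns {(port, version): (status, detail)}."""
    return {(p, v): probe(host, p, v) for p in ports for v in VERSIONS}

if __name__ == "__main__":
    # Usage: python probe.py <host> <port> [<port> ...]
    host, ports = sys.argv[1], [int(a) for a in sys.argv[2:]]
    for (port, version), (status, detail) in scan(host, ports).items():
        print(f"{host}:{port} {version:8} {status:12} {detail}")
```

A port that reports peer_closed for every version points at that server application's DCM configuration; a port that succeeds on one version only points at the protocol and cipher settings.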

Resolving The Problem

MSGGEN004 generally means there is a configuration issue within SSL that affects all SSL connections. As mentioned above, this error has various causes. Analysis of communications traces and a review of the entire SSL configuration are needed to determine what is not configured correctly. Confirm that all IBM i Host Communications Servers and the Telnet server have a valid certificate assigned. If the needed server application doesn't have a certificate assigned, MSGGEN004 will be triggered.

If you have just upgraded to a new IBM i operating system release, note that new releases change what is enabled and disabled within System SSL (especially 7.4). Upgrading to 7.4 is the most common cause of this error, as it introduces major changes to System SSL: 7.4 introduces TLSv1.3 and disables most TLSv1.2 ciphers. If your QSSLCSL and QSSLPCL system values are still set to older protocols and ciphers that are now disabled, MSGGEN004 will be triggered. The common issue has been that the QSSL system values were migrated from the older release and are no longer valid at 7.4. The best solution is to set the QSSLCSL, QSSLCSLCTL, and QSSLPCL system values to *OPSYS (system defaults) to match the new defaults shipped in System SSL with 7.4.

Another possibility is that server applications within DCM have been changed from *PGM and have specific protocols and ciphers set as well. Older protocols and ciphers can be re-enabled, but IBM does not suggest this because it weakens the security of your system. For further instructions, refer to the following documentation: Configuring Your IBM i System Secure Sockets Layer (SSL)/Transport Layer Security (TLS) Protocols and Cipher Suites.


Document Information

Modified date:
11 October 2022

UID

nas8N1021428