z/OS Security Server RACF Messages and Codes
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


IRRC130I

z/OS Security Server RACF Messages and Codes
SA23-2291-00

IRRC130I
SYSTEM SSL FUNCTION x RETURNED ERROR CODE nnn DURING OPERATION NUMBER opcode WHILE PROCESSING THE [PASSWORD | PASS PHRASE] ENVELOPE FOR USER name.

Explanation

An unexpected error was detected when using System SSL functions to create a PKCS #7 envelope that contains the new password or password phrase for user name.

System action

The system continues processing.

System programmer response

In Table 1, the values of x correspond with the System SSL services that might be called during RACF® processing of password envelopes.
Table 1. System SSL functions
x System SSL function
'00002'X 
gsk_open_keyring
'00004'X 
gsk_get_default_key
'00008'X 
gsk_make_data_content
'00010'X 
gsk_make_signed_data_content
'00020X 
gsk_get_record_by_index
'00040'X 
gsk_make_enveloped_data_content
'00080'X 
gsk_make_content_msg
'01000'X 
gsk_read_content_msg
'02000'X 
gsk_read_signed_data_content
'04000'X 
gsk_read_enveloped_data_content
'08000'X 
gsk_read_data_content
Table 2 shows information about common error conditions.
Table 2. SSL error conditions
x System SSL function nnn Possible cause
'02'X 
gsk_open_keyring
 
'03353009'X
 
IRR.PWENV.KEYRING not defined, or 
specified in incorrect case, or not
owned by the RACF subsystem user ID.
 
'03353017'X
 
The RACF subsystem does not have 
the trusted or privileged attribute, 
and does not have at least READ
authority to IRR.DIGTCERT.LISTRING
in the FACILITY class.
'04'X 
gsk_get_default_key
 
'0335300E'X
 
The certificate for RACF was not added 
to the key ring as the DEFAULT certificate.
'40'X 
gsk_make_enveloped_data_content
 
'03353033'X
 
No recipient certificates have been added 
to the key ring, or the certificates do 
not have TRUST status. 
'03353026'X
 
A certificate was created without the 
KEYUSAGE value of HANDSHAKE.
'4000'X 
gsk_read_enveloped_data_content 
'03353033'X
 
Insure the certificate for RACF is on the
keyring as the DEFAULT and has TRUST status
and KEYUSAGE of HANDSHAKE, DATAENCRYPT,
and DOCSIGN.

Determine the source of the problem by reading the documentation for the failing function (API) and returned error code in ../com.ibm.zos.v2r1.gska100/gsk2aa00.htm. If the problem continues or if the value of x does not appear in Table 1, contact your system support center. The operation number opcode is an internal RACF value that might assist IBM® support in diagnosing the problem.

If more diagnostic data is required, enable System SSL tracing by issuing the subsystem SET TRACE(SYSTEMSSL) command, then have the user attempt to change the password or password phrase again. System SSL trace records are created in a z/OS® UNIX file named /tmp/gskssl.racf.pid.trc, where pid is the process identifier of the RACF task that invoked System SSL. Look for the trace record corresponding to the failing API. See z/OS Security Server RACF Command Language Reference for details about the SET command. See z/OS Cryptographic Services System SSL Programming for information about the System SSL APIs and on collecting trace records.

Routing code

2

Descriptor code

6

Parent topic: RACF subsystem messages

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014