z/OS Security Server RACF Messages and Codes
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


IRRI022I

z/OS Security Server RACF Messages and Codes
SA23-2291-00

IRRI022I
RRSF CONNECTION {TO | FROM} system-identifier HAS BEEN REJECTED DUE TO INSUFFICIENT AT-TLS POLICY. THE AT-TLS RULE NAME rule-name IS DISABLED.

Explanation

RACF® remote sharing requires its connections to be covered by an AT-TLS rule. It is AT-TLS that provides the authentication of RRSF nodes to one another, and encryption of traffic across the network. The policy rule that matches this connection (the TTLSRule named rule-name) indicates that AT-TLS should not be used. See z/OS Security Server RACF System Programmer's Guide for more information about ATTLS.

The value for direction can be TO, when the message is issued by the system that initiated the connection, or FROM, when the message is issued by the system that received the connection request.

When the value of direction is TO, system-identifier is expressed as NODE node-name, followed by SYSNAME system-name if the target is a multisystem node.

When the value of direction is FROM, the communication failed before RRSF identified the peer RRSF node and system name, or determined if the peer is a valid RRSF node. Therefore, system-identifier is expressed as PEER, followed by an IP address and a port number, separated by a colon. If necessary, you can use the z/OS® UNIX host command to map the IP address to a host name. See z/OS Communications Server: IP System Administrator's Commands for more information about the z/OS UNIX host command. For example, if the peer information displayed is 1.2.3.4:1026, issue the following command:
$ host 1.2.3.4                                     
EZZ8321I zossys1.xyz.com 1.2.3.4

System action

The connection is rejected. The RRSF connection is placed in the OPERATIVE-PENDING-VERIFICATION state.

System programmer response

After the security administrator updated the AT-TLS policy, try the connection again with the TARGET OPERATIVE command for the failed node and system.

Routing code

2 and 9

Descriptor code

4

RACF Security Administrator Response

Implement AT-TLS policy for this connection and enable the rule. Also, review the AT-TLS policy and ensure that the TTLSEnabled flag, in the TTLSGroupAction statement for the RRSF server and client, rules are set to ON. See z/OS Security Server RACF System Programmer's Guide for information about RACF requirements.

Parent topic: RRSF handshaking messages

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014