Previous topic |
Next topic |
Contents |
Contact z/OS |
Library |
PDF
IRRI031I z/OS Security Server RACF Messages and Codes SA23-2291-00 |
|
IRRI031I RRSF CONNECTION {TO | FROM} system-identifier HAS
BEEN REJECTED BECAUSE RACF COULD
NOT VERIFY AT-TLS POLICY. THE service-name SERVICE DETECTED
A SOCKET EXCEPTION. ExplanationRACF® remote sharing requires its connections to be covered by an AT-TLS rule. It is AT-TLS that provides the authentication of RRSF nodes to one another, and encryption of traffic across the network. RRSF uses the select() service (BPX1SEL) to force the underlying TLS handshake to occur so that the AT-TLS policy for this connection can be verified. The select() returned with a socket exception. There might be a setup error with AT-TLS policy or with the underlying key ring and digital certificates. See the AT-TLS errors section in z/OS Security Server RACF Diagnosis Guide for more information about what you can check. If you cannot determine the cause of the error, contact IBM® service. You might find helpful information for IBM service in the AT-TLS trace records on both the local and remote systems. The value for direction can be TO, when the message is issued by the system that initiated the connection, or FROM, when the message is issued by the system that received the connection request. When the value of direction is TO, system-identifier is expressed as NODE node-name, followed by SYSNAME system-name if the target is a multisystem node. When the value of direction
is FROM, the communication failed before RRSF identified the
peer RRSF node and system name, or even determine if the peer is a
valid RRSF system. Therefore, system-identifier is expressed
as PEER followed by an IP address and a port number, separated
by a colon. If necessary, you can use the z/OS® UNIX host command
to map the IP address to a host name. For example, if the peer information
displayed is 1.2.3.4:1026, issue the following command:
System actionThe connection is rejected. RRSF places the connection into the OPERATIVE-PENDING-VERIFICATION state. System programmer responseAfter the condition is fixed, try the connection again with the TARGET OPERATIVE command for the failed node and system. Routing code2 and 9 Descriptor code4 RACF Security Administrator ResponseThis message usually signifies a setup error with AT-TLS policy or with the underlying key ring and digital certificates. See AT-TLS errors in z/OS Security Server RACF Diagnosis Guide for some things to check. If you are unable to determine the cause of the error, contact IBM service. Look for AT-TLS trace records on both the local and remote systems as these may contain helpful information for IBM service. |
Copyright IBM Corporation 1990, 2014
|