z/OS Security Server RACF Messages and Codes
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


IRRI031I

z/OS Security Server RACF Messages and Codes
SA23-2291-00

IRRI031I
RRSF CONNECTION {TO | FROM} system-identifier HAS BEEN REJECTED BECAUSE RACF COULD NOT VERIFY AT-TLS POLICY. THE service-name SERVICE DETECTED A SOCKET EXCEPTION.

Explanation

RACF® remote sharing requires its connections to be covered by an AT-TLS rule. It is AT-TLS that provides the authentication of RRSF nodes to one another, and encryption of traffic across the network. RRSF uses the select() service (BPX1SEL) to force the underlying TLS handshake to occur so that the AT-TLS policy for this connection can be verified. The select() returned with a socket exception.

There might be a setup error with AT-TLS policy or with the underlying key ring and digital certificates. See the AT-TLS errors section in z/OS Security Server RACF Diagnosis Guide for more information about what you can check. If you cannot determine the cause of the error, contact IBM® service. You might find helpful information for IBM service in the AT-TLS trace records on both the local and remote systems.

The value for direction can be TO, when the message is issued by the system that initiated the connection, or FROM, when the message is issued by the system that received the connection request.

When the value of direction is TO, system-identifier is expressed as NODE node-name, followed by SYSNAME system-name if the target is a multisystem node.

When the value of direction is FROM, the communication failed before RRSF identified the peer RRSF node and system name, or even determine if the peer is a valid RRSF system. Therefore, system-identifier is expressed as PEER followed by an IP address and a port number, separated by a colon. If necessary, you can use the z/OS® UNIX host command to map the IP address to a host name. For example, if the peer information displayed is 1.2.3.4:1026, issue the following command:
$ host 1.2.3.4                                     
EZZ8321I zossys1.xyz.com 1.2.3.4

System action

The connection is rejected. RRSF places the connection into the OPERATIVE-PENDING-VERIFICATION state.

System programmer response

After the condition is fixed, try the connection again with the TARGET OPERATIVE command for the failed node and system.

Routing code

2 and 9

Descriptor code

4

RACF Security Administrator Response

This message usually signifies a setup error with AT-TLS policy or with the underlying key ring and digital certificates. See AT-TLS errors in z/OS Security Server RACF Diagnosis Guide for some things to check. If you are unable to determine the cause of the error, contact IBM service. Look for AT-TLS trace records on both the local and remote systems as these may contain helpful information for IBM service.

Parent topic: RRSF handshaking messages

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014