z/OS Security Server RACF Messages and Codes


ICH444I

SA23-2291-00

ICH444I
The program contains an incorrect certificate chain. Reason code X'rsncode'.

Explanation

When a program is signed during the bind process, the program object contains a digital signature and the digital certificate chain for the user who performed the program bind. This message indicates that the digital certificate chain is incorrect.

The reason code in this message indicates the reason for the failure. This reason code originates from the R_PgmSignVer callable service (IRRSPS00), which is called to verify the signature and certificate chain when the program is loaded. The topic at ../com.ibm.zos.v2r1.ichd100/ich2d110.htm documents a specific set of return and reason codes for function code X'0007' (VERFINAL). The relevant reason codes are documented under SAF return code 8 and RACF® return code 16.
Note:
  1. The program name is identified in message ICH440I or ICH441I. One of these messages precedes this message.
  2. This message is only issued if the audit specifications, in the SIGVER segment of the PROGRAM profile, result in the specific condition being audited.
  3. There might also be diagnostic information in a LOGREC record.

System action

If message ICH441I precedes this message, the program load continues. If message ICH440I precedes this message, the load fails.
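
The pairing rule above can be applied when triaging a log extract. The following is an added example, not IBM code: it assumes one message per line and that the most recent ICH440I or ICH441I before an ICH444I belongs to it. The function name `triage`, the sample records, and the reason code values are constructed for illustration.

```python
import re

# ICH440I / ICH441I precede ICH444I and decide the outcome (per the page).
OUTCOME = {"ICH440I": "load failed", "ICH441I": "load continued"}
MSG = re.compile(r"\b(ICH44[014]I)\b\s*(.*)")
REASON = re.compile(r"Reason code X'([0-9A-Fa-f]+)'")

def triage(lines):
    """Pair every ICH444I with the ICH440I/ICH441I seen before it."""
    events, pending = [], None
    for line in lines:
        m = MSG.search(line)
        if not m:
            continue                      # unrelated record
        msg_id, text = m.group(1), m.group(2).strip()
        if msg_id in OUTCOME:
            pending = (msg_id, text)      # text is kept opaque; it names the program
            continue
        rc = REASON.search(text)          # msg_id is ICH444I here
        events.append({
            "outcome": OUTCOME[pending[0]] if pending else "unknown",
            "preceded_by": pending[0] if pending else None,
            "context": pending[1] if pending else "",
            "reason_code": rc.group(1).upper() if rc else None,
        })
        pending = None                    # one preceding message per ICH444I
    return events

# Constructed sample records: the ICH440I/ICH441I texts and the reason code
# values are placeholders, not real message text or documented codes.
CHAIN = "ICH444I The program contains an incorrect certificate chain. Reason code "
SAMPLE = [
    "ICH441I <constructed text naming program PGMA>",
    CHAIN + "X'00000001'.",
    "unrelated constructed record",
    "ICH440I <constructed text naming program PGMB>",
    CHAIN + "X'0000000a'.",
    CHAIN + "X'00000002'.",               # no preceding message in this extract
]

if __name__ == "__main__":
    for event in triage(SAMPLE):
        print(event)
```

An "unknown" outcome means the extract did not contain the preceding message, so the program name and the load result have to be recovered from the full log.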

Routing code

9 and 11

Descriptor code

6

RACF Security Administrator Response

Inform the provider of the program with the information in this message. Either the program was not built correctly, or it was modified. A new copy of the module with the correct signature and certificate chain is required.

You can temporarily bypass this error in any of the following ways:
  • If the load fails, change the SIGVER segment of the RACF PROGRAM class profile that protects this program to specify FAILLOAD(NEVER). This change enables the program to continue.
  • Specify SIGAUDIT(NONE) or NOSIGAUDIT to stop this message being issued for this program again.
  • Remove the SIGVER segment from the PROGRAM class profile.
  • Delete the PROGRAM class profile if it is not being used to restrict or audit access to the program.
Note: The current security policy flagged this condition as an error. Bypassing the error prevents this message from being issued when the program is loaded, but reduces system security and does not resolve the problem. Once you resolve the problem, revisit your FAILLOAD and SIGAUDIT settings.





Copyright IBM Corporation 1990, 2014