Further info.
I created 2 CSRs using GSKKYMAN and specifying all the needed ALTNAME values. I exported them to files and then did RACDCERT IMPORTs to get them into RACF. I signed them with the needed CA cert and then exported them again. I then imported them back into GSKKYMAN and then exported the cert and keys using a PKCS12B64 package. I then used that package to add the certificates back into RACF. I then connected them to the necessary rings.
Now it all works.
Took a while though.
Original Message:
Sent: Mon April 28, 2025 09:06 AM
From: Lennie Dymoke-Bradshaw
Subject: CKNSERVE produces "CKN036I 12 Connect to S0W1 failed on socket 1 RC 1127 connection timed out"
Mike,
Thanks for the advice. After much testing and comparisons of values across the systems, I think I know what went wrong.
The system S0W3 is a new z/OS instance I have defined. It was cloned from S0W2 (which itself was cloned from S0W1). In order to get it to work I had to make multiple changes to various files in support of that naming. I am trying to get as much as possible in system variables.
Anyway, in order to get CKNSERVE to work I needed Client and Server certificates. However, on S0W3 they had an ALTNAME of S0W2. So I deleted those and defined them with S0W3, re-added to Keyrings and so on.
It appears that this causes me to fall into this trap,
https://www.ibm.com/support/pages/ezd1287i-ttls-error-rc-5002-and-ich408i-digital-certificate-not-defined
On S0W1 and S0W2 the cert serial numbers are the same. On S0W3 it is different.
That document is complicated. However, it appears that it offers several solutions, the simplest of which is to export the Server and Client certificates from the first system and then RACDCERT ADD them to the other systems. That seems the simplest solution, but it will only work if I can define those certs with multiple ALTNAME DOMAIN parameters, as the ALTNAME DOMAIN is matched against the ZSECSYS name in CKNODES.
I don't think RACDCERT GENCERT supports multiple alternate names, so that solution cannot work. Or have I missed something?
Lennie
------------------------------
Lennie Dymoke-Bradshaw
Director
Reverse Sweep Consulting Limited
07504304158
Original Message:
Sent: Thu April 24, 2025 03:31 AM
From: Mike Riches
Subject: CKNSERVE produces "CKN036I 12 Connect to S0W1 failed on socket 1 RC 1127 connection timed out"
Hi Lennie,
0291 is the hex errnojr, as documented here: https://www.ibm.com/docs/en/zos/3.1.0?topic=errnojrs-zos-unix-reason-codes
It means:
JrTcpError
Tcp returned an error identified by the return code.
Therefore the real error you need to investigate is the RC 1127 - ETIMEDOUT Connection timed out.
This means that no responses to the outbound SYN packets to establish the TCP connection with 192.168.11.100..7173 were received.
This suggests to me that the SYN packets did not reach the destination IP address. An IP packet trace at both ends, filtered on PORTNUM=7173, would confirm this.
Regards,
------------------------------
Mike Riches
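As an added illustration of the decoding Mike describes (this is example code written for this thread, not part of zSecure or any IBM tool), the parser below pulls the RC and the 8-hex-digit reason code out of a CKN036I connect-failure line, splits the reason into its high halfword (a qualifier not intended for user lookup) and its low halfword (the errnojr that is documented in the z/OS UNIX reason-code table), and names the two values that appear in this thread: RC 1127 = ETIMEDOUT and errnojr x'0291' = JrTcpError. The sample message and the small lookup tables are constructed for the example and cover only the codes quoted above; the regular expression and function names are my own.

```python
import re

# Constructed sample: the two wrapped lines quoted earlier in the thread, joined.
SAMPLE_MESSAGE = (
    "CKN036I 12 Connect to S0W1 failed on socket 1 RC 1127 connection timed out, "
    "reason 769E 0291x TCP error, contacting port 7173 of 192.168.11.100"
)

# Minimal lookups built from the values named in this thread; NOT a complete
# table of z/OS UNIX errno / errnojr codes. Extend from the IBM documentation.
ERRNO_NAMES = {
    1127: ("ETIMEDOUT", "Connection timed out"),
}
ERRNOJR_NAMES = {
    0x0291: ("JrTcpError", "TCP returned an error identified by the return code"),
}

# Hypothetical pattern for the CKN036I connect-failure text as it appears above.
CKN036I_RE = re.compile(
    r"CKN036I\s+(?P<suffix>\d+)\s+Connect to\s+(?P<system>\S+)\s+failed on socket\s+(?P<socket>\d+)"
    r"\s+RC\s+(?P<rc>\d+)\s+(?P<rc_text>.*?),\s+reason\s+(?P<qualifier>[0-9A-Fa-f]{4})\s*"
    r"(?P<errnojr>[0-9A-Fa-f]{4})x\s+(?P<reason_text>.*?),\s*contacting port\s+(?P<port>\d+)"
    r"\s+of\s+(?P<ip>[\d.]+)"
)


def parse_ckn036i(line: str) -> dict:
    """Decode one CKN036I message, tolerating the line wrap seen in SYSLOG copies."""
    text = " ".join(line.split())  # collapse the wrapped lines into one
    m = CKN036I_RE.search(text)
    if not m:
        raise ValueError("not a CKN036I connect-failure message")
    g = m.groupdict()
    rc = int(g["rc"])
    errnojr = int(g["errnojr"], 16)  # low halfword of the reason code is the errnojr
    return {
        "target_system": g["system"],
        "socket": int(g["socket"]),
        "rc": rc,
        "rc_name": ERRNO_NAMES.get(rc, ("UNKNOWN", g["rc_text"]))[0],
        "reason_qualifier": g["qualifier"].upper(),  # high halfword, IBM-internal
        "errnojr": errnojr,
        "errnojr_name": ERRNOJR_NAMES.get(errnojr, ("UNKNOWN", g["reason_text"]))[0],
        "port": int(g["port"]),
        "ip": g["ip"],
    }


def diagnose(line: str) -> str:
    """One-line triage summary; for ETIMEDOUT it points at the SYN path, as in the thread."""
    p = parse_ckn036i(line)
    base = (f"connect to {p['ip']}:{p['port']} ({p['target_system']}) failed: "
            f"RC {p['rc']} {p['rc_name']}, errnojr x'{p['errnojr']:04X}' {p['errnojr_name']}")
    if p["rc_name"] == "ETIMEDOUT":
        return base + f"; no reply to outbound SYN - packet-trace both ends on PORTNUM={p['port']}"
    return base


if __name__ == "__main__":
    print(diagnose(SAMPLE_MESSAGE))
```

The point of splitting the reason code rather than eyeballing it is exactly the mistake in the original question: reading "9E" out of the middle of 769E 0291 lands in the wrong table, while taking the low halfword x'0291' lands on JrTcpError, which says the errno (1127) is the value to chase.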
Original Message:
Sent: Wed April 23, 2025 11:35 AM
From: Lennie Dymoke-Bradshaw
Subject: CKNSERVE produces "CKN036I 12 Connect to S0W1 failed on socket 1 RC 1127 connection timed out"
I have three systems S0W1, S0W2 and S0W3. The first 2 of them connect using CKNSERVE. I cannot get the third (S0W3) to work. It will successfully self-connect however.
I suspect I have some silly error somewhere. I am getting this message,
CKN036I 12 Connect to S0W1 failed on socket 1 RC 1127 connection timed out, reason 769E 0291x TCP error,
contacting port 7173 of 192.168.11.100
The link works I am sure as I am using NJE over TCP/IP and AT/TLS.
I have removed firewalls and it makes no difference.
I cannot find out what those codes 769E 0291 mean. I think I should discard the first 2 digits and look up the 9E in the Unix Messages and codes manual. Sadly there is a 9D and a 9F.
Anyone have any ideas what I have done wrong?
Lennie
------------------------------
Lennie Dymoke-Bradshaw
Director
Reverse Sweep Consulting Limited
07504304158
------------------------------