IBM Security Z Security

 View Only
Expand all | Collapse all

RACF keyring/certificate problems only with Java - is there a trace I can use?

  • 1.  RACF keyring/certificate problems only with Java - is there a trace I can use?

    Posted 28 days ago

    I have a keyring and certificates which work fine from AT-TLS etc.   If I try to use it with z/OSMF I get messages from Java.

    [ERROR   ] CWPKI0033E: The keystore located at safkeyringjcehybrid:///CCPKeyring.IZUDFLT did not load because of the following error: Errors encountered loading 
    keyring. Keyring could not be loaded as a JCECCARACFKS or  JCERACFKS keystore. 

    What traces can I use to find out?  I'm happy collecting RACF traces, and GSK Traces, but I didnt capture any information.

    Is there a Java trace I can use?

    It looks like only RSA certificates are supported.

    If I use

    RACDCERT ID(COLIN) GENCERT - 
      SUBJECTSDN(CN('10.1.1.2') - 
                 O('NISTEC224') - 
                 OU('SSS')) - 
       ALTNAME(IP(10.1.1.2))- 
       NISTECC - 
       SIZE(224 ) - 
       SIGNWITH (CERTAUTH LABEL('DOCZOSCA')) - 
       WITHLABEL('NISTEC224')      

    Java fails .. If I use a certificate with RSA instead of NISTECC it works.



    ------------------------------
    Colin Paice
    Retired
    Stromness
    ------------------------------


  • 2.  RE: RACF keyring/certificate problems only with Java - is there a trace I can use?

    Posted 28 days ago

    I found the solution, and blogged about it.   Ive also raised a few doc comments



    ------------------------------
    Colin Paice
    Retired
    Stromness
    ------------------------------