<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="reference" />
<meta name="DC.Title" content="SSL return codes" />
<meta name="abstract" content="This topic lists the system SSL return codes for the most common problems that can occur during SSL initialization or SSL handshake." />
<meta name="description" content="This topic lists the system SSL return codes for the most common problems that can occur during SSL initialization or SSL handshake." />
<meta name="DC.Relation" scheme="URI" content="rzaiwtroubles.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahurzahu401usingdcm.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahumngsyscertapp.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahurzahu437completenewstore.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahurzahu461installcacert.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahurzahu4anactingownca.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahurzahu444worksecureapps.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaiwchksys.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaiwsslre" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>SSL return codes</title>
</head>
<body id="rzaiwsslre"><a name="rzaiwsslre"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">SSL return codes</h1>
<div><p>This topic lists the system SSL return codes for the most common
problems that can occur during SSL initialization or SSL handshake.</p>
<div class="section"><p><strong>Before using the following return code table,</strong></p>
<ul><li>You need to find the SSL return code in the QTVTELNET job log.</li>
<li>In some cases, you will need to Work with the Digital Certificate Manager
configuration to correct problems with Certificate Authority (CA) certificates
or system certificates.</li>
<li>When you copy the CA certificate information for your Telnet SSL client,
remember to include the lines containing the words BEGIN CERTIFICATE and END
CERTIFICATE.</li>
</ul>
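<p>The following check is an added example, not part of the original IBM topic or of any IBM tool. It tests whether pasted CA certificate text kept its BEGIN CERTIFICATE and END CERTIFICATE lines and a complete body; the function names and the constructed sample data are assumptions made for illustration.</p>

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def der_total_length(der):
    """Return the total size declared by the outer DER SEQUENCE header, or None."""
    if len(der) >= 2 and der[0] == 0x30:          # 0x30 = SEQUENCE tag
        first = der[1]
        if first >= 0x80:                         # long form: n length bytes follow
            n = first - 0x80
            if n in (1, 2, 3, 4) and len(der) >= 2 + n:
                return 2 + n + int.from_bytes(der[2:2 + n], "big")
            return None
        return 2 + first                          # short form
    return None

def check_pasted_ca_cert(text):
    """Return a list of problems in a pasted PEM certificate (empty list = OK)."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    problems = []
    if not lines or lines[0] != BEGIN:
        problems.append("missing BEGIN CERTIFICATE line")
    if not lines or lines[-1] != END:
        problems.append("missing END CERTIFICATE line")
    body = "".join(ln for ln in lines if not ln.startswith("-----"))
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return problems + ["body is not valid base64 (truncated or altered paste)"]
    declared = der_total_length(der)
    if declared is None:
        problems.append("decoded data is not a DER SEQUENCE")
    elif declared != len(der):
        problems.append(f"DER length mismatch: header says {declared}, got {len(der)}")
    return problems

def make_sample_pem():
    """Constructed stand-in: a DER SEQUENCE around filler bytes, not a real certificate."""
    payload = bytes(range(200))
    der = b"\x30\x81" + bytes([len(payload)]) + payload
    b64 = base64.b64encode(der).decode()
    chunks = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *chunks, END])

if __name__ == "__main__":
    sample = make_sample_pem().splitlines()
    print(check_pasted_ca_cert("\n".join(sample[1:-1])))   # armor lines left out
```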
<p><strong>Common return codes</strong></p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 1. Common return codes</caption><thead align="left"><tr><th valign="top" width="20%" id="d0e37">Return code</th>
<th valign="top" width="80%" id="d0e39">Description</th>
</tr>
</thead>
<tbody><tr><td valign="top" width="20%" headers="d0e37 ">-2</td>
<td valign="top" width="80%" headers="d0e39 "><span class="uicontrol">No system certificate is available for SSL processing</span>.
The Telnet server successfully initializes SSL, but the SSL handshake fails.
There is no signon panel in the SSL Telnet client window. The QIBM_QTV_TELNET_SERVER
application does not have an assigned system certificate. <p>View the system
certificate and check that the value <samp class="codeph">Yes</samp> shows in the Certificate
assigned column. If the value is <samp class="codeph">No</samp>, create a system certificate
for the QIBM_QTV_TELNET_SERVER application.</p>
</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e37 ">-4</td>
<td valign="top" width="80%" headers="d0e39 "><span class="uicontrol">The CA certificate or system certificate is bad</span>.
The system certificate is not private or trusted. The Private Key and Trusted
fields on the server certificate are not correct. The Telnet SSL client window
has no signon panel. <p>Add Certificate Authority (CA) information in your
Telnet SSL client. If you are using iSeries™ Access for Windows<sup>®</sup> as
your Telnet SSL client, see Manage public Internet certificates for SSL communication
sessions. Otherwise, see Obtain a copy of the private CA certificate for instructions.</p>
</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e37 ">-16</td>
<td valign="top" width="80%" headers="d0e39 "><span class="uicontrol">The peer system is not recognized</span>. This problem
is the most common problem when a Telnet SSL client first attempts to establish
an SSL session. The Telnet SSL client window has no sign-on panel. <p>Add
Certificate Authority (CA) certificate information to your Telnet SSL client.</p>
</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e37 ">-18</td>
<td valign="top" width="80%" headers="d0e39 "><span class="uicontrol">The system certificate is self-signed and the server is using
it as a CA certificate</span>. The system certificate assigned to the
QIBM_QTV_TELNET_SERVER application must be trusted, signed by a certificate
authority, and used within the valid time period. You need to create a CA
certificate and associate it with the system certificate. The Telnet server
does not initialize SSL if the system certificate is incorrect. <p>Create
a CA certificate and associate it with the system certificate.</p>
</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e37 ">-23</td>
<td valign="top" width="80%" headers="d0e39 "><span class="uicontrol">The system certificate is not signed by a trusted certificate
authority</span>. The system certificate assigned to the QIBM_QTV_TELNET_SERVER
application must be trusted, signed by a certificate authority, and used within
the valid time period. <p>Change the CA certificate to Trusted. For instructions,
see Manage applications in DCM.</p>
</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e37 ">-24</td>
<td valign="top" width="80%" headers="d0e39 "><span class="uicontrol">The valid time period of the CA certificate has expired</span>.
You are using an out-of-date certificate. The Telnet SSL client window has
no signon panel. <p>Renew the CA certificate that was used to build the system
certificate.</p>
</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e37 ">-93</td>
<td valign="top" width="80%" headers="d0e39 "><span class="uicontrol">SSL is not available for use</span>. Telnet SSL clients
cannot connect to a host because there is no active SSL listener. <p>Install
software requirements to support Telnet SSL and to manage certificates. For
instructions, see Check system status.</p>
</td>
</tr>
</tbody>
</table>
</div>
<p><strong>Other SSL return codes</strong></p>
<p>For the SSL return codes in
the following table, use the Digital Certificate Manager to verify that the
digital certificates meet these requirements:</p>
<ul><li>The CA certificate is valid and has not expired.</li>
<li>The Telnet server application QIBM_QTV_TELNET_SERVER has a value of Yes
in the Certificate Assigned column.</li>
<li>A certificate authority signs the system certificate.</li>
<li>The system certificate is trusted.</li>
<li>The system certificate is used within the timeframe stated on the certificate.</li>
</ul>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 2. Other SSL return codes</caption><thead align="left"><tr><th valign="top" width="20%" id="d0e141">Return code</th>
<th valign="top" width="80%" id="d0e143">Description</th>
</tr>
</thead>
<tbody><tr><td valign="top" width="20%" headers="d0e141 ">-1</td>
<td valign="top" width="80%" headers="d0e143 ">No ciphers are available or specified</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e141 ">-6</td>
<td valign="top" width="80%" headers="d0e143 ">i5/OS<sup>®</sup> does
not support the certificate type</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e141 ">-10</td>
<td valign="top" width="80%" headers="d0e143 ">An error occurred in SSL processing. In the job log, check the CPE<var class="varname">xxxx</var> message
where <var class="varname">xxxx</var> is the sockets error value.</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e141 ">-11</td>
<td valign="top" width="80%" headers="d0e143 ">SSL received a badly formatted message</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e141 ">-12</td>
<td valign="top" width="80%" headers="d0e143 ">A bad message authentication code was received</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e141 ">-13</td>
<td valign="top" width="80%" headers="d0e143 ">Operation is not supported by SSL</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e141 ">-14</td>
<td valign="top" width="80%" headers="d0e143 ">The certificate signature is not valid</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e141 ">-15</td>
<td valign="top" width="80%" headers="d0e143 ">The certificate is bad</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e141 ">-17</td>
<td valign="top" width="80%" headers="d0e143 ">Permission was denied to access object</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e141 ">-20</td>
<td valign="top" width="80%" headers="d0e143 ">Unable to allocate storage required for SSL processing</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e141 ">-21</td>
<td valign="top" width="80%" headers="d0e143 ">SSL detected a bad state in the SSL session</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e141 ">-22</td>
<td valign="top" width="80%" headers="d0e143 ">The socket used by the SSL connection has been closed</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e141 ">-25</td>
<td valign="top" width="80%" headers="d0e143 ">The date in the certificate is in a bad format</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e141 ">-26</td>
<td valign="top" width="80%" headers="d0e143 ">The key length is bad for export</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e141 ">-90</td>
<td valign="top" width="80%" headers="d0e143 ">Not a key ring file</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e141 ">-91</td>
<td valign="top" width="80%" headers="d0e143 ">The password in the key database has expired</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e141 ">-92</td>
<td valign="top" width="80%" headers="d0e143 ">Certificate is not valid or was rejected by the exit program</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e141 ">-94</td>
<td valign="top" width="80%" headers="d0e143 ">SSL_Init() was not previously invoked for the job</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e141 ">-95</td>
<td valign="top" width="80%" headers="d0e143 ">There is no key ring for SSL initialization</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e141 ">-96</td>
<td valign="top" width="80%" headers="d0e143 ">SSL is not enabled</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e141 ">-97</td>
<td valign="top" width="80%" headers="d0e143 ">The specified cipher suite is not valid</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e141 ">-98</td>
<td valign="top" width="80%" headers="d0e143 ">The SSL session ended</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e141 ">-99</td>
<td valign="top" width="80%" headers="d0e143 ">An unknown or unexpected error occurred during SSL processing</td>
</tr>
<tr><td valign="top" width="20%" headers="d0e141 ">-1010</td>
<td valign="top" width="80%" headers="d0e143 ">Double encryption is not allowed when using AC2 and IP-SEC</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaiwtroubles.htm" title="This topic gives you detailed information about troubleshooting your SSL server including system SSL return codes and a list of common SSL problems.">Troubleshoot your Telnet SSL server</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="../rzahu/rzahurzahu401usingdcm.htm">Work with the Digital Certificate Manager configuration</a></div>
<div><a href="../rzahu/rzahumngsyscertapp.htm">Manage the certificate assignment for an application</a></div>
<div><a href="../rzahu/rzahurzahu437completenewstore.htm">Manage public Internet certificates for SSL communication sessions</a></div>
<div><a href="../rzahu/rzahurzahu4anactingownca.htm">Create and operate a Local Certificate Authority</a></div>
<div><a href="../rzahu/rzahurzahu444worksecureapps.htm">Manage applications in DCM</a></div>
<div><a href="rzaiwchksys.htm" title="This topic lists the steps to follow to check system status.">Check system status</a></div>
</div>
<div class="relref"><strong>Related reference</strong><br />
<div><a href="../rzahu/rzahurzahu461installcacert.htm">Obtain a copy of the private CA certificate</a></div>
</div>
</div>
</body>
</html>