You can look up RC 428 in the System SSL return codes manual. https://www.ibm.com/support/knowledgecenter/SSLTBW_2.3.0/com.ibm.zos.v2r3.gska100/id428.htm
Return codes in the 5xxx range are from AT-TLS and in the Comms Server manuals.

System SSL 428 means that the owner of the certificate does not have access to the private key. Make sure the keyring and certificate have the correct owner userid. Check the keyring has the expected certificate and the CA(s) that signed it.

You may or may not need a client certificate. If you have configured the FTP server to authenticate by mapping the client certificate to a userid you do need the client certificate. This is mutual authentication. If you are not using the client certificate for user authentication it is not needed.

Mike Wawiorko

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Roberto Halais
Sent: 28 September 2020 15:21
To: [email protected]
Subject: FTPS Handshake Error

Listers:

I am a bit stumped with this syslog error message at the server side of an ftps connection:

EZD1285I TTLS Data CONNID: 06D2A8A0 RECV CIPHER 160303008F
EZD1285I TTLS Data CONNID: 06D2A8A0 RECV CIPHER 0100008B03035F71E9D266E9EBC723DE2DE3C4FC1E352E22A9E403C2CEADC2B74B5C158F8A600000
EZD1285I TTLS Data CONNID: 06D2A8A0 SEND CIPHER 15030300020250
EZD1284I TTLS Flow GRPID: 00000006 ENVID: 0000001D CONNID: 06D2A8A0 *RC: 428* Call GSK_SECURE_SOCKET_INIT - 0000005011424E50
EZD1283I TTLS Event GRPID: 00000006 ENVID: 0000001D CONNID: 06D2A8A0 *RC: 428* Initial Handshake 0000000000000000 0000005011421A1

We are doing an FTPS from one client lpar to a server lpar. We coded our policy agent rules and ftp client/server parameters. We created a CA certificate and a user certificate signed by the CA. The ftps stc owner is the same owner of the keyring. The lpars share the same Top Secret environment so both lpars see the same keyring.
In the policy agent rules do we have to specify the certificate labels or will it just use the DEFAULT certificate specified in the keyring?

We have debugged many errors but this one has proven a challenge for us. Any documentation or policy agent samples that you can lead me to will be appreciated.

Thank you.

Roberto

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
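Added example (not part of either message in the thread): a small Python decoder that reads the EZD1285I trace entries from the original post as TLS records and pairs them with the RC lines. The record and alert numbers are from the TLS 1.2 specification; treating a bare five-byte entry as a record header whose body arrives in the next entry, and the function names, are assumptions made for this example.

```python
import re

# Values from the TLS 1.2 specification (RFC 5246); only the ones needed here.
CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE = {1: "client_hello", 2: "server_hello", 11: "certificate"}
ALERT = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
         48: "unknown_ca", 80: "internal_error"}

DATA_RE = re.compile(r"EZD1285I TTLS Data CONNID: (\w+) (RECV|SEND) CIPHER ([0-9A-F]+)")
RC_RE = re.compile(r"(EZD128[34]I) TTLS \w+ .*?CONNID: (\w+) \*?RC: +(\d+)")

def describe(ctype, body):
    """Describe the start of a record body for the given content type."""
    if ctype == 22 and body:
        return "handshake " + HANDSHAKE.get(body[0], f"type {body[0]}")
    if ctype == 21 and len(body) >= 2:
        level = {1: "warning", 2: "fatal"}.get(body[0], str(body[0]))
        return f"alert {level} {ALERT.get(body[1], body[1])}"
    return CONTENT.get(ctype, f"content type {ctype}")

def decode_trace(lines):
    """Return (connid, direction or message id, description) tuples in trace order."""
    events, pending = [], {}  # pending: header seen, body expected in next entry
    for line in lines:
        if m := DATA_RE.search(line):
            connid, direction, hexdata = m.groups()
            data = bytes.fromhex(hexdata[: len(hexdata) // 2 * 2])
            key = (connid, direction)
            if key in pending:        # body traced separately from its header
                events.append((connid, direction, describe(pending.pop(key), data)))
            elif len(data) == 5:      # bare 5-byte record header (assumption)
                pending[key] = data[0]
            elif data:                # header and body in one entry
                events.append((connid, direction, describe(data[0], data[5:])))
        elif m := RC_RE.search(line):
            msgid, connid, rc = m.groups()
            # 5xxx is AT-TLS per the reply; other codes treated as System SSL (assumption)
            source = "AT-TLS" if 5000 <= int(rc) <= 5999 else "System SSL"
            events.append((connid, msgid, f"RC {rc} ({source})"))
    return events

# Trace lines from the post; the ClientHello body is shortened to six bytes.
SAMPLE = [
    "EZD1285I TTLS Data CONNID: 06D2A8A0 RECV CIPHER 160303008F",
    "EZD1285I TTLS Data CONNID: 06D2A8A0 RECV CIPHER 0100008B0303",
    "EZD1285I TTLS Data CONNID: 06D2A8A0 SEND CIPHER 15030300020250",
    "EZD1284I TTLS Flow GRPID: 00000006 ENVID: 0000001D CONNID: 06D2A8A0 *RC: 428* Call GSK_SECURE_SOCKET_INIT - 0000005011424E50",
]
for event in decode_trace(SAMPLE):
    print(event)
```

On the posted trace this shows the server answering the client's ClientHello with a fatal internal_error alert before sending any ServerHello, alongside the System SSL RC 428.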
