Not for humans but for search engines

MQRC_EPH_ERROR 2420 (0974) (RC2420)

  • You have specified a channel in MQCONNX and this is not in the CCDT, so if you have a channel called QMACLIENT, and use “QM” or “QM*”, both will give MQRC_HOST_NOT_AVAILABLE.
  • You had a network problem, for example the application gets MQRC_CONNECTION_BROKEN. If the next MQ verb the application issues is MQCONN or MQCONNX this will fail with MQRC_HOST_NOT_AVAILABLE. You need to issue MQDISC, or retry the MQCONN(X) a second time.
  • You specified a connection address like when it was expecting

MQRC_UNKNOWN_OBJECT_QMGR: 2086 (0826) (RC2086) with a client application

This can be caused when using a client connection and specifying a queue manager name of the format “*name” (for availability). The application takes this queue manager name, and uses it in the MQOD.
If the first character of the Queue Manager Name is “*” then MQINQ should be used to retrieve the actual queue manager name, or do not use the “*name”.

MQRC_NOT_AUTHORIZED: 2035 (07F3) (RC2035) with MQCONNX

Trying to use MQCONNX to connect to a queue manager. The info from the Knowledge centre and the AMQ message say a blank userid or password was given. I also found the following can cause the same return code:

  • mqcno.SecurityParmsPtr = 0;
  • csp.CSPPasswordLength = 0;
  • csp.CSPUserIdLength = 0;
  • csp.CSPPasswordPtr = 0;
  • csp.CSPUserIdPtr = 0;
  • csp.AuthenticationType != MQCSP_AUTH_USER_ID_AND_PWD;



  • Not using threaded application. My C program was built with -lmqic instead of -lmqic_r -lpthread
  • SHRCONV = 0 on the channel definitions

MQRC_Q_MGR_NAME_ERROR: 2058 (080A) (RC2058)

  • export MQCHLLIB not pointing to correct location
  • export MQCHLTAB pointing to the wrong name, or not set and AMQCLCHL.TAB not found in the location pointed to by MQCHLLIB
  • remember to update your .profile so this does not happen again
  • you are using a CCDT and passed in a QMNAME of XXXX, for all channels with QMNAME XXXX none could connect to the queue manager in the conname.
  • You think you were using a mqclient.ini file … but are now in a different directory
  • You are using the correct mqclient.ini file.  It has a ChannelDefinitionFile=… file.   This ccdt file is missing entries for the queue manager.  use the runmqsc command DIS CHL(*) where chltype(eq,svrconn) to display the valid channels on the server.
  • You tried to connect with the queue manager name, and need to connect to the QM group name.
  • You forgot the * in front of the queue manager name when using groups.


  • MQSSLKEYR not set to the keystore path and file name
  • you specified …/key.kdb instead of /key without the .kdb
  • remember to update your .profile so this does not happen again
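
A preflight check for the client environment variables named in the two lists above (MQCHLLIB, MQCHLTAB, MQSSLKEYR), as an added example that is not from the original post. It assumes the client is configured only through these variables (no mqclient.ini); the function name is hypothetical.

```shell
#!/bin/sh
# check_mq_client_env: look for the environment mistakes listed above.
# Prints one line per finding and returns the number of findings (0 = clean).
# Assumption: the CCDT and keystore are located via environment variables only.
check_mq_client_env() {
    findings=0
    tab=${MQCHLTAB:-AMQCLCHL.TAB}   # table name used when MQCHLTAB is not set

    if [ -z "${MQCHLLIB:-}" ]; then
        echo "MQCHLLIB is not set"
        findings=$((findings + 1))
    elif [ ! -d "$MQCHLLIB" ]; then
        echo "MQCHLLIB=$MQCHLLIB is not a directory"
        findings=$((findings + 1))
    elif [ ! -r "$MQCHLLIB/$tab" ]; then
        echo "CCDT $MQCHLLIB/$tab not found or not readable"
        findings=$((findings + 1))
    fi

    if [ -z "${MQSSLKEYR:-}" ]; then
        echo "MQSSLKEYR is not set"
        findings=$((findings + 1))
    else
        case $MQSSLKEYR in
            *.kdb)
                # The variable takes the path and file stem, without .kdb
                echo "MQSSLKEYR=$MQSSLKEYR must not end in .kdb"
                findings=$((findings + 1))
                ;;
            *)
                if [ ! -r "$MQSSLKEYR.kdb" ]; then
                    echo "keystore $MQSSLKEYR.kdb not found or not readable"
                    findings=$((findings + 1))
                fi
                ;;
        esac
    fi
    return "$findings"
}
```

Call `check_mq_client_env` from the same shell (or the same .profile) that starts the client application, so it sees the variables the application will see.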




Solved it using

  • or
  • mqcno.Options = MQCNO_CD_FOR_OUTPUT_ONLY
  • but not both

MQRC_CD_ERROR: 2277 (08E5) (RC2277)

I received message in the /var/mqm/error/*.LOG saying

AMQ9498E: The MQCD structure supplied was not valid.

EXPLANATION: The value of the ‘ChannelName’ field has the value ‘0’. This value is invalid for the operation requested.

This is only partially true. If you specify mqcno.Options=MQCNO_CD_FOR_OUTPUT_ONLY, this returns the name of the channel to you. In this case specifying a blank channel name is valid. If this options value is not specified, then a channel name is required.

AMQ9202E: Remote host not available, retry later.

The attempt to allocate a conversation using TCP/IP to host ” for channel
QMZZZ was not successful. However the error may be a transitory one and it may be possible to successfully allocate a TCP/IP conversation later.

This is not strictly accurate.

In my MQCONNX I specified a channel name of QMZZZ which did not exist in the Client Channel Definition Table (CCDT).

  • Check the channel name in ClientConn.ChannelName
  • Specify mqcno.Options = MQCNO_CD_FOR_OUTPUT_ONLY so it ignores what is in the channel, and picks one from the entries in the CCDT.

AMQ9498E: The MQCD structure supplied was not valid.

The value of the ‘ChannelName’ field has the value ‘0’. This value is invalid for the operation requested.
Change the parameter and retry the operation.

  • I got this when I specified a blank (not ‘0’ ) in the ChannelName field. If I specified mqcno.Options = MQCNO_CD_FOR_OUTPUT_ONLY I did not get this error message, as the specified channelname value is ignored. I fixed the problem by changing the MQCNO, not the MQCD


I got this when using PCF and got my lengths mixed up, for example StrucLength was longer than the structure.


I got this when I issued INQUIRE_Q and passed in a channel name


I also got back section MQIACF_ERROR_IDENTIFIER (1013) with a value of 2031619. I can't find what this means.
My problem was I had specified an optional section – but not a required one.


I got this when using MQCMD_INQUIRE_Q, and I had specified MQCACF_Q_NAMES instead of MQCACF_Q_NAME ( no ‘s’).

If you look at MQCMD_INQUIRE_Q  it lists the valid options, and MQCA_Q_NAME is listed – but not MQCA_Q_NAMES.


Oracle WebLogic

<BEA-320084> BEA-320084 The user principals=[] does not have authorization to view the logs.

I got this when using JMX to access the data.  The userid had not been set up to get this log data.  See here.

Specifically I got these trying to access webLogic Type=WLDFAccessRuntime JMX data.

com.bea:ServerRuntime=...,Name=Accessor, Type=WLDFAccessRuntime,WLDFRuntime=WLDFRuntime
com.bea:ServerRuntime=...,Name=DataSourceLog, Type=WLDFDataAccessRuntime,...
com.bea:ServerRuntime=...,Name=DomainLog, Type=WLDFDataAccessRuntime,...
com.bea:ServerRuntime=...,Name=HTTPAccessLog, Type=WLDFDataAccessRuntime,...
com.bea:ServerRuntime=...,Name=HTTPAccessLog, Type=WLDFDataAccessRuntime,...
com.bea:ServerRuntime=...,Name=ServerLog, Type=WLDFDataAccessRuntime,...

<BEA-240003> BEA-240003

<Administration Console encountered the following error: weblogic.application.ModuleException: The following exception occurred while processing annotations: No EJBs found in the ejb-jar file ..

I got this when redeploying an MDB, using Redeploy this application using the following deployment files… If I used Update this application in place … it worked.


<BEA-149265>  BEA-149265 

Failure occurred in the execution of deployment request with …. Error is: “weblogic.application.ModuleException: java.lang.ClassCastException: cannot be cast to”

I got this when redeploying the MQ resource adapter in webLogic, and selecting Redeploy this application using the following deployment files:

When I used Update this application in place with new deployment plan changes. (A deployment plan must be specified for this option) it worked successfully.


Weblogic. Remember to update your deployment to reflect the new plan when you are finished with your changes.

You have changed a configuration, such as a Resource Adapter or MDB.  You have to restart the server, or redeploy the application to pick up changes.


Java jar command -C (No such file or directory)

jar cvfm abc.jar -C /home/colinpaice/xyz/  . -C (No such file or directory)

In the jar cvfm command, the m says use the manifest provided.  In this case -C was taken as the manifest – and so was not found.

jar cvfm abc.jar ./META-INF/MANIFEST.MF -C …



Error connecting to JMX endpoint: Failed to retrieve RMIServer stub: javax.naming.ServiceUnavailableException [Root exception is java.rmi.ConnectException: Connection refused to host:; nested exception is: Connection refused (Connection refused)]

The web server was not set up to listen on the specified port – or the web server was not active.


Using Java and MQ

Java HotSpot(TM) 64-Bit Server VM warning: You have loaded library /opt/mqm/java/lib/ which might have disabled stack guard.

Ensure  you have -Djava.library.path=/opt/mqm/java/lib64 not -Djava.library.path=/opt/mqm/java/lib



openssl Error unable to get local issuer certificate getting chain.

I was using commands like

openssl verify -CAfile ca.pem -untrusted myca.pem server.pem and openssl pkcs12 .. -CAfile… and got

Error unable to get local issuer certificate getting chain.

When I issued openssl x509 -in casss.pem -text -noout, I did not have keyUsage = keyCertSign, digitalSignature.
I added them in and it worked.
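
The keyUsage problem above, reproduced as an added example (not from the original post): two constructed test CAs differ only in keyUsage, each signs a server certificate, and only the chain under the CA with keyCertSign verifies. File names, CN values and function names are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo data: all keys and certificates are throwaway test files.

# make_ca DIR NAME KEYUSAGE: self-signed CA certificate with the given keyUsage.
make_ca() {
    cat > "$1/$2.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $2
[v3]
basicConstraints = critical,CA:TRUE
keyUsage = critical,$3
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# sign_leaf DIR NAME: issue DIR/NAME-leaf.pem from the CA called NAME.
sign_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/$2.cnf" \
        -subj "/CN=server" -keyout "$1/$2-leaf.key" -out "$1/$2-leaf.csr" \
        2>/dev/null &&
    openssl x509 -req -in "$1/$2-leaf.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$2-leaf.pem" 2>/dev/null
}

# ca_can_sign CERT: true if the certificate's Key Usage lists Certificate Sign.
ca_can_sign() {
    openssl x509 -in "$1" -noout -text | grep -q 'Certificate Sign'
}

# chain_verifies CA LEAF: true if LEAF verifies with CA as the trust anchor.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: build both CAs and print what each check reports.
demo() {
    dir=$(mktemp -d) || return 1
    make_ca "$dir" goodca keyCertSign,digitalSignature && sign_leaf "$dir" goodca
    make_ca "$dir" badca digitalSignature && sign_leaf "$dir" badca
    for ca in goodca badca; do
        ca_can_sign "$dir/$ca.pem" && sign=yes || sign=no
        chain_verifies "$dir/$ca.pem" "$dir/$ca-leaf.pem" && ok=yes || ok=no
        echo "$ca: keyCertSign=$sign leaf verifies=$ok"
    done
    rm -rf "$dir"
}
```

Run `demo` to see both cases; `ca_can_sign` on its own is a quick check to run against a CA file before putting it in a trust store.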


TLS handshake KeyUsage does not allow key agreement

I received KeyUsage does not allow key agreement at the client

  • Check the server’s certificate has Key Usage: keyAgreement
  • Check the certificate matches the cipher spec. For example, cipher spec TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 where the certificate from the server is Elliptic Curve gives this error. Cipher spec TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 does work.


You use runmqsc to show there is a client channel with your name. You need to issue the command DIS CHL(..) chltype(SVRCONN).
Use DIS CHL(*) SVRCONN to identify a channel you can use.



  • Check the AMQERR01.LOG for messages
  • Check the cluster name is a valid cluster name – check it matches the channels being used


Hercules emulator

HHCDA014E …. CKD out of sequence

The file is a zPDT file which was decrypted. The disk size is not as expected: number of tracks * size of tracks is not equal to the size of the file on disk.


CWPKI0024E: The certificate alias BPECC specified by the property is not found in KeyStore ://IZUSVR/KEY

The RACF command RACDCERT LISTRING(KEY ) ID(IZUSVR) <check the case>


Certificate Label Name Cert Owner USAGE DEFAULT
-------------------------------- ------------ -------- -------

So it is in the key store.

You need to check there is a profile for the keyring and, as the requester needs access to the private key, that the requester has update access to it.

The userid issuing the command may not have access to the keyring. The private key was needed, so needs update access to the keyring.

RLIST rdatalib START1.KEY.LST authuser

Note: The SETROPTS RACLIST(DIGTCERT,DIGTRING ) refresh is not strictly needed but it is worth doing it in case there were updates to the certificates and the refresh command was not done.

CWWKO0801E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is no cipher suites in common

This can be caused by

  • the requester not having access to the private key in the keyring.
  • no valid certificate in the ring.


IZUG476E: The HTTP request to the secondary z/OSMF instance “S0W1” failed with error type “HttpConnectionFailed” and response code “0”

I got this when trying to submit a job in the workflow topic.   You should get some ffdcs generated.

I had

  • WorkflowException: IZUWF9999E: The request cannot be completed because an error occurred.  The following error data is returned: “IZUG476E:The HTTP request to the secondary z/OSMF instance “S0W1” failed with error type “HttpConnectionFailed” and response code “0” .”

Ping and nslookup did not return any data.

I edited /etc/hosts/ S0W1.CANLAB.IBM.COM S0W1

and tso ping worked.

I had to restart z/OSMF for it to pick up the change.

Server reports Certificate errors – certificate_unknown

  • unable to find valid certification path to requested target
  • Rethrowing Received fatal alert: certificate_unknown
  • certificate_unknown

This was caused by the trust store at the client end not having the CA certificate for the certificate sent from the server. It may have had it, but it may have expired.

You may also get unable to find valid certification path to requested target because the trust store did not have the CA certificate, or the certificate was not valid – for example not trusted, or expired. PKIXCertPathBuilderImpl could not build a valid CertPath.

Check in the trace and ffdc.  I got errors

FFDC1015I: An FFDC Incident has been created: “ PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: The certificate issued by CN=TEMP4Certification Authorit2, OU=TEST, O=TEMP is not trusted; internal cause is: Certificate chaining error checkServerTrusted” 

CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN (the certificate used by the server)  was sent from the target host. The signer might need to be added to local trust store safkeyring://my/TRUST, located in SSL configuration alias defaultSSLSettings.

The extended error message from the SSL handshake exception is: PKIX path building failed: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: The certificate issued by (my ca) is not trusted; internal cause is: Certificate chaining error

 IZUWF9999E: The request cannot be completed because an error occurred. The following error data is returned:  “ PKIXCertPathBuilderImpl could not build a valid CertPath.”

Action: Add the CA for the server’s certificate to the trust store.   I had to restart z/OSMF to pick it up

CWPKI0033E: The keystore located at safkeyringhybrid://START1/KEY did not load because of the following error: Invalid keystore format


location=”safkeyringhybrid://USERID/Keyring to location=”safkeyring://USERID/Keyring to


I had the wrong SAF_PREFIX(‘IZUDFLT‘) in USER.Z24A.PARMLIB(IZUPRMCP).   IZUDFLT was correct.

I had other problems like invalid password when I logged onto the web browser.

Fix the problem and regenerate.

IZUG807E  An error occurred while attempting to load a required program library. Error: “require is not defined”

With an FFDC saying SRVE0190E: File not found: /IzuUICommon/1_5/zosmf/util/ui/resources/common.css

Action: close the browser and restart it

RACF certificates

IRRD109I The certificate cannot be added. Profile…. is already defined.

Action: use RACDCERT LIST ID(…) to list all the certificates belonging to a user. Search for the CN value. Due to a mistake, a certificate had been created using the label LABEL00000006.

I then used RACDCERT ID(START1) DELETE(LABEL(‘LABEL00000006’)) to delete it

TLS trace Could not determine revocation status

This is displayed when a self signed certificate is processed. It could be a self signed certificate, or the top of the hierarchy of a chain of signers.

Java TLSv1.3 SSLContext not available

z/OS does not support TLS v1.3 yet, and this is thrown. It was announced in April 2020.
