MQRC_EPH_ERROR 2420 (0974) (RC2420)
- You have specified a channel in MQCONNX and this is not in the CCDT, so if you have a channel called QMACLIENT, and use use “QM” or “QM*” both will give MQRC_HOST_NOT_AVAILABLE.
- You had a network problem, for example the application gets MQRC_CONNECTION_BROKEN. If the next MQ verb the application issues is MQCONN or MQCONNX this will fail with MQRC_HOST_NOT_AVAILABLE. You need to issue MQDISC, or retry the MQCONN(X) a second time.
- You specified a connection address like 127.0.0.1:1414 when it was expecting 127.0.0.1(1414).
MQRC_UNKNOWN_OBJECT_QMGR: 2086 (0826) (RC2086) with a client application
This can be caused when using a client connection and specifying a queue manager name of the format “*name” (for availability) . The application takes this queue manager name, and uses it in the MQOD.
If the first character of the Queue Manager Name is “*” then MQINQ should be used to retrieve the actual queue manager name, or do not use the “*name”.
MQRC_NOT_AUTHORIZED: 2035 (07F3) (RC2035) with MQCONNX
Trying to use MQCONNX to connect to a queue manger. The info from the Knowledge centre and the AMQ message say a blank userid or password was given. I also found the following can cause the same return code
- mqcno.SecurityParmsPtr = 0;
- csp.CSPPasswordLength = 0;
- sp.CSPUserIdLength = 0;
- csp.CSPPasswordPtr= 0;
- csp.CSPUserIdPtr = 0;
- csp.AuthenticationType != MQCSP_AUTH_USER_ID_AND_PWD;
MQRC_ENVIRONMENT_ERROR: 2012 (07DC) (RC2012) with MQCONNX
Trying to use MQCONNX with MQCNO_RECONNECT_Q_MGR or MQCNO_RECONNECT;
- Not using threaded application. My C program was built with -lmqic instead of -lmqic_r -lpthread
- SHRCONV = 0 on the channel definitions
MQRC_Q_MGR_NAME_ERROR: 2058 (080A) (RC2058)
- export MQCHLLIB not pointing to correct location
- export MQCHLTAB pointing to the wrong name, or not set and AMQCLCHL.TAB not found in the location pointed to by MQCHLLIB
- remember to update your .profile so this does not happen again
- you are using a CCDT and passed in a QMNAME of XXXX, for all channels with QMNAME XXXX none could connect to the queue manager in the conname.
- You think you were using a mqclient.ini file … but are now in a different directory
- You are using the correct mqclient.ini file. It has a ChannelDefinitionFile=… file. This ccdt file is missing entries for the queue manager. use the runmqsc command DIS CHL(*) where chltype(eq,svrconn) to display the valid channels on the server.
- You tried to connect with the queue manager name, and need to connect to the QM group name.
- You forgot the * in front of the queue manager name when using groups.
MQRC_KEY_REPOSITORY_ERROR: 2381 (094D) (RC2381)
- MQSSLKEYR not set to the keystore path and file name
- you specified …/key.kdb instead of /key without the .kdb
- remember to update your .profile so this does not happen again
MQRC_OPTIONS_ERROR:2046 (07FE) (RC2046)
During MQCONNX: mqcno.Options = MQCNO_CD_FOR_OUTPUT_ONLY + MQCNO_USE_CD_SELECTION;
Solved it using
- mqcno.Options = MQCNO_CD_FOR_OUTPUT_ONLY + MQCNO_USE_CD_SELECTION
- or
- mqcno.Options = MQCNO_CD_FOR_OUTPUT_ONLY
- but not both
MQRC_CD_ERROR2277 (08E5) (RC2277)
I received message in the /var/mqm/error/*.LOG saying
AMQ9498E: The MQCD structure supplied was not valid.
EXPLANATION: The value of the ‘ChannelName’ field has the value ‘0’. This value is invalid for the operation requested.
This is only partially true. If you specify mqcno.Options=MQCNO_CD_FOR_OUTPUT_ONLY, this returns the name of the channel to you. In this case specifying a blank channel name is valid. If this options value is not specified, then a channel name is required.
AMQ9202E: Remote host not available, retry later.
EXPLANATION:
The attempt to allocate a conversation using TCP/IP to host ” for channel
QMZZZ was not successful. However the error may be a transitory one and it may be possible to successfully allocate a TCP/IP conversation later.
This is not strictly accurate.
In my MQCONNX I specified a channel name of QMZZZ which did not exist in the Client Channel Definition Table (CCDT).
- Check the channel name in ClientConn.ChannelName
- Specify mqcno.Options = MQCNO_CD_FOR_OUTPUT_ONLY so it ignores what is in the channel, and picks one from the entries in the CCDT.
AMQ9498E: The MQCD structure supplied was not valid.
EXPLANATION:
The value of the ‘ChannelName’ field has the value ‘0’. This value is invalid for the operation requested.
ACTION:
Change the parameter and retry the operation.
- I got this when I specified a blank (not ‘0’ ) in the ChannelName field. If I specified mqcno.Options = MQCNO_CD_FOR_OUTPUT_ONLY I did not get this error message, as the specified channelname value is ignored. I fixed the problem by changing the MQCNO, not the MQCD
PCF: MQRCCF_MSG_LENGTH_ERROR: 3016 (0BC8) (RC3016)
I got this when using PCF and got my lengths mixed up, for example StrucLength was longer than the structure.
PCF: MQRCCF_CFST_PARM_ID_ERROR: 3015 (0BC7) (RC3015)
I got this when I issued INQUIRE_Q and passed in a channel name PCF:MQRC_UNEXPECTED_ERROR 2195 (0893) RC2195
I also got back section MQIACF_ERROR_IDENTIFIER (1013) with a value of 2031619. I cant find what this means.
My problem was I had specified an optional section – but not a required one.
PCF:MQRCCF_CFST_PARM_ID_ERROR 3015 (0BC7) RC3015
I got this when using MQCMD_INQUIRE_Q, and I had specified MQCACF_Q_NAMES instead of MQCACF_Q_NAME ( no ‘s’).
MQWEB on z/OS
SRVE0279E: Error occured while processing global listeners for the application com.ibm.mq.rest:
java.lang.NoClassDefFoundError: com.ibm.mq.mft.rest.v1.resource.MFTCommonResource (initialization failure)
SRVE0279E: Error occured while processing global listeners for the application com.ibm.mq.console: java.lang.NoClassDefFoundError: com.ibm.mq.ui.api.ras.RasDescriptor (initialization failure)
SRVE0321E: The [SecurityFilter] filter did not load during start up.
SRVE0321E: The [JSONFilter] filter did not load during start up.
SRVE0321E : The [MQConsoleSecurityFilter] filter did not load during start up.
I got this because the MQ JMS libraries had not been installed. I had /colin3/mq923/web, but was missing/colin3/mq923/java .
Liberty
The RACF command RACDCERT LISTRING(KEY ) ID(IZUSVR) <check the case>
gives
Certificate Label Name Cert Owner USAGE DEFAULT
-------------------------------- ------------ -------- -------
BPECC ID(START1) PERSONAL YES
So it is in the key store.
You need to check there is profile for the keyring, and as the requester needs access to the private key, has update access to it.
The userid issuing the command may not have access to the keyring. The private key was needed, so needs update access to the keyring.
RLIST rdatalib START1.KEY.LST authuser
RDEFINE RDATALIB IZUSVR.KEY.LST UACC(NONE)
PERMIT IZUSVR.KEY.LST CLASS(RDATALIB) ID(IZUSVR) ACCESS(UPDATE)
SETROPTS RACLIST(RDATALIB) REFRESH
SETROPTS RACLIST(DIGTCERT,DIGTRING ) refresh
Note: The SETROPTS RACLIST(DIGTCERT,DIGTRING ) refresh is not strictly needed but it is worth doing it in case there were updates to the certificates and the refresh command was not done.
Other options
- The certificate was not in the keyring
- It was NOTRUST
- It had expired
- The CA for the certificate was not in the keyring,
- The userid did not have update access to the keyring when there are private certificates from other userids. See here
CWWKO0801E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLHandshakeException: no cipher suites in common
This can be caused by
- the requester not having access to the private key in the keyring.
- no valid certificate in the ring.
CWWKB0117W: The IZUANG1 angel process is not available. No authorized
services will be loaded. The reason code is 4,104.
CWWKB0115I: This server is not authorized to load module bbgzsafm.
No authorized services will be loaded.
You need to define profiles and give the userid access to them
RDEF SERVER BBG.ANGEL UACC(NONE)
RDEF SERVER BBG.ANGEL.ANGEL UACC(NONE)
RDEF SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
RDEF SERVER BBG.AUTHMOD.BBGZSCFM UACC(NONE)
RDEF SERVER BBG.AUTHMOD.BBGZSAFM.ZOSWLM UACC(NONE)
RDEF SERVER BBG.AUTHMOD.BBGZSAFM.TXRRS UACC(NONE)
RDEF SERVER BBG.AUTHMOD.BBGZSAFM.PRODMGR UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED CLASS(SERVER) -
ID(START1) ACCESS(READ)
PERMIT BBG.AUTHMOD.BBGZSAFM CLASS(SERVER) -
ID(START1) ACCESS(READ)
PERMIT BBG.AUTHMOD.BBGZSAFM.LOCALCOM CLASS(SERVER) -
ID(START1) ACCESS(READ)
PERMIT BBG.AUTHMOD.BBGZSAFM.PRODMGR CLASS(SERVER) -
ID(START1) ACCESS(READ)
PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED CLASS(SERVER) -
ID(START1) ACCESS(READ)
PERMIT BBG.AUTHMOD.BBGZSAFM.TXRRRS CLASS(SERVER) -
ID(START1) ACCESS(READ)
PERMIT BBG.AUTHMOD.BBGZSAFM.TXRRS CLASS(SERVER) -
ID(START1) ACCESS(READ)
PERMIT BBG.AUTHMOD.BBGZSAFM.WOLA CLASS(SERVER) -
ID(START1) ACCESS(READ)
PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSAIO CLASS(SERVER) -
ID(START1) ACCESS(READ)
PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSDUMP CLASS(SERVER) -
ID(START1) ACCESS(READ)
PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSWLM CLASS(SERVER) -
ID(START1) ACCESS(READ)
PERMIT BBG.AUTHMOD.BBGZSCFM CLASS(SERVER) -
ID(START1) ACCESS(READ)
PERMIT BBG.AUTHMOD.BBGZSCFM.WOLA CLASS(SERVER) -
ID(START1) ACCESS(READ)
SETROPTS RACLIST(SERVER) REFRESH
Z/OSMF
ERROR ] CWPKI0022E: SSL HANDSHAKE FAILURE: … PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target.
With message
The signer might need to be added to local trust store … , located in SSL configuration alias izuSSLConfig. The extended error message from the SSL handshake exception is: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target.
Action: A client has sent a certificate and Liberty is trying to validate it
- The certificate from the client is self signed and not in the keyring (or trust keyring if this is used)
- The CA or intermeditate CAs are not in the keyring
- The CA’s are in the keyring, but not trusted
- There are CAs with the same name, but not the same content in the keyring. Check dates and other attributes
It may be that the Server’s certificate is being used to validate, so check the certificate being used by z/OSMF or Liberty.
Firefox is getting Error code: SEC_ERROR_UNKNOWN_ISSUER
Check your certificates. You need the CA and any intermediate CAs in the “Authorities” section of certificates. They may need to be trusted.
They are not automatically imported when you import a certificate.
IZUG476E: The HTTP request to the secondary z/OSMF instance “S0W1” failed with error type “HttpConnectionFailed” and response code “0”
I got this when trying to submit a job in the workflow topic. You should get some ffdcs generated.
I had
- java.net.UnknownHostException: s0w1.dal-ebis.ihost.com
- WorkflowException: IZUWF9999E: The request cannot be completed because an error occurred. The following error data is returned: “IZUG476E:The HTTP request to the secondary z/OSMF instance “S0W1” failed with error type “HttpConnectionFailed” and response code “0” .”
Ping s0w1.dal-ebis.ihost.com and nslookup s0w1.dal-ebis.ihost.com did not return any data.
I edited /etc/hosts/
10.1.1.2 S0W1.CANLAB.IBM.COM S0W1
10.1.1.2 s0w1.dal-ebis.ihost.com
and tso ping s0w1.dal-ebis.ihost.com worked.
I had to restart z/OSMF for it to pick up the change.
Server reports Certificate errors – certificate_unknown
- unable to find valid certification path to requested target
- Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
- certificate_unknown
This was caused by the trust store at the client end did not have the CA certificate for the certificate sent from the server. It may have had it, but it may have expired.
You may also get sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target because the trust store did not have the CA certificate, or the certificate was not valid – for example not trusted, or expired.
java.security.cert.CertificateException: PKIXCertPathBuilderImpl could not build a valid CertPath.
Check in the trace and ffdc. I got errors
FFDC1015I: An FFDC Incident has been created: “java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=TEMP4Certification Authorit2, OU=TEST, O=TEMP is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error
com.ibm.ws.ssl.core.WSX509TrustManager checkServerTrusted”
CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN (the cerificate used by the server) was sent from the target host. The signer might need to be added to local trust store safkeyring://my/TRUST, located in SSL configuration alias defaultSSLSettings.
The extended error message from the SSL handshake exception is: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued
by (my ca) is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error
IZUWF9999E: The request cannot be completed because an error occurred. The following error data is returned: “java.security.cert.CertificateException: PKIXCertPathBuilderImpl could not build a valid CertPath.”
Action: Add the CA for the server’s certificate to the trust store. I had to restart z/OSMF to pick it up
Change
location=”safkeyringhybrid://USERID/Keyring to location=”safkeyring://USERID/Keyring to
BPXF024I
You get this message if the syslogd program is not running.
BPXP015I HFS PROGRAM /usr/lpp/zosmf/lib/libIzuCommandJni.so IS NOT MARKED PROGRAM CONTROLLED. BPXP014I ENVIRONMENT MUST BE CONTROLLED FOR DAEMON (BPX.DAEMON) PROCESSING.
Use the command extattr /usr/lpp/zosmf/lib/libIzuCommandJni.so to check the Program Controlled attribute is set. Use the extattr +p…. to set it if required.
I had the wrong SAF_PREFIX(‘IZUDFLT‘) in USER.Z24A.PARMLIB(IZUPRMCP). IZUDFLT was correct.
I had other problems like invalid password when I logged onto the web browser.
Fix the problem and regenerate.
IZUG807E An error occurred while attempting to load a required program library. Error: “require is not defined”
With an FFDC saying SRVE0190E: File not found: /IzuUICommon/1_5/zosmf/util/ui/resources/common.css
Action: close the browser and restart it
BPXO042I with D OMVS,PFS
I was expecing D OMVS,PFS or D OMVS,P to give me BPXO068I and a list of Physical File Systems.
it gives BPXO042I when the command failed.
This was due to having an HFS definition in my z/OS 3.1 system. HFS is not supported on 3.1 . I removed the definition and it worked.
RACF certificates
IRRSDL00 R_datalib RC 8 RS 44 (0x2c)
I got this when the job userid did not have update access to the keyring for accessing private certificate information. Eg RDATALIB profile START1.CCPKeyring.IZUDFLT.LST, and z/OSMF userid IZUSVR. The profile may not exist.
IRRD103I An error was encountered processing the specified input data set.
I got this when using RACDCERT CHECKCERT(‘COLIN.CARSA.PEM’).
The error was caused by having the file open read write. If I exited from the file, the command worked.
IRRD104I The input data set does not contain a valid certificate.
The certificate did not have a subject DN in it.
EZD1287I TTLS Error RC: 435 Initial Handshake
435 Certification authority is unknown.
I got this having replaced the CA certificate. Deleting a certificate removes it from any keyring. When you recreate the CA, you need to add it to every keyring it was in. Before deleting a certificate it is worth listing it to see where it is used. I added it to my keyring and it worked!
IRRD109I The certificate cannot be added. Profile…. is already defined.
Action use RACDCERT LIST ID(…) to list all the certificate belonging to a user. Search for the CN value Due to a mistake, a certificate had been created using the label LABEL00000006.
I then used RACDCERT ID(START1) DELETE(LABEL(‘LABEL00000006’)) to delete it
IRRD140I The filter value does not begin with a valid prefix.
Ensure you are using upper case sod
IDNFILTER(‘CN=SSCA256.OU=CA.O=DOC.C=GB’)
instead of
IDNFILTER(‘cn=SSCA256.ou=CA.o=DOC.c=GB’)
TLS trace
java.security.cert.CertPathValidatorException: Could not determine revocation status
This is displayed when a self signed certificate is processed. It could be a self signed certificate, or the top of the hierarchy of a chain of signers.
Java java.security.NoSuchAlgorithmException: TLSv1.3 SSLContext not available
z/OS does not support TLS v1.3 yet, and this is thrown. It was announced in April 2020.
CWWKS4000E: A configuration exception has occurred. The
requested TokenService instance of type Ltpa2 could not be
found.
I found I could no longer authenticate to z/OSMF and there were CWWKS4000E messages in the z/OSMF logs. In my /global/zosmf/data/logs/zosmfServer/logs/message…. I had near the top of the file
CWWKS4106E: LTPA configuration error. Unable to create or read LTPA key file:
/global/zosmf/configuration/servers/zosmfServer/resources/security/ltpa.keys
I renamed /global/zosmf/configuration/servers/zosmfServer/resources/securityldpa.keys to keys.saved, and restarted z/OSMF.
On restart it recreated the file, and I could logon successfully.
CWWKS1100A: Authentication did not succeed for user ID COLIN. An invalid user ID or password was specified.
Also check the stderr log
[ERROR ] CWWKS2907E: SAF Service IRRSIA00_CREATE did not succeed because user COLIN has insufficient authority to access APPL-ID IZUDFLT.
SAF return code 0x00000008. RACF return code 0x00000008. RACF reason code 0x00000020.
CONNECT user_id GROUP(group_id)
or
Permit IZUDFLT class(APPL) id(userid) Access(read)
setropts raclist(Appl) refresh
IKJ56251I USER NOT AUTHORIZED FOR SUBMIT YOUR TSO ADMINISTRATOR MUST AUTHORIZE USE OF THIS COMMAND
You need to give the userid access to the TSOAUTH resource
//TSO3 EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
PERMIT CONSOLE CLASS(TSOAUTH) ID(COLIN) ACCESS(READ)
PERMIT JCL CLASS(TSOAUTH) ID(COLIN) ACCESS(READ)
PERMIT PARMLIB CLASS(TSOAUTH) ID(COLIN) ACCESS(READ)
SETROPTS RACLIST(TSOAUTH)
I’ve been told the following is no longer needed (but used to be needed)
PERMIT SUBMIT CLASS(TSOAUTH) ID(COLIN) ACCESS(READ)
IKJ56702I INVALID GROUP, PKIGRP3
I got this with
DELGROUP PKIGRP3
The message is totally wrong.
I could not delete the group because it had users connected to it. When I removed the userids it worked OK.
ICSF
IEC143I 213-85, … RC=X’00000008′,RSN=X’0000271C’
You may need to refresh the in memory copy of the PKDS.
IEC614I … RC 192, DIAGNOSTIC INFORMATION IS (040343C9)
You need to know to look up the last 4 digits 43c9 in DFSMS Diagnostic aids. The code means SMS-managed volumes specified for non-SMS request.
You can use the operator command D SMS,VOL(USER00), to list one volid. If this is SMS managed, it gives the storage group name. If it is not SMS managed it gives: IGD005I COMMAND REJECTED VOLUME …… IS NOT AN SMS MANAGED DASD VOLUME .
Note: The command d sms,sg(All),listvol lists all volumes defined to SMS – even though they may not exit on the z/OS IMAGE.
MQ applications
IEW2456E SYMBOL CSQB1CON UNRESOLVED.
IEW2456E SYMBOL CSQB1DSC UNRESOLVED.
Was using cc to compile in Unix Services, and had Binder option dll. The compiler did not have this option, and so gave this message.
I used
cc -c -o c.o -Wc,SO,LIST(lst),SHOWINC,SSCOM,DLL,LSEARCH(‘COLIN.MQ924.SCSQC370′) -I //’COLIN.MQ924.SCSQC370’ c.c
cc -o mqsamp -V -Wl,LIST,MAP,INFO,DYNAM=DLL,AMODE=31 //’COLIN.MQ924.SCSQDEFS.OBJ(CSQBMQ1)’ c.o
Note I had to create the COLIN.MQ924.SCSQDEFS.OBJ, when using the xlc compiler.
IOEZ00312I Dynamic growth of aggregate ZFS.USERS in progress,
IOEZ00329I Attempting to extend ZFS.USERS by a secondary extent.
IEF196I IEC070I 104-204,OMVS,OMVS,SYS00022,0A9E,C4USS2,ZFS.USERS,
IEF196I IEC070I ZFS.USERS.DATA,CATALOG.Z24C.MASTER
IEC070I 104-204,OMVS,OMVS,SYS00022,0A9E,C4USS2,ZFS.USERS, 588
IEC070I ZFS.USERS.DATA,CATALOG.Z24C.MASTER
IOEZ00445E Error extending ZFS.USERS. DFSMS return code = 104, PDF code = 204.
MSG IEC070I 104-204 data set would exceed 4 gig if extended.
z/OS
CCN0629(U) DD:SYSLIN has invalid attributes.
CCN0703(I) An error was encountered in a call to fopen() while processing DD:SYSLIN.
We got these when compiling a C program, and using SYSLIN.
The problem is that the procedures such as EDCCBG, have
//SYSLIN .. DCB=(RECFM=FB,LRECL=80,BLKSIZE=3200)
when the data set had a blksize of more than 3200 (eg 27920). It sees and reports the mismatch.
Unix services
FSUM7332 syntax error: got Word, expecting )
I was trying to use a Python virtual environment and used the command
. env/bin/activate
The problem was the code page of the file.
I needed
export _BPXK_AUTOCVT=ON
I put this in my .profile file/
openssl
I got the following using x3270.
Use export SSL_VERBOSE_ERRORS=”1″ to get more info
Error: SSL: Private key file load ("...") failed:
error:0909006C:PEM routines:get_name:no start line
Using
openssl s_client -connect 10.1.1.2:2023 -cert … -certform PEM
gave more info
unable to load client certificate private key file
error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
I needed certificate and key, for example
x3270 -port 2023 -trace -tracefile x3270.trace -certfile ~/ssl/ssl2/colinpaice.pem –keyfile /home/colinpaice/ssl/ssl2/colinpaice.key.pem 10.1.1.2
Z/OS
IEE535I … INVALID PARAMETER
I had
TRACE CT,WTRSTART=CTWTR
IEE535I TRACE INVALID PARAMETER
TRACE CT,WTRSTART=CTWTR,WRAP
ITT038I … WERE SUCCESSFULLY EXECUTED.
The first command was copied from a document. It had a trailing non blank space (x41). Remove it and the command works.
Try pasting the command into an ISPF edit session and using hex on to display the command.
EDC5164I SAF/RACF error. errno2 rs 199754829 0be8044d 0x0b8044d
I got this when I was trying to authentic using pthread_security_applid_np, and the certificate sent up did not have a subject DN.
The lack of subject DN was caused by commonName = supplied being missing in openssl when doing openssl ca … -policy signing_policy.
BPX1SOC TTLS_INIT_CONNECTION rv -1 rc ECONNRESET(1121) rs 2007593789 (0x77a9733d) 77a9733d EDC8121I Connection reset
The bpxmtext 77a9733d gives
TCPIP
JrTtlsHandshakeFailed: AT-TLS was unable to successfully negotiate a secure
TCP connection with the remote end.
Action: Review message EZD1286I for more information about the error.
On syslog was
EZD1287I TTLS Error RC: 403 Initial Handshake
Where 403 is The required certificate was not received from the communication partner.
The Wireshark output had a Certificate flow from the client to the server. This had no certificate in it.
The reason for this was,
- the client had an RSA certificate
- the Signature Hash Algorithms sent from the server did not include RSA.
The client was thus unable to send a certificate matching the SHA.
If I specified RSA only signature pairs, I could only use an RSA certificate. An Elliptic Curve certificate (ECDSA) had the same message and error code.
BPX1BND rv -1 rc EADDRINUSE(1115) rs 1951167047 (0x744c7247) EDC8115I Address already in use.
Because a program may not know that the “FIN” (end of conversation) has got to the other end, a socket enters a TIMEWAIT state. The IBM documentation says
If the server cannot wait for one to four minutes, you can use the setsockopt() call in the server to specify SO_REUSEADDR before it issues the bind() call. In that case, the server will be able to bind its socket to the same port number it was using before, even if the TIMEWAIT period has not elapsed. However, the TCP protocol layer still prevents it from establishing a connection to the same partner socket address. As clients normally initiate connections and clients use ephemeral port numbers, the likelihood of this is low.
BPX1SND rv -1 rc EOPNOTSUPP(1112) rs 1977578120 (0x75df7288) EDC8112I Operation not supported on socket.
I got this trying to issue bpx1snd() when there was data in the receive buffer. I used bpx1rcv to read the data, and the problem went away.
I peeked at the data before getting it, so I knew the length of the data to get, and so avoided waiting for data.
char buf[4000];
int lbuff = sizeof(buf);
int alet = 0;
int flags = MSG_PEEK;
BPX1RCV( &sd, // socket desciptor
&lbuff,
&buf,
&alet,
&flags,
&rv, // -1 or number of bytes
&rc,
&rs);
printf("BPX1RCV Peek bytes %d data... \n",rv );
lbuff = rv; // the number of bytes in the buffer
flags = 0 ;
BPX1RCV( &sd, // socket descriptor
&lbuff,
&buf,
&alet,
&flags,
&rv, // -1 or number of bytes
&rc,
&rs);
printf("BPX1RCV bytes %d data... \n",rv );
BPXF135E RETURN CODE 00000079, REASON CODE 055B005C
I got this using the command
MOUNT FILESYSTEM(‘COLIN.ZFS2’) TYPE(ZFS) MOUNTPOINT(‘/u/ibmuser/temp’ )
code 79 is invalid. The 005b005c means already in use. Either
- COLIN.ZFS2 is already mounted
- there is something else mounted on /u/ibmuser/temp
You can use the D OMVS,F command to display the file system and where they are mounted.
BPXF135E RETURN CODE 00000081, REASON CODE 053B006C
May because the file system is mounted READ and it needs to be RDWR.
BPXMTEXT 053B006C -> JRFileNotThere: The requested file does not exist.
Problem 1
I had MOUNTPOINT(‘/u/ibmuser/test’ ) (which did not exit) not the correct MOUNTPOINT(‘/u/ibmuser/temp’ )
Problem 2
I was trying to mount it at /my. I had to go into Unix and issue mkdir /my only then could I mount the file system.
BPXF137E RETURN CODE 00000079, REASON CODE 0588002E.
THE UNMOUNT FAILED FOR FILE SYSTEM …
002E is JRFilesysNotThere. Check the file system is mounted
BPXF137E RETURN CODE 00000072, REASON CODE 058800AA
BPXF137E RETURN CODE 00000072 (the resource is busy) , REASON CODE 058800AA JRFsParentFs The file system has file systems mounted on it.
I was trying to unmount a ZFS file systemm, and got the above messages. It means you cannot unmount it, because you have other file systems attached to it. On the z/OS console it had
BPXF271I FILE SYSTEM ZFS.USERS
FAILED TO UNMOUNT BECAUSE IT CONTAINS MOUNTPOINT DIRECTORIES FOR
ONE OR MORE OTHER FILE SYSTEMS WHICH MUST BE UNMOUNTED FIRST,
INCLUDING FILE SYSTEM COLIN.ZFS2
I used
unmount filesystem('COLIN.ZFS2') Immediate
and got message on the console
IOEZ00048I Detaching aggregate COLIN.ZFS2
RACF
ICH409I 500-002 ABEND
RACF abended S 500 00000002. I had problems with the RACF database. I carefully reallocated it using
//IBMCOPYR JOB 1,MSGCLASS=H
//STEP EXEC PGM=IEFBR14
//SYSUT1 DD SPACE=(CYL,(10,10),RLSE),
// DCB=(LRECL=4096,RECFM=F),DISP=(MOD,DELETE),
// DSN=SYS1.COLIN.RACFDB.Z31B
//STEP EXEC PGM=IRRUT200 PARM=ACTIVATE
//SYSRACF DD DSN=COLIN.RACFDB.NEW,DISP=SHR
//SYSUT1 DD SPACE=(CYL,(70),,CONTIG),
// DCB=(DSORG=PS),DISP=(NEW,CATLG),
// DSN=SYS1.COLIN.RACFDB.Z31B
/*
//SYSUT2 DD SYSOUT=A
//SYSPRINT DD SYSOUT=A
//SYSIN DD *
INDEX
MAP
END
/*
and it worked.
ICH15004I BACKUP DATASET CAN NOT BE SWITCHED; dsname IGNORED
#rvary list gave me
ACTIVE USE NUM VOLUME DATASET
------ --- --- ------ -------
YES PRIM 1 B3CFG1 SYS1.RACFDS
YES BACK 1 B3USR1 SYS1.COLIN.RACFDB.Z31B
I used rvary switch,dataset(SYS1.COLIN.RACFDB.Z31B) and got the above message.
I should have just used rvary switch.
ICH21053I Unexpected return code=00000004 and reason code=00000000 from IBM MFA while processing user …
I stopped and restarted the AZF server AZF#in00 and the problem went away.
ICH408I USER(…) GROUP(…) NAME(ADCDA )NOT AUTHORIZED TO ADMINISTER DIGITAL CERTIFICATES OR CERTIFICATE REQUESTS. READ DENIED
and
IKYI002I SAF Service IRRSPX00 Returned SAF RC = 8 RACF RC = 8 RACF RSN = 8 Request denied, not authorized.
This can be caused a user not having access, or by the wrong userid being used:
User not having access
The user issuing the request was not authorised to IRR.RPKISERV.PKIADMIN CLASS(FACILITY).
Note what the message says
- READ DENIED
- UPDATE DENIED
Use
tso rlist facility irr.RPKISERV.PKIADmin auth
and connect the userid ( if required) to a group or give the required access with
PERMIT IRR.RPKISERV.PKIADMIN CLASS(FACILITY)
ID(ADCDA ) ACCESS(read )
setropts raclist(FACILITY) refresh
The wrong userid being used
In Http I had
<files qc2.rexx>
AuthName SAFSurrogateUser
AuthType Basic
AuthBasicProvider saf
Require valid-user
SAFRunAs PKISERV
</files>
This worked fine.
I created a new rexx exec, without a defintion, and this caused the error messages because it ran with the WEBSRV userid, which did not have access, and so failed.I changed the SAFRunAs to %%CLIENT%% and it worked.
FSUM7351 not found
echo: /usr/lpp/ihsa_zos/bin/apachectl 88: FSUM7351 not found
At line 88 in the file, the command “echo” was not found. Check the path and libpath and check that /bin:/usr/sbin: are both specified
EZD0860I Stack INET is not available : errno 1011 (EDC8011I A name of a PFS was specified that either is not configured or is not a Sockets PFS.) errnojr 0x11B3005A
Programs like TCPIP ipsec could not find the default IP name.
For example /etc/resolv.conf was missing TCPIPJOBNAME
nameserver 127.0.0.1
TCPIPJOBNAME TCPIP
See Configuring TCPIP.DATA, Configuration statements in TCPIP.DATA, and TCPIPJOBNAME.
EZY2642E Unknown keyword:
I got this with FTP
EZY2642E Unknown keyword: PASSIVEDATAPORTS(8000,8100)
There needs to be a blank between PASSIVEDATAPORTS and the values (8000,8100)
PASSIVEDATAPORTS (8000,8100)
IKJ56529I SYMBOLIC PARMS IN VALUE LIST IGNORED
IKJ56529I COMMAND PROCEDURE HAS NO PROC STMT
In my TSO rexx program I had
/* REXX */
address tso
if userid = "" then userid = SYSVAR("SYSUID")
say "userid="userid"."
x = outtrap("var.")
"TSO RACDCERT LISTRING(TN3270) ID(PAICE)"
and got
IKJ56529I SYMBOLIC PARMS IN VALUE LIST IGNORED – RACDCERT LISTRING(TN3270) ID(START1 )+
IKJ56529I COMMAND PROCEDURE HAS NO PROC STMT
The problem was the TSO in front of the command. In effect the command was
address tso TSO RACDCERT LISTRING(TN3270) ID(PAICE)
and the TSO Command processor was unable to parse the statement.
Removing the TSO in “TSO RACDCERT LISTRING(TN3270) ID(PAICE)” solved the problem
DFDSS messages
ADR374E (001)-OPNCL(14), UNABLE TO OPEN DDNAME TARGET, 14
The target data set had a RACF profile which meant it would be encrypted. For example had
DFP INFORMATION
---------------
RESOWNER= NONE
DATAKEY= COLINBATCHAES
Action: Use a different data set name.
ADR412E DATA SET …IN CATALOG … ON VOLUME … FAILED SERIALIZATION
You need TOL(ENQF)
DUMP -
DATASET(INCLUDE(USER.Z25D.PROCLIB -
USER.Z25D.PARMLIB -
USER.Z25D.CLIST )-
) -
TOL(ENQF) -
OUTDDNAME(TARGET) -
COMPRESS
ADR380E DATA SET … NOT PROCESSED, 31
Code 31 means it did not know where to put it. Use
//S1 EXEC PGM=ADRDSSU,REGION=0M PARM='TYPRUN=NORUN'
//TARGET DD DSN=COLIN.BACKUP.CSF,DISP=SHR
//SYSPRINT DD SYSOUT=*
//DASD2 DD UNIT=3390,VOL=(PRIVATE,SER=D5CFG1),DISP=OLD
//SYSIN DD *
RESTORE -
DATASET(INCLUDE(CSF.**) ) -
REPLACE -
OUTDDNAME(DASD2 ) -
INDDNAME(TARGET)
/*
DATASET(INCLUDE(CSF.*) ) - REPLACE - OUTDDNAME(DASD2 ) - INDDNAME(TARGET) /
ADR380E DATA SET … NOT PROCESSED, 18
Code 18 means you need replace
//S1 EXEC PGM=ADRDSSU,REGION=0M PARM='TYPRUN=NORUN'
//TARGET DD DSN=COLIN.BACKUP.CSF,DISP=SHR
//SYSPRINT DD SYSOUT=*
//DASD2 DD UNIT=3390,VOL=(PRIVATE,SER=D5CFG1),DISP=OLD
//SYSIN DD *
RESTORE -
DATASET(INCLUDE(CSF.**) ) -
OUTDDNAME(DASD2 ) -
REPLACE -
INDDNAME(TARGET)
/*
AZF2606E Failed to listen on loopback address (port:…. rc:112, rsn:0x112b00b6)
rc:112 means EAGAIN – resource temporarily unavailable.
112b and 00b6
I got this when TCPIP was down, and so a connect to a socket failed.
TSO
IKJ56251I USER NOT AUTHORIZED FOR SUBMIT
The userid needs access to JCL
permit JCL class(TSOAUTH)id(COLIN) access(REAd)
permit CONSOLE class(TSOAUTH)id(COLIN) access(REAd)
setropts raclist(TSOAUTH) refresh
setropts raclist(ACCTNUM) refresh
Binder
IEW2469E 9907 THE ATTRIBUTES OF A REFERENCE TO … FROM SECTION … DO NOT MATCH THE ATTRIBUTES OF THE TARGET SYMBOL. REASON 2
Message IEW2469E reason 2 is The xplink attributes of the reference and target do not match.
I was compiling this from a 64 bit C program (so is XPLINK). I needed a
#pragma linkage(IRR… ,OS)
in my program to say the program is a stub/ assembler program.
VSAM
IDC3009I ** VSAM CATALOG RETURN CODE IS 80 – REASON CODE IS IGG0CLAT-4
DEFINE PATH -
(NAME( COLIN.ISM400.UTIL.ZFS ) -
PATHENTRY( ISM400.UTIL.ZFS ))
IDC3022I INVALID RELATED OBJECT
IDC3009I ** VSAM CATALOG RETURN CODE IS 80 – REASON CODE IS IGG0CLAT-4
IDC3003I FUNCTION TERMINATED. CONDITION CODE IS 12
it needs
DEFINE PATH -
(NAME( COLIN.ISM400.UTIL.ZFS ) -
PATHENTRY( ISM400.UTIL.ZFS )) -
CATALOG(USERCAT.Z25D.PRODS)
Abend 0C4 in CELQLIB
I got SYSTEM COMPLETION CODE=0C4 REASON CODE=00000010 while my program was starting up.
This was caused by having a 64 bit C program linkedited with
// BPARM='SIZE=(900K,124K),RENT,LIST,RMODE=ANY,AMODE=31'
instead of AMODE=64.
AWSEMI307I Warning! Disabled Wait CPU 0 = 00020000 00000000 00000000 00000088
I got this WAIT088 reIPLing a system after a migration. It is described here. It means I did not have a LOADxx member corresponding to the IPL parm with xx.
This is not to be confused with System Abend code 088 (in the same manual) The auxiliary storage manager (ASM) detected a paging I/O error when attempting to read from or write to storage-class memory (SCM). Which is an Abend code, not a wait code.
C compiler
ERROR CCN3166 file:line Definition of function … requires parentheses
I had code
#include <findkey.h>
#include <keytype.h>
I had a definition typedef union keyTYPE…. in keytype.h but I used it in findkey before it was defined.
Solution:
Move the definition before use, or add #include <keytype.h> at the start of findkey.h
ERROR CCN3277 COLIN.ICSF.C.HELPERS(KEYTEST):31 Syntax error: possible missing
ERROR CCN3045 COLIN.ICSF.C.HELPERS(KEYTEST):32 Undeclared identifier rule.
At list 31 in COLIN.ICSF.C.HELPERS(KEYTEST) I had
char8 rule[2] = {"AES ","KEY-LEN "};
but char8 was not defined.
In my program I then defined typedef char char8[8]; and it worked. The clue was in the second message – not the first.
I put the following in my code
#ifndef char8
#error char8 not defined
#endif
and the compilation produced
ERROR CCN3205 COLIN.ICSF.C(DELETE):36 char8 not defined
Abend S206-c0
I got the system 20c abend rc c0. The documentation says A parameter was not addressable or was in the wrong storage key.
I got this compiling a 64 bit C program, which was not XPLINK. I changed EDCCB to EDCQCB, and it worked.
EINVAL 0x0717014A
I was getting 0717014A when using shmatt. Eventually I changed my program to be 64 bit and it worked. ( I compiled it with EDCQCB <Compile, bind, and run a 64-bit C program>). It may be the original shared memory was defined in 64 bit mode.
TCP/IP
EZZ8342I gethostbyname(ABCD: Unknown host)
The names server had not been set up properly.
F RESOLVER,display
gives information like
F RESOLVER,DISPLAY
EZZ9298I RESOLVERSETUP - ADCD.Z31B.TCPPARMS(GBLRESOL)
EZZ9298I DEFAULTTCPIPDATA - ADCD.Z31B.TCPPARMS(GBLTDATA)
EZZ9298I GLOBALTCPIPDATA - ADCD.Z31B.TCPPARMS(GBLTDATA)
EZZ9298I DEFAULTIPNODES - ADCD.Z31B.TCPPARMS(ZPDTIPN1)
EZZ9298I GLOBALIPNODES - ADCD.Z31B.TCPPARMS(ZPDTIPN1)
EZZ9304I COMMONSEARCH
EZZ9304I CACHE
EZZ9298I CACHESIZE - 200M
EZZ9298I MAXTTL - 2147483647
EZZ9298I MAXNEGTTL - 2147483647
EZZ9304I NOCACHEREORDER
EZZ9298I UNRESPONSIVETHRESHOLD - 25
EZZ9293I DISPLAY COMMAND PROCESSED
The configuration file is RESOLVERSETUP – ADCD.Z31B.TCPPARMS(GBLRESOL).
The definitions of for the local name server are in DEFAULTIPNODES and GLOBALIPNODES.
You can either change one of these files, and use the command
F RESOLVER,refresh
to pick up the change. I did not want to change “production” so
- I copied ADCD.Z31B.TCPPARMS(GBLRESOL) to USER.Z31B.TCPPARMS(GBLRESOL).
- Created USER.Z31B.TCPPARMS(ZPDTIPN1) from ADCD.Z31B.TCPPARMS(ZPDTIPN1) , and added in my changes
- Changed USER.Z31B.TCPPARMS(GBLRESOL) to have DEFAULTIPNODES – USER.Z31B.TCPPARMS(ZPDTIPN1)
- Made the change active F RESOLVER,refresh,setup=’user.Z31B.TCPPARMS(GBLRESOL)’
When it worked, I copied my change from USER.Z31B.TCPPARMS(ZPDTIPN1) to ADCD.Z31B.TCPPARMS(ZPDTIPN1), and used F RESOLVER,refresh,setup=’user.Z31B.TCPPARMS(GBLRESOL)’ to go back to the system definitions.
IEF450I GPMSERVE GPMSERVE – ABEND=S0C4 U0000 REASON=00000011
After I got this message I started RMF, and used F RMF,START III and it worked successfully.
ERB944I Report is not available, reason code 3.
Using the RMF III option ZFSSUM I got the message, which has
3 Backlevel data or no data from the zFS interface.
I could not find what the problem was. I did wonder if it was because I had ZFS running within the OMVS address space (for performance), and so RMF could not find the ZFS job.
ColinPaice 