CA XCOM XCOMU0780E Txpi 308: TxpiInitSSL SSL3_READ_BYTES:sslv3 alert certificate expired

Document ID : KB000003932
Last Modified Date : 14/02/2018
Issue:

When sending from the mainframe to Linux or UNIX, the following message is displayed:

XCOMU0780E Txpi  308: TxpiInitSSL Failed msg = <error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired +++ SSL alert number 45> value = 0:

A loopback transfer on Linux or UNIX side generates this message:

XCOMU0298E Unable to allocate remote transaction program: Txpi  215:rv=9
Cause:

One or more of the certificates has expired.

Resolution:

The problem is on the UNIX or Linux side: the error message has a U in the 5th position, which indicates where the error originated. Run listca, listclient and listserver on Linux or UNIX to verify which of these certificates has expired. It is possible for one or more of the certificates to be fine and the other(s) expired.

If one of the certificates is expired, all the certificates on that machine must be regenerated.

An overview of the steps:

  • Back up the current root certificate and key
  • Delete the current certificates
  • Set the parameters for the new expiration date
  • Run makeca
  • Restore the original casslkey.pem and cassl.pem files
  • Run makeclient, makeserver

Back up the current root certificate and key

These are the private/casslkey.pem and certs/cassl.pem files.  You must save these because these files must match on both partners (and on all the partners sending SSL files to one another). 

Delete the current certificates

Before you regenerate the certificates, you must delete the existing certificates.

** Be very careful with this **

Manually delete the CERTS & PRIVATE subdirectories that are in the SSL subdirectory under your XCOM install directory.

You also need to delete the following files:

  • all index.* files in the SSL subdirectory
  • all serial.* files in the SSL subdirectory
  • the random.pem file in the SSL subdirectory

Set the parameters for the new expiration date

To do this, you specify how long, in days, the certificate will be valid.

For example, to extend the certificates for 1 year, do the following. (You may also choose any other time period you want, for example, 2 years, 10 years.)

Edit the parameter "default_days=" in the [CA-XCOM] section of the cassl.conf file and set it to 365. Save the cassl.conf file.

Also modify makeca.bat to add -days 365 at the end of the OPENSSL command:

openssl req -x509 -newkey rsa -out ./certs/cassl.pem -outform PEM -days 365

Run makeca

Create the Certificate Authority certificate.

Restore the original root certificate and key

Copy the saved casslkey.pem to the private directory and the cassl.pem file to the certs directory.  This will overlay the dummy casslkey.pem and cassl.pem files that makeca just created.

Run makeclient, makeserver

Run the makeclient and makeserver scripts again to regenerate the certificates with the new expiration date.
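
The backup, delete and restore steps above can be scripted so that nothing is deleted until the saved root certificate and key are verified. This is an added example, not a CA-supplied script; the function names, the backup directory argument and the lowercase certs/private directory names are assumptions. makeca, makeclient and makeserver are still run by hand between the two functions.

```shell
#!/bin/sh
# Added example, not CA-supplied. Assumptions: $1 is the SSL subdirectory of
# the XCOM install, laid out as private/casslkey.pem and certs/cassl.pem;
# $2 is a backup directory of your choice outside the SSL subdirectory.

# Back up the root certificate and key, verify the copies, then delete
# the old certificates and the index.*, serial.* and random.pem files.
xcom_backup_and_clean() {
    ssl_dir=$1 backup_dir=$2
    key=$ssl_dir/private/casslkey.pem
    cert=$ssl_dir/certs/cassl.pem
    [ -f "$key" ] && [ -f "$cert" ] || { echo "root cert/key not found" >&2; return 1; }
    case $backup_dir in
        "$ssl_dir"|"$ssl_dir"/*) echo "backup must be outside $ssl_dir" >&2; return 1 ;;
    esac
    mkdir -p "$backup_dir" && chmod 700 "$backup_dir" || return 1
    cp -p "$key" "$cert" "$backup_dir"/ || return 1
    # Refuse to delete anything unless both copies are byte-identical.
    cmp -s "$key" "$backup_dir/casslkey.pem" || return 1
    cmp -s "$cert" "$backup_dir/cassl.pem" || return 1
    rm -rf "$ssl_dir/certs" "$ssl_dir/private"
    rm -f "$ssl_dir"/index.* "$ssl_dir"/serial.* "$ssl_dir/random.pem"
}

# After makeca has run, overlay its dummy root files with the saved ones.
xcom_restore_root() {
    ssl_dir=$1 backup_dir=$2
    [ -d "$ssl_dir/private" ] && [ -d "$ssl_dir/certs" ] || { echo "run makeca first" >&2; return 1; }
    cp -p "$backup_dir/casslkey.pem" "$ssl_dir/private/casslkey.pem" || return 1
    cp -p "$backup_dir/cassl.pem" "$ssl_dir/certs/cassl.pem" || return 1
    # Keep the restored CA private key readable by its owner only.
    chmod 600 "$ssl_dir/private/casslkey.pem"
}
```

Order of use: xcom_backup_and_clean, edit cassl.conf and makeca, run makeca, xcom_restore_root, then makeclient and makeserver.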