Missing Root with Connect Direct

Document ID : KB000015401
Last Modified Date : 14/02/2018
Introduction:

Resolving a missing root certificate condition with Connect Direct

Question:

Having a problem establishing an SSL Connect Direct connection. Sent an SSLTRACE to IBM and they came back with the following:

 

Server sent a chain of 3 certs, sysa.fnfismd.com which was signed by Intermediate cert Symantec Class 3 Secure Server CA - G4 which was signed by Root cert Verisign Class 3 Public Primary Certification Authority - G5. The issue is an Alert 42 which is occurring because the Root certificate is not in the keyring 'FRB KEY RING OUT BOUND' so we can't authenticate the certificates sent by the server.

The root cert from Black Knight, Verisign Class 3 Public Primary Certification Authority - G5, is not loaded in your Key ring FRB KEY RING OUT BOUND.

Work with your Security person to ensure the Root certificate is loaded and try the process again.  

Answer:

Add the missing root certificates to the keyring owned by the ACID of the Connect Direct started task:

TSS ADD(CONNECT) KEYRING(CDRING) RINGDATA(CERTAUTH,ROOT1) USAGE(CERTAUTH)
TSS ADD(CONNECT) KEYRING(CDRING) RINGDATA(CERTAUTH,ROOT2) USAGE(CERTAUTH)
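
The condition IBM describes can be reproduced off-host to see why a root sent by the server does not help when it is missing from the local trust store. This is an added example, not part of the original article or of any vendor tooling. It assumes the openssl command-line tool on a workstation, uses constructed certificates, and lets a PEM file stand in for the keyring; all function and certificate names are hypothetical.

```sh
#!/bin/sh
# Constructed demo: chain root -> int -> leaf, plus an unrelated root "other".
# A PEM file (ring.pem) stands in for the keyring. All names are made up.

# new_csr NAME: key pair and certificate request for "CN=Constructed NAME"
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=Constructed $1" 2>/dev/null
}

# build_chain DIR: create the certificates and the chain the server sends
build_chain() (
  cd "$1" || exit 1
  echo 'basicConstraints=critical,CA:TRUE' > ca.ext
  for n in root int leaf other; do new_csr "$n" || exit 1; done
  for n in root other; do   # self-signed roots
    openssl x509 -req -in "$n.csr" -signkey "$n.key" -extfile ca.ext \
      -days 2 -out "$n.pem" 2>/dev/null || exit 1
  done
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 2 -out int.pem 2>/dev/null || exit 1
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 2 -out leaf.pem 2>/dev/null || exit 1
  cat int.pem root.pem > sent.pem   # sent along with the server's own cert
)

# ring_accepts DIR CERT...: exit 0 only if a trust store holding just CERT...
# authenticates leaf.pem; certificates the peer sends are never trusted as such
ring_accepts() (
  cd "$1" || exit 2
  shift
  cat "$@" > ring.pem
  openssl verify -CAfile ring.pem -untrusted sent.pem leaf.pem
)

demo() {
  dir=$(mktemp -d) || return 1
  build_chain "$dir" || return 1
  echo "Keyring without the root:"
  ring_accepts "$dir" other.pem 2>&1 || echo "  -> handshake would be rejected"
  echo "Keyring with the root:"
  ring_accepts "$dir" other.pem root.pem
  rm -rf "$dir"
}
demo
```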