We are applying Keyring to CA-LDAP server and this is the error in the log. STC fails with RC=256

Document ID : KB000006890
Last Modified Date : 14/02/2018
Show Technical Document Details
Issue:

We are implementing SSL security to the CA LDAP server.  We added a keyring in CA ACF2

KEYRING / LDAP.RING LAST CHANGED BY SECADM ON mm/dd/yy-hh:mm 
DEFAULT(ACF2LDAP.CERT) RINGNAME(LDAPRING) 

In the LDAP parameters, we added the ringname

TLSKeyringName STCLDAP/LDAPRING    <=== STCLDAP is the started task name of the server

When we start the STC, it fails with RC=256.  We see this error in the STDERR.

TLS: could not initialize environment handle. 
TLS: Error detected while opening the certificate database 
main: TLS init def ctx failed: -1 

The OMVS SECTRACE shows:

N 4000000 YYYY 17158 10:04:07.48 S0100008 00000094 CAS2206I Function=DataGetFirst ,Userid=STCLDAP 
N 4000000 YYYY 17158 10:04:07.48 S0100008 00000094 CAS2206I Ring Name=LDAPRING 
N 4000000 YYYY 17158 10:04:07.49 S0100008 00000094 CAS2205I REQUEST=R_datalib ,EXIT=POST,RC=8/8:84 

N 4000000 YYYY 17158 10:04:07.49 S0100008 00000094 CAS2205I REQUEST=R_datalib ,EXIT=PRE ,RC=N/A  

 

Environment:
CA ACF2CA LDAPz/OS
Cause:

The normal convention used in naming the KEYRING record is the owner is specified.  The owner would be the logonid used

KEYRING / STCLDAP.RING LAST CHANGED BY SECADM ON mm/dd/yy-hh:mm 
DEFAULT(ACF2LDAP.CERT) RINGNAME(LDAPRING) 

But in this case, the name chosen was LDAP.RING, not STCLDAP.RING

KEYRING / LDAP.RING LAST CHANGED BY SECADM ON mm/dd/yy-hh:mm 
DEFAULT(ACF2LDAP.CERT) RINGNAME(LDAPRING)

Resolution:

There are two choices.  One is to have a keyring record with the real owner:

KEYRING / STCLDAP.RING LAST CHANGED BY SECADM ON mm/dd/yy-hh:mm 

DEFAULT(ACF2LDAP.CERT) RINGNAME(LDAPRING) 

 

The other choice is to correct the LDAP parameters and have the owner of the keyring;

TLSKeyringName LDAP/LDAPRING

 

Additional Information:

The same problem would have occurred if only the ringname was specified in the LDAP parms, which is valid to do.

TLSKeyringName  LDAPRING