XCOMM0780E Txpi 320 IRRSDL00 No matching certificate label found for KEYRING=<XCOMRING> CERTLABEL=<XCOMXXXXX>

Document ID : KB000004054
Last Modified Date : 14/02/2018
Issue:

We get this message whenever we initiate an encrypted file transfer using CA XCOM with RACF security.

Txpi 308: TxpiInitSSL Failed msg = <error:00000000:lib(0):func(0):reason(0)> value = 4294967295 TxpiInitClientSSL: client_ctx failed

We also receive this message:

XCOMM0780E Txpi 320 IRRSDL00 No matching certificate label found for KEYRING=<XCOMRING> CERTLABEL=<XCOMXXXXX>

Environment:
IBM RACF
Cause:

CA XCOM requires that the certificate have a private key. Without a private key, XCOM discards certificates and generates the XCOMM0780E error. However, you cannot add a private key when using RACF if the certificate is in PEM format.

Resolution:

RACF does support private keys for PKCS12 format. The resolution is to convert the certificates to PKCS12 format.

Converting PEM certificates to PKCS12 Format

PEM certificates can be converted to PKCS12 using the OpenSSL utility, available through the OpenSSL project at www.openssl.org. Note that the utility is also distributed with XCOM. For XCOM for z/OS, it is in the openssl directory, which is part of the tar file that included the sample configssl.cnf file.
With CA XCOM for Windows, UNIX and Linux, it is included with the XCOM executables.

The syntax of the openssl command for the conversion is:

openssl pkcs12 -export -in cert.pem -inkey key.pem -out cred.p12

where cert.pem is the certificate, key.pem is the private key and cred.p12 is the output file. Note that if the private key is encrypted, you will be prompted for the pass phrase. You will also be prompted for an export password, which you will then need to pass to RACF when you import the cred.p12 file.
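
The conversion above wrapped in two checks, as an added example (not part of the original document or of the XCOM distribution): it refuses a key that does not belong to the certificate and confirms that the output file really contains a private key, which is the condition XCOM needs. The function names, the file names and the P12_PASS environment variable holding the export password are assumptions.

```shell
#!/bin/sh
# Added example. Function names, file names and P12_PASS are assumptions,
# not XCOM or RACF settings. P12_PASS must be exported before calling.

# Print the public key (PEM) of a certificate / of a private key.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
key_pubkey()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Return 0 if the PKCS12 file holds a private key, 1 if it holds none.
p12_has_key() {
    # -nocerts emits only keys; -passout keeps the emitted key encrypted.
    openssl pkcs12 -in "$1" -nocerts -passin env:P12_PASS \
        -passout env:P12_PASS 2>/dev/null | grep -q 'PRIVATE KEY'
}

# pem_to_p12 CERT KEY OUT
# Refuses a mismatched pair, runs the export, then verifies the result.
pem_to_p12() {
    cert=$1; key=$2; out=$3
    if [ -z "$P12_PASS" ]; then
        echo "set and export P12_PASS (the export password)" >&2
        return 1
    fi
    cpub=$(cert_pubkey "$cert")
    kpub=$(key_pubkey "$key")
    if [ -z "$cpub" ] || [ "$cpub" != "$kpub" ]; then
        echo "private key does not match certificate" >&2
        return 1
    fi
    openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" \
        -passout env:P12_PASS || return 1
    chmod 600 "$out"          # the file carries the private key
    p12_has_key "$out"
}

# Constructed sample input: a throwaway self-signed certificate and key
# written to directory $1 as cert.pem and key.pem.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-sample" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}
```

If key.pem is encrypted, openssl still prompts for its pass phrase, as described above.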