SSL initialization messages

This topic lists the error messages that can result from SSL initialization problems and provides solutions to help you troubleshoot them.


The following messages display as a result of initialization problems:

  • SSL0100E: GSK could not initialize, <errorCode>

    • Reason: Initialization failed when the SSL library returned an unknown error.

    • Solution: None. Report this problem to Service.

  • SSL0101E: GSK could not initialize, Neither the password nor the stash file name was specified. Could not open key file.

    • Reason: The stash file for the key database could not be found or is corrupted.

    • Solution: Use IKEYMAN to open the key database file and recreate the password stash file.

  • SSL0102E: GSK could not initialize, Could not open key file.

    • Reason: The server could not open the key database file.

    • Solution: Check that the Keyfile directive is correct and that the file permissions allow the Web server user ID to access the file.

  • SSL0103E: Internal error - GSK could not initialize, Unable to generate a temporary key pair.

    • Reason: GSK could not initialize; Unable to generate a temporary key pair.

    • Solution: Report this problem to Service.

  • SSL0104E: GSK could not initialize, Invalid password for key file.

    • Reason: The password retrieved from the stash file could not open the key database file.

    • Solution: Use IKEYMAN to open the key database file and recreate the password stash file. This problem could also result from a corrupted key database file. Creating a new key database file may resolve the problem.

  • SSL0105E: GSK could not initialize, Invalid label.

    • Reason: Specified key label is not present in key file.

    • Solution: Check that the SSLServerCert directive is correct, if coded, and that the label is valid for one of the keys in the key database.

  • SSL0106E: Initialization error, Internal error - Bad handle

    • Reason: An internal error has occurred.

    • Solution: Report this problem to Service.

  • SSL0107E: Initialization error, The GSK library unloaded.

    • Reason: A call to the GSKit function failed because the dynamic link library unloaded (Windows only).

    • Solution: Shut down the server and restart.

  • SSL0108E: Initialization error, GSK internal error.

    • Reason: The communication between client and the server failed due to an error in the GSKit library.

    • Solution: Retry connection from the client. If the error continues, report the problem to Service.

  • SSL0109E: GSK could not initialize, Internal memory allocation failure.

    • Reason: The server could not allocate memory needed to complete the operation.

    • Solution: Take action to free up some additional memory. Try reducing the number of threads or processes running, or increasing virtual memory.

  • SSL0110E: Initialization error, GSK handle is in an invalid state for operation.

    • Reason: The SSL state for the connection is invalid.

    • Solution: Retry connection from the client. If the error continues, report the problem to Service.

  • SSL0111E: Initialization error, Key file label not found.

    • Reason: Certificate or key label specified was not valid.

    • Solution: Verify that the certificate name specified with the SSLServerCert directive is correct or, if no SSLServerCert directive was coded, that a default certificate exists in the key database.

  • SSL0112E: Initialization error, Certificate is not available.

    • Reason: The client did not send a certificate.

    • Solution: Set Client Authentication to optional if a client certificate is not required. Contact the client to determine why it is not sending an acceptable certificate.

  • SSL0113E: Initialization error, Certificate validation error.

    • Reason: The received certificate failed one of the validation checks.

    • Solution: Use another certificate. Contact Service to determine why the certificate failed validation.

  • SSL0114E: Initialization error, Error processing cryptography.

    • Reason: A cryptography error occurred.

    • Solution: None. If the problem continues, report it to Service.

  • SSL0115E: Initialization error, Error validating ASN fields in certificate.

    • Reason: The server was not able to validate one of the ASN fields in the certificate.

    • Solution: Try another certificate.

  • SSL0116E: Initialization error, Error connecting to LDAP server.

    • Reason: The Web server failed to connect to the CRL LDAP server.

    • Solution: Verify that the values entered for the SSLCRLHostname and SSLCRLPort directives are correct. If access to the CRL LDAP server requires authentication, verify that the SSLCRLUserID directive is coded and that the password was added to the stash file pointed to by the SSLStashfile directive.

  • SSL0117E: Initialization error, Internal unknown error. Report problem to service.

    • Reason: An internal unknown error occurred during initialization.

    • Solution: Report problem to service.

  • SSL0118E: Initialization error, Open failed due to cipher error.

    • Reason: Open failed due to cipher error.

    • Solution: Report problem to service.

  • SSL0119E: Initialization error, I/O error reading keyfile.

    • Reason: I/O error trying to read SSL keyfile.

    • Solution: Check the file permissions for keyfile.

  • SSL0120E: Initialization error, Keyfile has and invalid internal format. Recreate keyfile.

    • Reason: Initialization error, the keyfile has an invalid internal format. Recreate the keyfile.

    • Solution: Verify the keyfile is not corrupted.

  • SSL0121E: Initialization error, Keyfile has two entries with the same key. Use Ikeyman to remove the duplicate key.

    • Reason: The keyfile has two entries with the same key. Use Ikeyman to remove the duplicate key.

    • Solution: Use Ikeyman to remove the duplicate key.

  • SSL0122E: Initialization error, Keyfile has two entries with the same label. Use Ikeyman to remove the duplicate label.

    • Reason: The keyfile has two entries with the same label. Use Ikeyman to remove the duplicate label.

    • Solution: Use Ikeyman to remove the duplicate label.

  • SSL0123E: Initialization error, The keyfile password is used as an integrity check. Either the keyfile has become corrupted or the password is incorrect.

    • Reason: The keyfile password is used as an integrity check. Either the keyfile has become corrupted or the password is incorrect.

    • Solution: Use Ikeyman to verify that the keyfile is valid, check permissions on the stash file, and verify passwords.

  • SSL0124E: SSL Handshake Failed, Either the default key in the keyfile has an expired certificate or the keyfile password expired. Use iKeyman to renew or remove certificates that are expired or to set a new keyfile password.

    • Reason: Either the default key in the keyfile has an expired certificate or the keyfile password expired.

    • Solution: Use iKeyman to renew or remove certificates that are expired or to set a new keyfile password.

  • SSL0125E: Initialization error, There was an error loading one of the GSK dynamic link libraries. Be sure GSK is installed correctly.

    • Reason: There was an error loading one of the GSK dynamic link libraries. Be sure GSK is installed correctly.

    • Solution: Verify that GSK is installed and is at the appropriate level for the release of IBM HTTP Server.

  • SSL0126E: Handshake Failed, Either the certificate has expired or the system clock is incorrect.

    • Reason: Either the certificate expired or the system clock is incorrect.

    • Solution: Use the key management utility (iKeyman) to recreate or renew your server certificate or change the system date to a valid date.

  • SSL0127E: Initialization error, No ciphers specified.

    • Reason: Initialization error, no ciphers specified.

    • Solution: Report problem to service.

  • SSL0128E: Initialization error, Either the certificate expired or the system clock is incorrect.

    • Reason: Initialization error, no certificate.

    • Solution: Report problem to service.

  • SSL0129E: Initialization error, The received certificate was formatted incorrectly.

    • Reason: The received certificate is formatted incorrectly.

    • Solution: Use Ikeyman to validate certificates used for connection.

  • SSL0130E: Initialization error, Unsupported certificate type.

    • Reason: Unsupported certificate type.

    • Solution: Check certificates that are used for this connection in Ikeyman.

  • SSL0131I: Initialization error, I/O error during handshake.

    • Reason: I/O error during handshake.

    • Solution: Check network connectivity.

  • SSL0132E: Initialization error, Invalid key length for export.

    • Reason: Invalid key length for export.

    • Solution: Report problem to service.

  • SSL0133W: Initialization error, An incorrectly formatted SSL message was received.

    • Reason: An incorrectly formatted SSL message was received.

    • Solution: Check client settings.

  • SSL0134W: Initialization error, Could not verify MAC.

    • Reason: Could not verify MAC.

    • Solution: Report problem to service.

  • SSL0135W: Initialization error, Unsupported SSL protocol or unsupported certificate type.

    • Reason: Unsupported SSL protocol or unsupported certificate type.

    • Solution: Check server ciphers and certificate settings.

  • SSL0136W: Initialization error, Invalid certificate signature.

    • Reason: Invalid certificate signature.

    • Solution: Check certificate in Ikeyman.

  • SSL0137W: Initialization error, Invalid certificate sent by partner.

    • Reason: Invalid certificate sent by partner.

    • Solution: If this occurs during an SSL Proxy connection, the remote SSL server sent a bad certificate to IBM HTTP Server. Check the certificate and certificate authority chain at the other end of the SSL connection.

  • SSL0138W: Initialization error, Invalid peer.

    • Reason: Invalid peer.

    • Solution: Report problem to service.

  • SSL0139W: Initialization error, Permission denied.

    • Reason: Permission denied.

    • Solution: Report problem to service.

    • Reason: If a System Authorization Facility (SAF) SSL keyring is in use, the current user ID is not authorized to read the keyring.

    • Solution: See the information about access to SAF keyrings in Perform required z/OS system configurations.

  • SSL0140W: Initialization error, The self-signed certificate is not valid.

    • Reason: The self-signed certificate is not valid.

    • Solution: Check the certificate in Ikeyman.

  • SSL0141E: Initialization error, Internal error - read failed.

    • Reason: Internal error - read failed.

    • Solution: Report to service.

  • SSL0142E: Initialization error, Internal error - write failed.

    • Reason: Internal error - write failed.

    • Solution: Report to service.

  • SSL0143I: Initialization error, Socket has been closed.

    • Reason: Socket has been closed unexpectedly.

    • Solution: Check the client and network. Report problem to service.

  • SSL0144E: Initialization error, Invalid SSLV2 Cipher Spec.

    • Reason: Invalid SSLV2 cipher spec.

    • Solution: Check the SSLCipherSpec directive.

  • SSL0145E: Initialization error, Invalid SSLV3 Cipher Spec.

    • Reason: Invalid SSLV3 Cipher Spec.

    • Solution: Check the SSLCipherSpec directive.

  • SSL0146E: Initialization error, Invalid security type.

    • Reason: Invalid security type.

    • Solution: Report to service.

  • SSL0147E: Initialization error, Invalid security type combination.

    • Reason: Invalid security type combination.

    • Solution: Report to service.

  • SSL0148E: Initialization error, Internal error - SSL Handle creation failure.

    • Reason: Internal error - SSL handle creation failure.

    • Solution: Report to service.

  • SSL0149E: Initialization error, Internal error - GSK initialization has failed.

    • Reason: Internal error - GSK initialization has failed.

    • Solution: Report to service.

  • SSL0150E: Initialization error, LDAP server not available.

    • Reason: LDAP server not available.

    • Solution: Check CRL directives.

  • SSL0151E: Initialization error, The specified key did not contain a private key.

    • Reason: The specified key did not contain a private key.

    • Solution: Check the certificate in use in Ikeyman.

  • SSL0152E: Initialization error, A failed attempt was made to load the specified PKCS#11 shared library.

    • Reason: A failed attempt was made to load the specified PKCS#11 shared library.

    • Solution: Check SSLPKCSDriver directive and file system.

  • SSL0153E: Initialization error, The PKCS#11 driver failed to find the token specified by the caller.

    • Reason: The PKCS#11 driver failed to find the token specified by the caller.

  • SSL0154E: Initialization error, A PKCS#11 token is not present for the slot.

    • Reason: A PKCS#11 token is not present for the slot.

    • Solution: Verify PKCS#11 directives.

  • SSL0155E: Initialization error, The password/pin to access the PKCS#11 token is invalid.

    • Reason: The password or pin to access the PKCS#11 token is invalid.

  • SSL0156E: Initialization error, The SSL header received was not a properly SSLV2 formatted header.

    • Reason: The SSL header received was not a properly formatted SSLV2 header.

  • SSL0157E: Initialization error, The function call, %s, has an invalid ID.

    • Reason: The function call, %s, has an invalid ID.

    • Solution: Report problem to service.

  • SSL0158E: Initialization error, Internal error - The attribute has a negative length: %s.

    • Reason: Internal error - The attribute has a negative length.

    • Solution: Report problem to service.

  • SSL0159E: Initialization error, The enumeration value is invalid for the specified enumeration type: %s.

    • Reason: The enumeration value is invalid for the specified enumeration type: %s.

    • Solution: Report problem to service.

  • SSL0160E: Initialization error, The SID cache is invalid: %s.

    • Reason: The SID cache is invalid.

    • Solution: Report problem to service.

  • SSL0161E: Initialization error, The attribute has an invalid numeric value: %s.

    • Reason: The attribute has an invalid numeric value: %s.

    • Solution: Check SSL directives.

  • SSL0162W: Setting the LD_LIBRARY_PATH or LIBPATH for GSK failed.

    • Reason: Could not update the environment for GSK libraries.

    • Solution: Report problem to service.

  • SSL0163W: Setting the LIBPATH for GSK failed, could not append /usr/opt/ibm/gskkm/lib.

    • Reason: Could not append to LD_LIBRARY_PATH or LIBPATH for GSK.

    • Solution: Report problem to service.

  • SSL0164W: Error accessing Registry, RegOpenKeyEx/RegQueryValueEx returned [%d].

    • Reason: Error accessing registry.

    • Solution: Check the GSK installation and the Windows registry.

  • SSL0165W: Storage allocation failed.

    • Reason: Storage allocation failed.

    • Solution: Check memory usage, report problem to service.

  • SSL0166E: Failure attempting to load GSK library.

    • Reason: Failure while attempting to load GSK library.

    • Solution: Check the GSK installation.

  • SSL0167E: GSK function address undefined.

    • Reason: GSK function address is undefined.

    • Solution: Check the GSK installation and level.

  • SSL0168E: SSL initialization for server: %s, port: %u failed due to a configuration error.

    • Reason: Initialization for server: %s, port: %u failed due to a configuration error.

    • Solution: Check the SSL configuration.

  • SSL0169E: Keyfile does not exist: %s.

    • Reason: Keyfile does not exist.

    • Solution: Check to ensure the path that is provided to the KeyFile directive exists, and is readable by the user that IBM HTTP Server is running as.

  • SSL0170E: GSK could not initialize, no keyfile specified.

    • Reason: Keyfile is not specified.

    • Solution: Specify Keyfile directive.

  • SSL0171E: CRL cannot be specified as an option for the SSLClientAuth directive on HPUX because the IBM HTTP Server does not support CRL on HPUX.

    • Reason: CRL cannot be specified as an option for the SSLClientAuth directive on HPUX because IBM HTTP Server does not support CRL on HPUX.

    • Solution: Remove CRL directives.

  • SSL0172E: If CRL is turned on, you must specify an LDAP hostname for the SSLCRLHostname directive.

  • SSL0173E: Failure obtaining supported cipher specs from the GSK library.

    • Reason: Failure obtaining supported cipher specs from the GSK library.

    • Solution: Check the GSK installation, report problem to service.

  • SSL0174I: No CRL password found in the stash file: %s.

    • Reason: No CRL password is found in the stash file: %s.

    • Solution: Check the stash file permissions, regenerate stash file.

  • SSL0174I: No CRYPTO password found in the stash file: %s.

    • Reason: No CRYPTO password is found in the stash file: %s.

    • Solution: Check stash file permissions, regenerate stash file.

  • SSL0175E: fopen failed for stash file: %s.

    • Reason: fopen failed for stash file.

    • Solution: Check stash file permissions, regenerate stash file.

  • SSL0176E: fread failed for the stash file: %s.

    • Reason: fread failed for the stash file.

    • Solution: Make sure the stash file is readable by the user that IBM HTTP Server is running as.

  • SSL0179E: Unknown return code from stash_recover(), %d.

    • Reason: Unknown return code from stash_recover(), %d.

    • Solution: Check the stash file.

  • SSL0181E: Unable to fork for startup of session ID cache.

    • Reason: Unable to fork for startup of session ID cache.

    • Solution: Check the location of sidd daemon, file permissions.

  • SSL0182E: Error creating file mapped memory for SSL passwords.

    • Reason: Error creating file mapped memory for SSL passwords.

    • Solution: Report problem to service.

  • SSL0183E: Exceeded map memory limits.

    • Reason: Exceeded map memory limits.

    • Solution: Report problem to service.

  • SSL0184E: Could not find a password for the resource: %s.

    • Reason: Could not find a password for the resource: %s.

    • Solution: Report problem to service, disable password prompting.

  • SSL0185E: ssl_getpwd() failed, unable to obtain memory.

    • Reason: ssl_getpwd() failed, unable to obtain memory.

    • Solution: Report problem to service, disable password prompting.

  • SSL0186E: Linked list mismatch.

    • Reason: Linked list mismatch.

    • Solution: Report problem to service, disable password prompting.

  • SSL0186E: ssl_getpwd() failed, password exceeded maximum size of 4095.

    • Reason: ssl_getpwd() failed, password exceeded the maximum size of 4095.

    • Solution: The password must be smaller than 4K.

  • SSL0187E: It is invalid to enable password prompting for the SSLServerCert directive without specifying a Crypto Card Token.

    • Reason: It is invalid to enable password prompting for the SSLServerCert directive without specifying a crypto card token.

    • Solution: Specify a crypto card token or disable password prompting for the SSLServerCert directive.

  • SSL0188E: SSL initialization for server: %s, port: %u failed. SSL timeouts cannot be set in a virtualhost when the SSLCacheDisable directive has not been specified globally.

    • Reason: When the SSL session cache is being used, only the global timeout settings apply because they are managed by the external session cache daemon. See information about the SSLCacheDisable and SSLCacheEnable directives in the information center topic entitled SSL directives.

    • Solution: If separate SSL timeouts are required, disable use of the session ID cache (SSLCacheDisable), otherwise make sure the SSLV3Timeout and SSLV2Timeout directives are only set in the global scope.

  • SSL0189C: The minimum z/OS level is V1.10 with PTF UA51978.

    • Reason: The z/OS release is too old for the current IBM HTTP Server release.

    • Solution: Use z/OS V1.10 or later with PTF UA51978.

  • SSL0191E: Certificate label '%s' in key store %s will expire in %d days.

    • Reason: The specified certificate will expire in the specified number of days.

    • Solution: Renew the certificate before it expires.

  • SSL0192E: Certificate label '%s' in key store %s is expired.

    • Reason: The specified certificate has expired.

    • Solution: Renew the certificate or remove it from your key store if no longer needed.

    • Note: This message identifier is shared with unrelated message SSL0192W.

  • SSL0192W: IBM HTTP Server is configured to permit client renegotiation which is vulnerable to man-in-the-middle attacks <servername:port>

    • Reason: IBM HTTP Server is configured to allow client handshake renegotiation using the SSLInsecureRenegotiation directive. This configuration is vulnerable to man-in-the-middle attacks. Use this configuration only if it is necessary for your client and be aware of the risk. For more information about the exposure, refer to the public documentation about CVE-2009-3555.

    • Solution: Remove the SSLInsecureRenegotiation directive or set the directive to OFF to avoid the vulnerability. If proprietary clients require SSL renegotiation to function, update these clients to establish new connections.

    • Note: This message identifier is shared with unrelated message SSL0192E.

  • SSL0193W: Error setting GSK_NO_RENEGOTIATION to <GSK_TRUE | GSK_FALSE> <errorcode>

    • Reason: An error occurred when the server attempted to disable client renegotiation. This setting is the default value. However, this value is also set if you specify the SSLInsecureRenegotiation directive with an OFF value.

    • Solution: Report this problem to IBM Support.

  • SSL0194C: Cannot enable secure renegotiation with the current level of z/OS

    • Reason: The z/OS System SSL level is too old and does not support TLS secure renegotiation.

    • Solution: Upgrade z/OS to a contemporary maintenance level.

  • SSL0195W: Error setting Suite B processing mode

    • Reason: Error configuring the underlying cryptographic library for NIST "Suite B" mode.

    • Solution: Disable Suite B by removing SSLSuiteBMode from the configuration or report to service.

  • SSL0196W: Error setting GSK_FALLBACK_SCSV

    • Reason: The server could not enable the RFC 7507 support in the underlying security library.

    • Solution: Verify that the bundled GSKit library has not been back-leveled.

  • SSL0196I: Security library does not support GSK_SESSION_RESET_CALLBACK, rejecting insecure SSL client renegotiation by monitoring SIDs

    • Reason: When the server attempted to disable client renegotiation, it was determined that the security library on this system does not support GSK_SESSION_RESET_CALLBACK. It will be configured to reject insecure SSL client renegotiation using an alternate mechanism of monitoring SIDs.

    • Solution: This informational message does not indicate a failure, but it reports a configuration condition. An action is not necessary. You can upgrade to a newer z/OS security library that includes support for GSK_SESSION_RESET_CALLBACK or for disabling SSL client renegotiation.

  • SSL0197I: Configured security library to reject insecure SSL client renegotiation.

    • Reason: The security library has been successfully configured to reject client renegotiation.

    • Solution: This informational message does not indicate a failure, but it reports a particular configuration setting. An action is not necessary.

  • SSL0198I: System is running without a security library capable of directly rejecting insecure SSL client renegotiation. Aborting HTTPS requests that span SSL sessions

    • Reason: While the server attempted to disable client renegotiation, it was determined that the security library on this system does not support directly rejecting SSL client renegotiation. It will be configured to use an alternate callback mechanism.

    • Solution: This informational message does not indicate a failure, but it reports a configuration condition. An action is not necessary. For z/OS systems, upgrade to a newer security library that includes support for GSK_SESSION_RESET_CALLBACK or for disabling SSL client renegotiation. For distributed systems, upgrade to GSKit Version 7.0.4.27 or later.
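
Several of the conditions above (SSL0170E, SSL0172E, SSL0188E, SSL0192W) can be caught by reading the configuration before the server is started. The following pre-flight check is an added example, not IBM code: it treats virtual hosts as inheriting global directives (an assumption), uses SSLEnable, a mod_ibm_ssl directive not named in this topic, to decide where SSL is active, and runs on a constructed sample configuration.

```python
import re

# Added example, not IBM code. Scope handling is simplified: only
# <VirtualHost> sections are tracked, and a virtual host is assumed to
# inherit directives set in the global scope.
SAMPLE = """\
# constructed sample configuration (placeholder path)
KeyFile /path/to/key.kdb
<VirtualHost *:443>
  SSLEnable
  SSLV3Timeout 120
  SSLClientAuth required crl
  SSLInsecureRenegotiation on
</VirtualHost>
<VirtualHost *:8443>
  SSLEnable
  SSLInsecureRenegotiation off
</VirtualHost>
"""

def parse(conf_text):
    """Yield (line_no, scope, directive, args); scope is None when global."""
    scope = None
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<\s*VirtualHost\s+([^>]*)>", line, re.I)
        if opened:
            scope = opened.group(1).strip()
        elif re.match(r"<\s*/\s*VirtualHost\s*>", line, re.I):
            scope = None
        elif not line.startswith("<"):  # other containers are skipped
            name, *args = line.split()
            # Directive names are case-insensitive; args are only compared
            # against keywords, so lowercasing them is safe here.
            yield no, scope, name.lower(), [a.lower() for a in args]

def lint(conf_text):
    """Return (message_id, line_no, detail) for conditions the list describes."""
    rows = list(parse(conf_text))
    global_names = {name for _, scope, name, _ in rows if scope is None}
    findings = []
    for no, scope, name, args in rows:
        # Directives visible from this line: global ones plus its own scope.
        visible = global_names | {n for _, s, n, _ in rows if s == scope}
        where = scope or "global scope"
        if name == "sslinsecurerenegotiation" and args[:1] == ["on"]:
            findings.append(("SSL0192W", no,
                             f"client renegotiation permitted in {where}"))
        elif (name in ("sslv2timeout", "sslv3timeout") and scope
              and "sslcachedisable" not in global_names):
            findings.append(("SSL0188E", no,
                             f"{name} set in {where} without global SSLCacheDisable"))
        elif (name == "sslclientauth" and "crl" in args
              and "sslcrlhostname" not in visible):
            findings.append(("SSL0172E", no,
                             f"CRL enabled in {where} without SSLCRLHostname"))
        elif name == "sslenable" and "keyfile" not in visible:
            findings.append(("SSL0170E", no,
                             f"SSL enabled in {where} with no KeyFile"))
    return findings

if __name__ == "__main__":
    for message_id, line_no, detail in lint(SAMPLE):
        print(f"{message_id} line {line_no}: {detail}")
```

The check reads directives only. It does not open the key database or stash file, so conditions such as SSL0102E or SSL0175E still need the file permission checks described above.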

