Transport Layer Security (TLS) return codes

Transport Layer Security (TLS) return codes

IBM MQ can use TLS with the various communication protocols. Use this topic to identify the error codes that can be returned by TLS.

The table in this appendix documents the return codes, in decimal form, from the TLS that can be returned in messages from the distributed queuing component.

If the return code is not listed, or if we want more information, see the IBM Global Security Kit return codes here: ../../SSPREK_6.1.0/com.ibm.itame.doc_6.1/am61_messages25.htm.

Return code (decimal) Explanation

1 Handle is not valid.

3 An internal error has occurred.

4 Insufficient storage is available

5 Handle is in the incorrect state.

6 Key label is not found.

7 No certificates available.

8 Certificate validation error.

9 Cryptographic processing error.

10 ASN processing error.

11 LDAP processing error.

12 An unexpected error has occurred.

102 Error detected while reading key database or SAF key ring.

103 Incorrect key database record format.

106 Incorrect key database password.

109 No certificate authority certificates.

201 No key database password supplied.

202 Error detected while opening the key database.

203 Unable to generate temporary key pair

204 Key database password is expired.

302 Connection is active.

401 Certificate is expired or is not valid yet.

402 No TLS cipher specifications.

403 No certificate received from partner.

405 Certificate format is not supported.

406 Error while reading or writing data.

407 Key label does not exist.

408 Key database password is not correct.

410 TLS message format is incorrect.

411 Message authentication code is incorrect.

412 TLS protocol or certificate type is not supported.

413 Certificate signature is incorrect.

414 Certificate is not valid.

415 TLS protocol violation.

416 Permission denied.

417 Self-signed certificate cannot be validated.

420 Socket closed by remote partner.

421 SSL 2.0 cipher is not valid.

422 SSL 3.0 cipher is not valid.

427 LDAP is not available.

428 Key entry does not contain a private key.

429 SSL 2.0 header is not valid.

431 Certificate is revoked.

432 Session renegotiation is not allowed.

433 Key exceeds allowable export size.

434 Certificate key is not compatible with cipher suite.

435 Certificate authority is unknown.

436 Certificate revocation list cannot be processed.

437 Connection closed.

438 Internal error reported by remote partner.

439 Unknown alert received from remote partner.

501 Buffer size is not valid.

502 Socket request would block.

503 Socket read request would block.

504 Socket write request would block.

505 Record overflow.

601 Protocol is not TLS 1.

602 Function identifier is not valid.

701 Attribute identifier is not valid.

702 The attribute has a negative length, which is invalid.

703 The enumeration value is invalid for the specified enumeration type.

704 Invalid parameter list for replacing the SID cache routines.

705 The value is not a valid number.

706 Conflicting parameters were set for additional certificate validation

707 The AES cryptographic algorithm is not supported.

708 The PEERID does not have the correct length.

1501 GSK_SC_OK

1502 GSK_SC_CANCEL

1601 The trace started successfully.

1602 The trace stopped successfully.

1603 No trace file was previously started so it cannot be stopped.

1604 Trace file already started so it cannot be started again.

1605 Trace file cannot be opened. The first parameter of gsk_start_trace() must be a valid full path filename.

In some cases, the secure sockets library reports a certificate validation error in an AMQ9633 error message. Table 2 lists the certificate validation errors that can be returned in messages from the distributed queuing component.

Return code (decimal) Explanation

575001 Internal error

575002 ASN error due to a malformed certificate

575003 Cryptographic error

575004 Key database error

575005 Directory error

575006 Invalid implementation library

575008 No appropriate validator

575009 The root CA is not trusted

575010 No certificate chain was built

575011 Digital signature algorithm mismatch

575012 Digital signature mismatch

575013 X.509 version does not allow Key IDs

575014 X.509 version does not allow extensions

575015 Unknown X.509 certificate version

575016 The certificate validity range is invalid

575017 The certificate is not yet valid

575018 The certificate has expired

575019 The certificate contains unknown critical extensions

575020 The certificate contains duplicate extensions

575021 The issuers directory name does not match the issuer's issuer

575022 The Authority Key ID serial number value does not match the serial number of the issuer

575023 The Authority Key ID and Subject Key ID do not match

575024 Unrecognized issuer alternative name

575025 The certificate Basic Constraints forbid use as a CA

575026 The certificate has a non-zero Basic Constraints path length but is not a CA

575027 The certificate Basic Constraints maximum path length was exceeded

575028 The certificate is not permitted to sign other certificates

575029 The certificate is not signed by a CA

575030 Unrecognized Subject Alternative Name

575031 The certificate chain is invalid

575032 The certificate is revoked

575033 Unrecognized CRL distribution point

575034 Name chaining failed

575035 Certificate is not in a chain

575036 The CRL is not yet valid

575037 The CRL has expired

575038 The certificate version does not allow critical extensions

575039 Unknown CRL distribution points

575040 No CRLs for CRL distribution points

575041 Indirect CRLs are not supported

575042 Missing issuing CRL distribution point name

575043 Distribution points do not match

575044 No available CRL data source

575045 CA Subject name is null

575046 Distinguished names do not chain

575047 Missing Subject Alternative Name

575048 Unique ID mismatch

575049 Name not permitted

575050 Name excluded

575051 CA certificate is missing Critical Basic Constraints

575052 Name constraints are not critical

575053 Name constraints minimum subtree value if set is not zero

575054 Name constraints maximum subtree value if set is not allowed

575055 Unsupported name constraint

575056 Empty policy constraints

575057 Bad certificate policies

575058 Certificate policies not acceptable

575059 Bad acceptable certificate policies

575060 Certificate policy mappings are critical

575061 Revocation status could not be determined

575062 Extended key usage error

575063 Unknown OCSP version

575064 Unknown OCSP response

575065 Bad OCSP key usage extension

575066 Bad OCSP nonce

575067 Missing OCSP nonce

575068 No OCSP client available

Parent topic: Reason codes and exceptions

Related reference

API completion and reason codes
PCF reason codes
WCF custom channel exceptions

Related information

Diagnostic messages: AMQ4000-9999
IBM MQ for z/OS messages, completion, and reason codes

Last updated: 2020-10-04

Return code (decimal)	Explanation
1	Handle is not valid.
3	An internal error has occurred.
4	Insufficient storage is available
5	Handle is in the incorrect state.
6	Key label is not found.
7	No certificates available.
8	Certificate validation error.
9	Cryptographic processing error.
10	ASN processing error.
11	LDAP processing error.
12	An unexpected error has occurred.
102	Error detected while reading key database or SAF key ring.
103	Incorrect key database record format.
106	Incorrect key database password.
109	No certificate authority certificates.
201	No key database password supplied.
202	Error detected while opening the key database.
203	Unable to generate temporary key pair
204	Key database password is expired.
302	Connection is active.
401	Certificate is expired or is not valid yet.
402	No TLS cipher specifications.
403	No certificate received from partner.
405	Certificate format is not supported.
406	Error while reading or writing data.
407	Key label does not exist.
408	Key database password is not correct.
410	TLS message format is incorrect.
411	Message authentication code is incorrect.
412	TLS protocol or certificate type is not supported.
413	Certificate signature is incorrect.
414	Certificate is not valid.
415	TLS protocol violation.
416	Permission denied.
417	Self-signed certificate cannot be validated.
420	Socket closed by remote partner.
421	SSL 2.0 cipher is not valid.
422	SSL 3.0 cipher is not valid.
427	LDAP is not available.
428	Key entry does not contain a private key.
429	SSL 2.0 header is not valid.
431	Certificate is revoked.
432	Session renegotiation is not allowed.
433	Key exceeds allowable export size.
434	Certificate key is not compatible with cipher suite.
435	Certificate authority is unknown.
436	Certificate revocation list cannot be processed.
437	Connection closed.
438	Internal error reported by remote partner.
439	Unknown alert received from remote partner.
501	Buffer size is not valid.
502	Socket request would block.
503	Socket read request would block.
504	Socket write request would block.
505	Record overflow.
601	Protocol is not TLS 1.
602	Function identifier is not valid.
701	Attribute identifier is not valid.
702	The attribute has a negative length, which is invalid.
703	The enumeration value is invalid for the specified enumeration type.
704	Invalid parameter list for replacing the SID cache routines.
705	The value is not a valid number.
706	Conflicting parameters were set for additional certificate validation
707	The AES cryptographic algorithm is not supported.
708	The PEERID does not have the correct length.
1501	GSK_SC_OK
1502	GSK_SC_CANCEL
1601	The trace started successfully.
1602	The trace stopped successfully.
1603	No trace file was previously started so it cannot be stopped.
1604	Trace file already started so it cannot be started again.
1605	Trace file cannot be opened. The first parameter of gsk_start_trace() must be a valid full path filename.

Return code (decimal)	Explanation
575001	Internal error
575002	ASN error due to a malformed certificate
575003	Cryptographic error
575004	Key database error
575005	Directory error
575006	Invalid implementation library
575008	No appropriate validator
575009	The root CA is not trusted
575010	No certificate chain was built
575011	Digital signature algorithm mismatch
575012	Digital signature mismatch
575013	X.509 version does not allow Key IDs
575014	X.509 version does not allow extensions
575015	Unknown X.509 certificate version
575016	The certificate validity range is invalid
575017	The certificate is not yet valid
575018	The certificate has expired
575019	The certificate contains unknown critical extensions
575020	The certificate contains duplicate extensions
575021	The issuers directory name does not match the issuer's issuer
575022	The Authority Key ID serial number value does not match the serial number of the issuer
575023	The Authority Key ID and Subject Key ID do not match
575024	Unrecognized issuer alternative name
575025	The certificate Basic Constraints forbid use as a CA
575026	The certificate has a non-zero Basic Constraints path length but is not a CA
575027	The certificate Basic Constraints maximum path length was exceeded
575028	The certificate is not permitted to sign other certificates
575029	The certificate is not signed by a CA
575030	Unrecognized Subject Alternative Name
575031	The certificate chain is invalid
575032	The certificate is revoked
575033	Unrecognized CRL distribution point
575034	Name chaining failed
575035	Certificate is not in a chain
575036	The CRL is not yet valid
575037	The CRL has expired
575038	The certificate version does not allow critical extensions
575039	Unknown CRL distribution points
575040	No CRLs for CRL distribution points
575041	Indirect CRLs are not supported
575042	Missing issuing CRL distribution point name
575043	Distribution points do not match
575044	No available CRL data source
575045	CA Subject name is null
575046	Distinguished names do not chain
575047	Missing Subject Alternative Name
575048	Unique ID mismatch
575049	Name not permitted
575050	Name excluded
575051	CA certificate is missing Critical Basic Constraints
575052	Name constraints are not critical
575053	Name constraints minimum subtree value if set is not zero
575054	Name constraints maximum subtree value if set is not allowed
575055	Unsupported name constraint
575056	Empty policy constraints
575057	Bad certificate policies
575058	Certificate policies not acceptable
575059	Bad acceptable certificate policies
575060	Certificate policy mappings are critical
575061	Revocation status could not be determined
575062	Extended key usage error
575063	Unknown OCSP version
575064	Unknown OCSP response
575065	Bad OCSP key usage extension
575066	Bad OCSP nonce
575067	Missing OCSP nonce
575068	No OCSP client available