This topic lists the system Secure Sockets Layer (SSL) return codes for the most common problems that might occur during SSL initialization or the SSL handshake.
You need to do these steps before using the following return code tables:
Return code | Description |
---|---|
-2 | No system certificate is available for SSL processing. The Telnet server successfully initializes SSL, but the SSL handshake fails. There is no sign-on panel in the SSL Telnet client window. The QIBM_QTV_TELNET_SERVER application does not have an assigned system certificate. View the system certificate and check that the value Yes shows in the Certificate assigned column. If the value is No, create a system certificate for the QIBM_QTV_TELNET_SERVER application. |
-4 | The CA certificate or system certificate is bad. The system certificate is not private or trusted. The Private Key and Trusted fields on the server certificate are not correct. The Telnet SSL client window has no sign-on panel. Add CA information in your Telnet SSL client. If you are using iSeries™ Access for Windows® as your Telnet SSL client, see Manage public Internet certificates for SSL communication sessions. Otherwise, see Obtain a copy of the private CA certificate for instructions. |
-16 | The peer system is not recognized. This problem is the most common problem when a Telnet SSL client first attempts to establish an SSL session. The Telnet SSL client window has no sign-on panel. Add CA certificate information to your Telnet SSL client. |
-18 | The system certificate is self-signed and the server is using it as a CA certificate. The system certificate assigned to the QIBM_QTV_TELNET_SERVER application must be trusted, signed by a certificate authority, and used within the valid time period. You need to create a CA certificate and associate it with the system certificate. The Telnet server does not initialize SSL if the system certificate is incorrect. Create a CA certificate and associate it with the system certificate. |
-23 | The system certificate is not signed by a trusted certificate authority. The system certificate assigned to the QIBM_QTV_TELNET_SERVER application must be trusted, signed by a certificate authority, and used within the valid time period. Change the CA certificate to Trusted. For instructions, see Manage applications in DCM. |
-24 | The valid time period of the CA certificate has expired. You are using an out-of-date certificate. The Telnet SSL client window has no sign-on panel. Renew the CA certificate that was used to build the system certificate. |
-93 | SSL is not available for use. Telnet SSL clients cannot connect to a host because there is no active SSL listener. Install software requirements to support Telnet SSL and to manage certificates. For instructions, see Check system status. |
Other SSL return codes
For the SSL return codes in the following table, use DCM to verify that the digital certificates meet these requirements:
Return code | Description |
---|---|
-1 | No ciphers are available or specified |
-6 | The i5/OS® operating system does not support the certificate type |
-10 | An error occurred in SSL processing. In the job log, check the CPExxxx message where xxxx is the sockets error value |
-11 | SSL received a badly formatted message |
-12 | A bad message authentication code was received |
-13 | Operation is not supported by SSL |
-14 | The certificate signature is not valid |
-15 | The certificate is bad |
-17 | Permission was denied to access object |
-20 | Unable to allocate storage required for SSL processing |
-21 | SSL detected a bad state in the SSL session |
-22 | The socket used by the SSL connection has been closed |
-25 | The date in the certificate is in a bad format |
-26 | The key length is bad for export |
-90 | Not a key ring file |
-91 | The password in the key database has expired |
-92 | Certificate is not valid or is rejected by the exit program |
-94 | SSL_Init() was not previously invoked for the job |
-95 | There is no key ring for SSL initialization |
-96 | SSL is not enabled |
-97 | The specified cipher suite is not valid |
-98 | The SSL session ended |
-99 | An unknown or unexpected error occurred during SSL processing |
-1010 | Double encryption is not allowed when using AC2 and IP-SEC |