Transport Layer Security (TLS) return codes
IBM MQ can use TLS with the various communication protocols. Use this topic to identify the error codes that can be returned by TLS.
The table in this appendix documents the TLS return codes, in decimal form, that can be returned in messages from the distributed queuing component.
If the return code is not listed, or if you want more information, see the IBM Global Security Kit return codes here: ../../SSPREK_6.1.0/com.ibm.itame.doc_6.1/am61_messages25.htm.
Table 1. TLS return codes

Return code (decimal)  Explanation
1                      Handle is not valid.
3                      An internal error has occurred.
4                      Insufficient storage is available.
5                      Handle is in the incorrect state.
6                      Key label is not found.
7                      No certificates available.
8                      Certificate validation error.
9                      Cryptographic processing error.
10                     ASN processing error.
11                     LDAP processing error.
12                     An unexpected error has occurred.
102                    Error detected while reading key database or SAF key ring.
103                    Incorrect key database record format.
106                    Incorrect key database password.
109                    No certificate authority certificates.
201                    No key database password supplied.
202                    Error detected while opening the key database.
203                    Unable to generate temporary key pair.
204                    Key database password is expired.
302                    Connection is active.
401                    Certificate is expired or is not valid yet.
402                    No TLS cipher specifications.
403                    No certificate received from partner.
405                    Certificate format is not supported.
406                    Error while reading or writing data.
407                    Key label does not exist.
408                    Key database password is not correct.
410                    TLS message format is incorrect.
411                    Message authentication code is incorrect.
412                    TLS protocol or certificate type is not supported.
413                    Certificate signature is incorrect.
414                    Certificate is not valid.
415                    TLS protocol violation.
416                    Permission denied.
417                    Self-signed certificate cannot be validated.
420                    Socket closed by remote partner.
421                    SSL V2 cipher is not valid.
422                    SSL V3 cipher is not valid.
427                    LDAP is not available.
428                    Key entry does not contain a private key.
429                    SSL V2 header is not valid.
431                    Certificate is revoked.
432                    Session renegotiation is not allowed.
433                    Key exceeds allowable export size.
434                    Certificate key is not compatible with cipher suite.
435                    Certificate authority is unknown.
436                    Certificate revocation list cannot be processed.
437                    Connection closed.
438                    Internal error reported by remote partner.
439                    Unknown alert received from remote partner.
501                    Buffer size is not valid.
502                    Socket request would block.
503                    Socket read request would block.
504                    Socket write request would block.
505                    Record overflow.
601                    Protocol is not TLS V1.
602                    Function identifier is not valid.
701                    Attribute identifier is not valid.
702                    The attribute has a negative length, which is invalid.
703                    The enumeration value is invalid for the specified enumeration type.
704                    Invalid parameter list for replacing the SID cache routines.
705                    The value is not a valid number.
706                    Conflicting parameters were set for additional certificate validation.
707                    The AES cryptographic algorithm is not supported.
708                    The PEERID does not have the correct length.
1501                   GSK_SC_OK
1502                   GSK_SC_CANCEL
1601                   The trace started successfully.
1602                   The trace stopped successfully.
1603                   No trace file was previously started so it cannot be stopped.
1604                   Trace file already started so it cannot be started again.
1605                   Trace file cannot be opened. The first parameter of gsk_start_trace() must be a valid full path filename.

In some cases, the secure sockets library reports a certificate validation error in an AMQ9633 error message. Table 2 lists the certificate validation errors that can be returned in messages from the distributed queuing component.
Table 2. Certificate validation errors

Return code (decimal)  Explanation
575001                 Internal error
575002                 ASN error due to a malformed certificate
575003                 Cryptographic error
575004                 Key database error
575005                 Directory error
575006                 Invalid implementation library
575008                 No appropriate validator
575009                 The root CA is not trusted
575010                 No certificate chain was built
575011                 Digital signature algorithm mismatch
575012                 Digital signature mismatch
575013                 X.509 version does not allow Key IDs
575014                 X.509 version does not allow extensions
575015                 Unknown X.509 certificate version
575016                 The certificate validity range is invalid
575017                 The certificate is not yet valid
575018                 The certificate has expired
575019                 The certificate contains unknown critical extensions
575020                 The certificate contains duplicate extensions
575021                 The issuer's directory name does not match the issuer's issuer
575022                 The Authority Key ID serial number value does not match the serial number of the issuer
575023                 The Authority Key ID and Subject Key ID do not match
575024                 Unrecognized issuer alternative name
575025                 The certificate Basic Constraints forbid use as a CA
575026                 The certificate has a non-zero Basic Constraints path length but is not a CA
575027                 The certificate Basic Constraints maximum path length was exceeded
575028                 The certificate is not permitted to sign other certificates
575029                 The certificate is not signed by a CA
575030                 Unrecognized Subject Alternative Name
575031                 The certificate chain is invalid
575032                 The certificate is revoked
575033                 Unrecognized CRL distribution point
575034                 Name chaining failed
575035                 Certificate is not in a chain
575036                 The CRL is not yet valid
575037                 The CRL has expired
575038                 The certificate version does not allow critical extensions
575039                 Unknown CRL distribution points
575040                 No CRLs for CRL distribution points
575041                 Indirect CRLs are not supported
575042                 Missing issuing CRL distribution point name
575043                 Distribution points do not match
575044                 No available CRL data source
575045                 CA Subject name is null
575046                 Distinguished names do not chain
575047                 Missing Subject Alternative Name
575048                 Unique ID mismatch
575049                 Name not permitted
575050                 Name excluded
575051                 CA certificate is missing Critical Basic Constraints
575052                 Name constraints are not critical
575053                 Name constraints minimum subtree value if set is not zero
575054                 Name constraints maximum subtree value if set is not allowed
575055                 Unsupported name constraint
575056                 Empty policy constraints
575057                 Bad certificate policies
575058                 Certificate policies not acceptable
575059                 Bad acceptable certificate policies
575060                 Certificate policy mappings are critical
575061                 Revocation status could not be determined
575062                 Extended key usage error
575063                 Unknown OCSP version
575064                 Unknown OCSP response
575065                 Bad OCSP key usage extension
575066                 Bad OCSP nonce
575067                 Missing OCSP nonce
575068                 No OCSP client available