+

Search Tips | Advanced Search

Transport Layer Security (TLS) return codes

IBM MQ can use TLS with the various communication protocols. Use this topic to identify the error codes that can be returned by TLS.

The table in this appendix documents the return codes, in decimal form, from the TLS that can be returned in messages from the distributed queuing component.

If the return code is not listed, or if we want more information, see the IBM Global Security Kit return codes here: ../../SSPREK_6.1.0/com.ibm.itame.doc_6.1/am61_messages25.htm.

Return code (decimal) Explanation
1 Handle is not valid.
3 An internal error has occurred.
4 Insufficient storage is available
5 Handle is in the incorrect state.
6 Key label is not found.
7 No certificates available.
8 Certificate validation error.
9 Cryptographic processing error.
10 ASN processing error.
11 LDAP processing error.
12 An unexpected error has occurred.
102 Error detected while reading key database or SAF key ring.
103 Incorrect key database record format.
106 Incorrect key database password.
109 No certificate authority certificates.
201 No key database password supplied.
202 Error detected while opening the key database.
203 Unable to generate temporary key pair
204 Key database password is expired.
302 Connection is active.
401 Certificate is expired or is not valid yet.
402 No TLS cipher specifications.
403 No certificate received from partner.
405 Certificate format is not supported.
406 Error while reading or writing data.
407 Key label does not exist.
408 Key database password is not correct.
410 TLS message format is incorrect.
411 Message authentication code is incorrect.
412 TLS protocol or certificate type is not supported.
413 Certificate signature is incorrect.
414 Certificate is not valid.
415 TLS protocol violation.
416 Permission denied.
417 Self-signed certificate cannot be validated.
420 Socket closed by remote partner.
421 SSL 2.0 cipher is not valid.
422 SSL 3.0 cipher is not valid.
427 LDAP is not available.
428 Key entry does not contain a private key.
429 SSL 2.0 header is not valid.
431 Certificate is revoked.
432 Session renegotiation is not allowed.
433 Key exceeds allowable export size.
434 Certificate key is not compatible with cipher suite.
435 Certificate authority is unknown.
436 Certificate revocation list cannot be processed.
437 Connection closed.
438 Internal error reported by remote partner.
439 Unknown alert received from remote partner.
501 Buffer size is not valid.
502 Socket request would block.
503 Socket read request would block.
504 Socket write request would block.
505 Record overflow.
601 Protocol is not TLS 1.
602 Function identifier is not valid.
701 Attribute identifier is not valid.
702 The attribute has a negative length, which is invalid.
703 The enumeration value is invalid for the specified enumeration type.
704 Invalid parameter list for replacing the SID cache routines.
705 The value is not a valid number.
706 Conflicting parameters were set for additional certificate validation
707 The AES cryptographic algorithm is not supported.
708 The PEERID does not have the correct length.
1501 GSK_SC_OK
1502 GSK_SC_CANCEL
1601 The trace started successfully.
1602 The trace stopped successfully.
1603 No trace file was previously started so it cannot be stopped.
1604 Trace file already started so it cannot be started again.
1605 Trace file cannot be opened. The first parameter of gsk_start_trace() must be a valid full path filename.

In some cases, the secure sockets library reports a certificate validation error in an AMQ9633 error message. Table 2 lists the certificate validation errors that can be returned in messages from the distributed queuing component.

Return code (decimal) Explanation
575001 Internal error
575002 ASN error due to a malformed certificate
575003 Cryptographic error
575004 Key database error
575005 Directory error
575006 Invalid implementation library
575008 No appropriate validator
575009 The root CA is not trusted
575010 No certificate chain was built
575011 Digital signature algorithm mismatch
575012 Digital signature mismatch
575013 X.509 version does not allow Key IDs
575014 X.509 version does not allow extensions
575015 Unknown X.509 certificate version
575016 The certificate validity range is invalid
575017 The certificate is not yet valid
575018 The certificate has expired
575019 The certificate contains unknown critical extensions
575020 The certificate contains duplicate extensions
575021 The issuers directory name does not match the issuer's issuer
575022 The Authority Key ID serial number value does not match the serial number of the issuer
575023 The Authority Key ID and Subject Key ID do not match
575024 Unrecognized issuer alternative name
575025 The certificate Basic Constraints forbid use as a CA
575026 The certificate has a non-zero Basic Constraints path length but is not a CA
575027 The certificate Basic Constraints maximum path length was exceeded
575028 The certificate is not permitted to sign other certificates
575029 The certificate is not signed by a CA
575030 Unrecognized Subject Alternative Name
575031 The certificate chain is invalid
575032 The certificate is revoked
575033 Unrecognized CRL distribution point
575034 Name chaining failed
575035 Certificate is not in a chain
575036 The CRL is not yet valid
575037 The CRL has expired
575038 The certificate version does not allow critical extensions
575039 Unknown CRL distribution points
575040 No CRLs for CRL distribution points
575041 Indirect CRLs are not supported
575042 Missing issuing CRL distribution point name
575043 Distribution points do not match
575044 No available CRL data source
575045 CA Subject name is null
575046 Distinguished names do not chain
575047 Missing Subject Alternative Name
575048 Unique ID mismatch
575049 Name not permitted
575050 Name excluded
575051 CA certificate is missing Critical Basic Constraints
575052 Name constraints are not critical
575053 Name constraints minimum subtree value if set is not zero
575054 Name constraints maximum subtree value if set is not allowed
575055 Unsupported name constraint
575056 Empty policy constraints
575057 Bad certificate policies
575058 Certificate policies not acceptable
575059 Bad acceptable certificate policies
575060 Certificate policy mappings are critical
575061 Revocation status could not be determined
575062 Extended key usage error
575063 Unknown OCSP version
575064 Unknown OCSP response
575065 Bad OCSP key usage extension
575066 Bad OCSP nonce
575067 Missing OCSP nonce
575068 No OCSP client available
Parent topic: Reason codes and exceptions


Related reference


Related information

Last updated: 2020-10-04