Skip to Main Content
IBM Z Hardware and Operating Systems Ideas Portal


This is the public portal for all IBM Z Hardware and Operating System related offerings. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas
  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Status Not under consideration
Workspace z/OS
Created by Guest
Created on Apr 2, 2021

EZD1326I is too vague a message

We started getting this error in our logs
NSSD: EZD1326I Request type NSS_VerifySignatureReqToSrv with correlator ID 0000000000000D7D0000000000000000 from from client NSSCERT failed - return code EINVAL reason code NSSRsnSaNotInCertLife .

While the reason for the error is clear the remedy requires lengthy work of going through very verbose logs trying to fine which SA is causing this issues

Idea priority Low
  • Guest
    Reply
    |
    May 17, 2021

    Yes, message EZD1326I is rather general, but that is because it can be issued in a variety of situations. Because of that, it does not contain details for specific error situations. However, we do document that the request correlator in the message can often be used to locate further error information in the related client (IKE) messages. Here is that documentation in the Problem Determination description for EZD1326I in the IP Messages Volume 2 manual: https://www.ibm.com/docs/en/zos/2.4.0?topic=messages-ezd1326i

    "The NSS client might provide additional diagnostic messages containing the same correlator as message EZD1326I. If the administrator of the NSS client can provide diagnostic information, the matching correlator can be used to locate the specific failure condition in the NSS server log file."

    In your case, the NSSD and IKED error messages are written to the same error log which contained the EZD1326I message as well as an IKED EZD1038I with the same correlator value (showing they are related messages). The text of EZD1038I is "Remote security endpoint's certificate is not valid because the security association's lifetime is not in the certificate's lifetime." This is a very specific error message, and the remote CN of the remote IKE certificate at issue is provided in the same message block.

    It sounds like you eventually found the EZD1038I message, but it also sounds like you were unaware of the connection between the messages and the navigation suggested in the above message documentation. If you had used the documented approach to searching the log, it would have quickly led to the specific detail required to diagnose the error.

    Given the fact that all this detail is already provided across related messages (as indicated by the common correlator value), this is not likely to be implemented and therefore this RFE is being rejected.