KB Article #177274
SAF PKI: get certificate not found: USERCID=NULLCERT (chain_size=0) and other errors
Problem
PKI_TYPE=SYSTEM
SAF PKI (RACF RING) for certificates
certificate not found: USERCID=NULLCERT (chain_size=0)
CFTY02Z >> CTX=200007 IRRSDL00(DataGetFirst): SAF.RC=(8), RACF.RC/RS=(8,48) Ring/owner=(CFTRING,CFT)
Resolution
For message:
CFTY02Z >> CTX=200007 IRRSDL00(DataGetFirst): SAF.RC=(8), RACF.RC/RS=(8,48) Ring/owner=(CFTRING,CFT)
SAF / RACF RC=8 Reason 48 stands for:
An output area is not long enough. One or more of the following input length fields were too small: Certificate_length, Private_key_length, or Subjects_DN_length. The length field(s) returned contain the amount of storage needed for the service to successfully return data.
CFT limits the subjects_dn_length field to 256.
The length returned by the RACF interface for that certificate is longer.
In the certificate, the full DN is longer than the buffer.
This explains the error code: the output area for the DN, limited to a maximum of 256, is too short to receive the DN of that certificate.
Maximum lengths in CFT V 3.1.3:
certificate_length = sizeof(dataget_certificate); /* 16000 */
cert_user_id_length = 8;
private_key_length = sizeof(dataget_private_key); /* 16000 */
label_length = 256;
subjects_dn_length = 256;
record_id_length = 256;
Note: This will be enhanced in CFT version 3.2 so that the related field lengths match the latest RFC.
SGTRACE 128 can be used to help troubleshoot such an issue, as it provides the returned length of fields when retrieving certificates.
Workaround: have the certificate rebuilt with a shorter DN.
Other: Transfer CFT natively supports RSA key sizes up to 4096 bits.
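A pre-check for the workaround above, as an added example that is not Axway's code: it walks a DER certificate to the subject field and compares its encoded size with the 256-byte subjects_dn_length limit, so an oversized DN is caught before the certificate is connected to the ring. It assumes the length RACF reports is that of the encoded subject Name; the function names are hypothetical and the sample certificates are constructed, unsigned skeletons.

```python
# Assumption: the DN length RACF returns is the size of the encoded subject Name.
CFT_313_SUBJECT_DN_MAX = 256  # subjects_dn_length from the article's field list

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        length, start = first, pos + 2
    else:                                 # long form: low 7 bits = count of length bytes
        n = first & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, start, start + length

def subject_dn_length(cert_der):
    """Bytes taken by the encoded subject Name, tag and length header included."""
    tag, pos, _ = read_tlv(cert_der, 0)           # Certificate
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    _, pos, _ = read_tlv(cert_der, pos)           # tbsCertificate
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                               # optional [0] version
        pos = end
    for _ in range(4):                            # serialNumber, signature, issuer, validity
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)         # subject Name
    if tag != 0x30:
        raise ValueError("subject Name not found")
    return end - pos

def fits_cft_313(cert_der):
    return subject_dn_length(cert_der) <= CFT_313_SUBJECT_DN_MAX

def tlv(tag, value):  # DER-encode one element; used only to build the samples
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    size = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def sample_cert(common_name):  # constructed, unsigned skeleton (CN-only subject)
    cn = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, common_name.encode()))
    name = tlv(0x30, tlv(0x31, cn))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
           + name + tlv(0x30, b"") + name)
    return tlv(0x30, tlv(0x30, tbs))
```

For a real certificate, pass the DER bytes of the exported file to fits_cft_313(); a PEM file has to be base64-decoded first.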