KB Article #177274

SAF PKI: get certificate not found: USERCID=NULLCERT (chain_size=0) and other errors

Problem

PKI_TYPE=SYSTEM

SAF PKI (RACF RING) for certificates

certificate not found: USERCID=NULLCERT (chain_size=0)

CFTY02Z >> CTX=200007 IRRSDL00(DataGetFirst): SAF.RC=(8), RACF.RC/RS=(8,48) Ring/owner=(CFTRING,CFT)

Resolution

For message:
CFTY02Z >> CTX=200007 IRRSDL00(DataGetFirst): SAF.RC=(8), RACF.RC/RS=(8,48) Ring/owner=(CFTRING,CFT)


SAF/RACF RC=8, reason 48 means:

An output area is not long enough. One or more of the following input length fields were too small: Certificate_length, Private_key_length, or Subjects_DN_length. The length field(s) returned contain the amount of storage needed for the service to successfully return data.

CFT limits the subjects_dn_length field to 256.
The length returned by the RACF interface for that certificate is longer.


In the certificate, the full DN is longer than the buffer.
This explains the error code: the output area for the DN, limited to a maximum of 256, is too short to receive the DN of that certificate.



Maximum lengths in CFT V 3.1.3:


certificate_length = sizeof(dataget_certificate); --> 16000
cert_user_id_length = 8;
private_key_length = sizeof(dataget_private_key); --> 16000
label_length = 256;
subjects_dn_length = 256;
record_id_length = 256;


Note: This will be enhanced in CFT version 3.2 so that the related field lengths match the latest RFC.

SGTRACE 128 can help in troubleshooting such an issue, as it provides the returned length of the fields when retrieving certificates.
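
A triage helper for this message, as an added example (not Axway or IBM code): it parses the IRRSDL00 line quoted above, maps the one return-code combination this article documents, and compares returned field lengths against the V 3.1.3 limits. The function names are hypothetical and the returned lengths are constructed values; the SGTRACE 128 output format is not shown in this article, so the lengths are passed in as a dictionary rather than parsed from a trace.

```python
import re

# Buffer limits in CFT V 3.1.3, as listed in this article.
CFT_313_LIMITS = {
    "certificate_length": 16000,
    "private_key_length": 16000,
    "label_length": 256,
    "subjects_dn_length": 256,
    "record_id_length": 256,
}

# Only the (SAF RC, RACF RC, RACF reason) combination this article documents.
KNOWN_CODES = {
    (8, 8, 48): "output area too short: Certificate_length, "
                "Private_key_length or Subjects_DN_length was too small",
}

LINE_RE = re.compile(
    r"IRRSDL00\((?P<func>\w+)\):\s*SAF\.RC=\((?P<saf>\d+)\),\s*"
    r"RACF\.RC/RS=\((?P<rc>\d+),(?P<rs>\d+)\)\s*"
    r"Ring/owner=\((?P<ring>[^,()]+),(?P<owner>[^()]+)\)"
)

def parse_irrsdl00(line):
    """Extract function, return codes and ring/owner; None if no match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    codes = (int(m["saf"]), int(m["rc"]), int(m["rs"]))
    return {
        "function": m["func"],
        "codes": codes,
        "ring": m["ring"].strip(),
        "owner": m["owner"].strip(),
        "meaning": KNOWN_CODES.get(codes, "not covered by this article"),
    }

def oversized_fields(returned_lengths, limits=CFT_313_LIMITS):
    """Map field -> (needed, limit) for lengths that exceed the CFT buffer."""
    return {k: (v, limits[k]) for k, v in returned_lengths.items()
            if k in limits and v > limits[k]}

# The message from this article, plus constructed lengths (assumption).
SAMPLE_LINE = ("CFTY02Z >> CTX=200007 IRRSDL00(DataGetFirst): SAF.RC=(8), "
               "RACF.RC/RS=(8,48) Ring/owner=(CFTRING,CFT)")
SAMPLE_LENGTHS = {"certificate_length": 1432, "subjects_dn_length": 301}

if __name__ == "__main__":
    print(parse_irrsdl00(SAMPLE_LINE))
    print(oversized_fields(SAMPLE_LENGTHS))
```
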

Workaround: get the certificate rebuilt with a shorter DN

Other: Transfer CFT natively supports RSA key sizes up to 4096b.