KB Article #180945

[HANDSHAKE_FAILURE] CR=51 (Decrypt error: tlsv1 alert decrypt

Problem


PKITYPE=SYSTEM

New certificate inserted into the RACF RING


Error:
CFTY13E CTX=251551 SSL Handshake local error ÝHANDSHAKE_FAILURE~ CR=51 (Decrypt error: block type is not 01)
CFTY30E CTX=231552 SSL Handshake remote error ÝHANDSHAKE_FAILURE~ CR=51 (Decrypt error: tlsv1 alert decrypt




Resolution

Usually, this error is related to an issue with the certificate itself. In particular, check the signature.
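
The local error text "block type is not 01" matches the PKCS#1 v1.5 signature padding check, where the block recovered with the public key must start with 00 01. The sketch below is an added example, not Transfer CFT code: it uses constructed toy keys and SHA-256 (both assumptions, as are all names in it) to show that check failing when a signature is verified against a public key that does not match the signing key.

```python
import hashlib

# Constructed toy RSA keys (assumption: illustration only, never for real use).
E = 65537
P, Q = 2**255 - 19, 2**256 - 189            # two well-known primes
N_SIGNER = P * Q                            # public modulus of the signing key
D_SIGNER = pow(E, -1, (P - 1) * (Q - 1))    # private exponent of the signing key
# Constructed modulus of an unrelated public key with the same byte length
# (the secp256k1 field prime times the secp256k1 group order, both prime).
N_OTHER = (2**256 - 2**32 - 977) * \
    0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def sign(message: bytes) -> int:
    """Build 00 01 FF..FF 00 DigestInfo, then apply the private key."""
    k = (N_SIGNER.bit_length() + 7) // 8
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), D_SIGNER, N_SIGNER)


def verify(message: bytes, signature: int, n: int) -> str:
    """Apply the public key (n, E), then run the PKCS#1 v1.5 block checks."""
    k = (n.bit_length() + 7) // 8
    em = pow(signature, E, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":               # block type byte must be 01
        return "block type is not 01"
    sep = em.find(b"\x00", 2)               # end of the FF padding run
    if sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        return "bad padding"
    if em[sep + 1:] != SHA256_PREFIX + hashlib.sha256(message).digest():
        return "bad signature"
    return "ok"


if __name__ == "__main__":
    msg = b"constructed to-be-signed bytes"
    sig = sign(msg)
    print("matching key :", verify(msg, sig, N_SIGNER))
    print("other key    :", verify(msg, sig, N_OTHER))
```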


Files needed to troubleshoot such an issue:

Ensure the certificate is inserted with the PCICC attribute (if this is not already the case)

Enable the CFTSSL trace (trace=255)

Enable the traces using the environment variables below:

- to be set in UPARM(CNFENV)

  • SSLW_TRACE_LEVEL=5
  • XTRACE_CFT_TSSL_LEVEL=5


Do a transfer of a small file and then collect the files below:

- CFTEXT
- CFT LOG
- SGTRACE (the full CFT sysout will do)