A fix is available
APAR status
Closed as program error.
Error description
If a client sends a TLSv1.2 request, CICS TG rejects the request with javax.net.ssl.SSLHandshakeException, resulting in an SSL handshake failure.
Local fix
Problem summary
USERS AFFECTED: All users of CICS TG for z/OS.

PROBLEM DESCRIPTION: If a client sends a TLSv1.2 request, CICS TG rejects the request with javax.net.ssl.SSLHandshakeException, resulting in an SSL handshake failure.

RECOMMENDATION: As a workaround, set either of the following options in CTGSTART_OPTS to enable TLSv1.2.
i. -j-Dcom.ibm.jsse2.sp800-131=strict
ii. -j-Dcom.ibm.jsse2.overrideDefaultTLS=true -j-Dcom.ibm.jsse2.sp800-131=transition

By default, CICS TG was creating the SSLContext with SSL_TLS, which enables SSL V3.0 and TLS 1.0. Hence CICS TG could not accept TLSv1.2 requests. The behavior of CICS TG was as follows:
A. By default, TLSv1.2 was not supported by CICS TG. CICS TG was only allowing SSLv3 and TLSv1.0.
B. If com.ibm.jsse2.sp800-131=strict is set, then only TLSv1.2 is supported, with sp800-131A compliance.
C. If com.ibm.jsse2.sp800-131=transition is set, then TLSv1.0 is set.
D. If com.ibm.jsse2.sp800-131=transition and com.ibm.jsse2.overrideDefaultTLS=true are set, then TLSv1.0, TLSv1.1 and TLSv1.2
Problem conclusion
CICS TG has been changed to add default support for TLSv1.2 requests and to provide com.ibm.jsse2.overrideDefaultProtocol support, as described in https://ibm.biz/Bdi5rr
Temporary fix
Comments
APAR Information
APAR number
PI82515
Reported component name
CTG V9 FOR Z/OS
Reported component ID
5655Y2000
Reported release
910
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-06-02
Closed date
2017-07-17
Last modified date
2017-08-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI48827 UI48828 PI88428
Modules/Macros
CTG00199 CTG00201 CTG00204 CTG00974
Fix information
Fixed component name
CTG V9 FOR Z/OS
Fixed component ID
5655Y2000
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
09 August 2024