Fixes are available
APAR status
Closed as program error.
Error description
If a client sends a TLSv1.2 request, CICS TG rejects the request with javax.net.ssl.SSLHandshakeException, resulting in an SSL handshake failure.
Local fix
Problem summary
By default, CICS TG created the SSLContext with SSL_TLS, which enables SSL V3.0 and TLS 1.0. As a result, CICS TG could not accept TLSv1.2 requests. The behavior of CICS TG was as follows:
A) By default, TLSv1.2 was not supported by CICS TG. CICS TG allowed only SSLv3 and TLSv1.0.
B) If com.ibm.jsse2.sp800-131=strict is set, then only TLSv1.2 is supported, with SP800-131A compliance.
C) If com.ibm.jsse2.sp800-131=transition is set, then TLSv1.0 is set.
D) If com.ibm.jsse2.sp800-131=transition and com.ibm.jsse2.overrideDefaultTLS=true are set, then TLSv1.0, TLSv1.1 and TLSv1.2 are set.
Problem conclusion
CICS TG is changed to support TLSv1.2 requests by default and now provides com.ibm.jsse2.overrideDefaultProtocol support, as described in https://ibm.biz/Bdi5rr
Temporary fix
Comments
APAR Information
APAR number
PI88428
Reported component name
CICS TRNS GATE
Reported component ID
5724I8103
Reported release
910
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-10-05
Closed date
2021-03-05
Last modified date
2021-03-05
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
CICS TRNS GATE
Fixed component ID
5724I8103
Applicable component levels
R910 PSY
UP
Document Information
Modified date:
18 October 2021