IJ06175: CICS EXPLORER - ZOS FTP CONNECTION NOT NEGOTIATING TO MOST SECURE SETTING.

IBM CICSEX-5.4.0-FP0009
IBM CICSEX-5.4.0-FP00010
IBM CICSEX-5.4.0-FP00011
IBM CICSEX-5.4.0-FP00012
IBM CICSEX-5.4.0-FP00013
IBM CICSEX-5.4.0-FP00014
IBM CICSEX-5.4.0-FP00015
IBM CICSEX-5.4.0-FP00016
IBM CICSEX-5.4.0-FP00017

APAR status

• Closed as program error.

Error description

• TLSv1.2 is rolling out as the new Standard. One of our z/OS
  systems is configured for TLSv1.2 and on the Preferences
  Explorer Certificate Management screen we are taking the
  "Default" for Security Socket Protocol.
  Per CICS Explorer Help:
  Leave the Secure socket protocol set to default unless
  instructed by your network administrator. When set to default,
  CICS Explorer automatically negotiates the most secure
  connection with the server.
  When we ran testing and a system trace, the connection only
  negotiated to TLSv1, Even though it looks like CICS Explorer
  v5.4.4 Supports TLSv1.2 and the zOS system is configured for
  TLSv1.2.
  Additional Symptom(s) Search Keyword(s): KIXREVCTC
  

Local fix

Problem summary

• When negotiating a TLS connection, CICS Explorer was not
  specific about which protocol was used and allowed the
  underlying infrastructure to decide. This could result in a
  TLSv1.1 connection even though TLSv1.2 was available.
  

Problem conclusion

• CICS Explorer now tries to negotiate a TLSv1.2 connection in the
  first instance.
  .
  This fix will be made available in Version 5.4.0.9 of the CICS
  Explorer.
  .
  For installation instructions please see:
  Ordering maintenance for IBM CICS Explorer and CICS Explorer
  plug-ins
  http://www.ibm.com/support/docview.wss?uid=swg21380083
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Modules/Macros

•    EXPLORER
  

Fix information

• Fixed component name

  CICS EXPLORER V

• Fixed component ID

  5655Y0401

Applicable component levels