IBM Support

Access Client Solutions gives MSGSSL004 and/or MSGSSL007 during connection with SSL enabled

Troubleshooting


Problem

The user receives MSGSSL004 and/or MSGSSL007 when trying to connect to the iSeries with SSL enabled.

Symptom

MSGSSL004 - An error was encountered during the handshake phase of establishing a secure connection.(Received fatal alert: handshake_failure)

MSGSSL007 - An error occurred with an SSL certificate. (Certificates does not conform to algorithm constraints)

Cause

The current SSL configuration does not meet requirements. The new version of Oracle's JRE implemented new security policies that prohibit the use of certificates using MD5 or lower and RSA cipher specs. This was done because these ciphers are considered unsafe and can be cracked, exposing your data.

Environment

Access Client Solutions

Java 8

Diagnosing The Problem

Determine which part of the SSL configuration is not meeting requirements.
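As an added example (not IBM's code and not part of the original document), the Python sketch below checks a certificate text dump, in the layout printed by `openssl x509 -noout -text`, against a policy written in the syntax of the JRE's `jdk.certpath.disabledAlgorithms` security property, which is the check behind the "algorithm constraints" message. The policy string, the sample certificate text and the function names are assumptions constructed for illustration; take the real policy from the `java.security` file of the JRE that runs Access Client Solutions.

```python
import re

# Assumption: a policy in the syntax of the JRE security property
# jdk.certpath.disabledAlgorithms; copy the real value from your java.security file.
ASSUMED_POLICY = "MD2, MD5, RSA keySize < 1024"

# Constructed samples laid out like `openssl x509 -noout -text` output (trimmed).
SAMPLE_LOCAL_CA = """\
    Signature Algorithm: md5WithRSAEncryption
    Subject: CN = Example Local CA
        Public Key Algorithm: rsaEncryption
            RSA Public-Key: (1024 bit)
"""
SAMPLE_SERVER = """\
    Signature Algorithm: sha256WithRSAEncryption
    Subject: CN = host.example.com
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
"""
SAMPLE_SHORT_KEY = SAMPLE_SERVER.replace("2048", "512")

KEY_TYPES = {"rsaEncryption": "RSA", "dsaEncryption": "DSA", "id-ecPublicKey": "EC"}

def parse_policy(policy):
    """Return (banned algorithm names, minimum key bits per key type)."""
    banned, min_bits = set(), {}
    for rule in (r.strip() for r in policy.split(",")):
        size = re.fullmatch(r"(\w+)\s+keySize\s*<\s*(\d+)", rule)
        if size:
            min_bits[size.group(1).upper()] = int(size.group(2))
        elif re.fullmatch(r"[\w-]+", rule):
            banned.add(rule.upper())
        # Rules with extra qualifiers (conditional constraints) are not modelled here.
    return banned, min_bits

def check_cert(text, policy=ASSUMED_POLICY):
    """List the policy rules violated by one certificate's text dump."""
    banned, min_bits = parse_policy(policy)
    findings = []
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text).group(1)
    findings += [f"signature {sig} uses disabled {b}" for b in sorted(banned) if b in sig.upper()]
    key = KEY_TYPES.get(re.search(r"Public Key Algorithm:\s*(\S+)", text).group(1))
    bits = int(re.search(r"Public-Key:\s*\((\d+) bit\)", text).group(1))
    if key in min_bits and bits < min_bits[key]:
        findings.append(f"{key} key is {bits} bits, minimum is {min_bits[key]}")
    return findings

if __name__ == "__main__":
    print({n: check_cert(t) for n, t in [("local CA", SAMPLE_LOCAL_CA), ("server", SAMPLE_SERVER)]})
```

Run the check against every certificate in the chain, because a Local Certificate Authority signed with a disabled algorithm causes the failure even when the server certificate itself passes.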

Resolving The Problem

The current Local Certificate Authority or Server Certificate assigned to the IBM i Host Servers and Telnet Server may be using a cipher spec that is no longer supported by Java.

To confirm the exact cause, use the following documentation to gather a TRCCNN trace while re-creating the problem. IBM i Support can use this trace to locate the exact cause.
1. Instructions for gathering TRCCNN: http://www-01.ibm.com/support/docview.wss?uid=nas8N1016231
2. Along with the TRCCNN, generate and package the ACS service logs with the following steps:
   - After the error prompts, select the option to Generate Service Logs. Click OK through the prompts.
   - Navigate to the Access Client Solutions main interface and select Package Service Logs from the Tools menu. This may take a minute.
   - Wait for the message "MSGGEN002 - Function completed successfully" and take the option to "Open Target Directory".
   - Submit the resulting .zip folder along with the TRCCNN QSYSPRT.txt file.

To correctly resolve this issue, the Local Certificate Authority or the Server Certificate will need to be renewed using a higher cipher spec within Digital Certificate Manager. This process is intrusive and may require a reboot of the Telnet Server and Host Servers.


Document Information

Modified date:
18 November 2024

UID

nas8N1022335