IBM Support

IT21420: TLS CONNECTION WITH TLS1.2 FROM SSP TO IBM STERLING B2B INTEGRATOR CDSA DOES NOT WORK WHEN SSP IS SET TO USE SSL-TLS1.2


APAR status

  • Closed as program error.

Error description

  • If a remote Connect:Direct PNODE configures TLS 1.0, 1.1 and
    1.2 and attempts to connect to the CDSA (which is configured
    for TLS 1.2), the session fails.

    Instead of choosing TLS 1.2 (which is the
    highest configured protocol in common between the PNODE and the
    CDSA), the CDSA fails as though the PNODE only supports
    TLS 1.0 (the CDSA ignores the PNODE's support for TLS 1.2).

    This is because the CDSA does not support the extended
    Secure+ protocol feature.
    Consequently, only the lowest protocol in the range is
    recognized by the CDSA.
    The extended protocol feature was introduced in the other
    Connect:Direct platforms when support for TLS 1.2 was released.

    The CDSA needs to support multiple Secure+ protocol selection
    so that it is able to successfully connect in the scenario
    above.
    

Local fix

  • STRRTC - 523729
    SB/SB
    
    Circumvention:
    NONE
    

Problem summary

  • Users Affected:
    B2B Integrator Users V5.2
    
    Problem Description:
    TLS connection with TLS 1.2 from SSP to IBM Sterling B2B
    Integrator CDSA does not work when SSP is set to use SSL-TLS 1.2
    
    
    Platforms Affected:
    All
    

Problem conclusion

  • Resolution Summary:
    The CDSA now supports the extended Secure+ protocol feature.
    Users can now configure more than one security protocol for a
    session.  Session negotiation will select the highest protocol
    in common.  In addition, a new "Connection Policy" option is
    available for handling inbound secure connections.  The policy
    may be set to "Restricted" (default) or "Open."  If
    "Restricted," the CDSA requires that the remote PNODE specify at
    least one of the security protocols configured at the CDSA in
    order to connect.  If "Open," the CDSA will allow a PNODE to
    connect using any TLS protocol.
    
    Delivered In:
    5020602_5
    5020603_3
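
The negotiation behaviour described in the error description and the resolution summary, as an added Python model (not IBM code and not part of the original APAR). The function names, the protocol labels, and the rule applied when "Open" finds no protocol in common (the PNODE's highest offer is used) are assumptions made for illustration.

```python
# Illustrative model only: names and the Open-policy selection rule are assumptions.
ORDER = ["TLS1.0", "TLS1.1", "TLS1.2"]  # lowest to highest, as named in the APAR


def rank(protocol):
    return ORDER.index(protocol)


def negotiate(pnode, cdsa, policy="Restricted", extended=True):
    """Return the protocol the session would use, or None if it fails.

    pnode, cdsa: sets of protocols configured on each side.
    extended=False models the pre-fix CDSA, which recognizes only the
    lowest protocol in the PNODE's range and has no Connection Policy.
    """
    if policy not in ("Restricted", "Open"):
        raise ValueError("policy must be 'Restricted' or 'Open'")
    if not pnode or not cdsa:
        raise ValueError("both sides need at least one protocol")
    offered = set(pnode)
    if not extended:
        offered = {min(offered, key=rank)}  # only the lowest is seen
    common = offered & set(cdsa)
    if common:
        return max(common, key=rank)  # highest protocol in common
    if extended and policy == "Open":
        # Assumption: the APAR says only that any TLS protocol is allowed;
        # this model picks the PNODE's highest offer.
        return max(offered, key=rank)
    return None


def below_floor(cdsa, policy, floor="TLS1.2"):
    """Protocols a PNODE could end up using that rank below `floor`."""
    reachable = set(ORDER) if policy == "Open" else set(cdsa)
    return sorted((p for p in reachable if rank(p) < rank(floor)), key=rank)


if __name__ == "__main__":
    pnode, cdsa = {"TLS1.0", "TLS1.1", "TLS1.2"}, {"TLS1.2"}  # APAR scenario
    print("pre-fix :", negotiate(pnode, cdsa, extended=False))
    print("post-fix:", negotiate(pnode, cdsa))
    for policy in ("Restricted", "Open"):
        print(policy, "allows below TLS1.2:", below_floor(cdsa, policy))
```

In this model, a CDSA configured for TLS 1.2 only keeps that floor under "Restricted", while "Open" lets a PNODE that offers only an older protocol still connect.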
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT21420

  • Reported component name

    STR B2B INTEGRA

  • Reported component ID

    5725D0600

  • Reported release

    526

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-07-12

  • Closed date

    2017-09-06

  • Last modified date

    2017-11-15

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    STR B2B INTEGRA

  • Fixed component ID

    5725D0600

Applicable component levels

  • R526 PSY

       UP


Document Information

Modified date:
15 November 2017