IBM Support

OA50456: CKNSERVE SELF-CONNECT AT-TLS HANDSHAKE TIMEOUT

A fix is available

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • When using AT-TLS protection with the zSecure Server
    (CKNSERVE), intermittent AT-TLS handshake timeouts may occur
    when establishing a self-connect connection.
    Example messages from the CKNSERVE log:
    10:48:38.577632 CKN006I 00 PROD established stream socket 29
    then 50 seconds later (5 x default HandshakeTimeout value):
    10:49:28.937171 CKN019I 08 BPX1AIO receive failed on socket 29
    RC 1121 connection reset by peer, reason 7665 0446x
    10:49:28.937514 CKN160I 00 Connection dropped socket 29 wait
    cancelled
    10:49:28.937975 CKN019I 08 BPX1AIO receive failed on socket 30
    RC 1121 connection reset by peer, reason 7665 7242x
    10:49:28.938114 CKN131I 04 System PROD not currently connected;
    call from CRMBMJ1  ASID 007A user CRMBMJ1
    
    Also Comms Server IP message EZD1287I with TTLS Error RC: 5004
    will be seen which means: "The first HandshakeTimeout interval
    expired"
    

Local fix

  • Amend the AT-TLS policy so that self-connect connections are
    not to be protected by TLS.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Users of zSecure Services for remote data    *
    *                 access (CKNSERVE) exploiting the software    *
    *                 using AT-TLS secured connections in          *
    *                 self-connect mode.                           *
    ****************************************************************
    * PROBLEM DESCRIPTION: zSecure Services for remote data access *
    *                      might stop operating in self-connect    *
    *                      mode using AT-TLS secured connections.  *
    ****************************************************************
    * RECOMMENDATION: Apply the PTF provided.                      *
    ****************************************************************
    When the zSecure Server (CKNSERVE) is used with AT-TLS secured
    connections in self-connect mode it might occasionally stop
    operating (timeout at the handshake phase of the communication).
    

Problem conclusion

  • zSecure Services for remote data access have been modified so
    that the server component (CKNSERVE) operates normally with
    AT-TLS secured connections in self-connect mode.
    

Temporary fix

Comments

APAR Information

  • APAR number

    OA50456

  • Reported component name

    ZSEC BASE,ADMIN

  • Reported component ID

    5655T0100

  • Reported release

    211

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-05-04

  • Closed date

    2016-06-10

  • Last modified date

    2016-07-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UA81942 UA81943

Modules/Macros

  •    CKNDPLX
    

Fix information

  • Fixed component name

    ZSEC BASE,ADMIN

  • Fixed component ID

    5655T0100

Applicable component levels

  • R211 PSY UA81942

       UP16/06/13 P F606

  • R220 PSY UA81943

       UP16/06/13 P F606

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU048","label":"IBM Software"}, "Product":{"code":"SSCE68R","label":"zSecure Admin"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"211","Edition":""}]

Document Information

Modified date:
04 July 2016