IBM Support

PI84402: CAN'T CONNECT TO ZOSMF ON JAVA MAINTENANCE LEVEL VERSION 8 SR4 FP5 OR FP6


APAR status

  • Closed as documentation error.

Error description

  • After updating Java 8.0_64 to SR4 FP5 or FP6, browsers could not
    connect to z/OSMF. No error messages are obvious. If Java is
    backed off to 8.0_64 SR4 FP2 or an earlier maintenance level,
    browsers could connect to z/OSMF again. This occurs on
    z/OSMF V2R1, V2R2 and V2R3.
    

Local fix

  • For a permanent fix, please apply Java APAR PI84229.
    
    Recommended Workaround
    Back off Java to 8.0_64 SR4 FP2 or earlier maintenance level.
    
    Before rolling back to a previous maintenance level, please visit
    the Java maintenance page at
    https://www.ibm.com/developerworks/java/jdk/fixes/8/index.html
    to understand the potential vulnerability exposure in earlier
    maintenance levels of Java.
    
    
    Optional Workaround
    If, for some reason, the Java maintenance level must stay at SR4
    FP5 or FP6, try the following workarounds on the browser side.
    PLEASE REMOVE THE BROWSER SIDE WORKAROUND AFTER THE PERMANENT FIX
    IS APPLIED.
    
    WORKAROUND:
    Prior to applying the Java SDK 8 SR4 FP10 Service Refresh, it
    may be possible to continue using zOSMF by following one of the
    workarounds below, for the browser in use. These workarounds
    will change the browser cipher suites which are used during SSL
    handshakes. In some cases, GCM ciphers will be disabled. In
    other cases, GCM ciphers will be moved lower in the cipher suite
    list, reducing the chance of them being selected when connecting
    to zOSMF.
    
    Firefox Browser:
    The website, http://kb.mozillazine.org/About:config, contains
    information on how to modify Firefox using about:config.
    The following steps can be performed in order to remove GCM
    ciphers from Firefox:
    1. Enter about:config in the browser's address bar.
    2. Search for "security.ssl3".
    3. There should be a list of cipher suites with boolean values,
    such as "security.ssl3.dhe_rsa_aes_128_sha".
    4. For all cipher suites which have "gcm" in the name, set the
    boolean value to false.
    5. RESTART Firefox.
    
    Note: This workaround is a temporary browser modification. The
    re-enabling of GCM ciphers will need to occur after installation
    of the fixed SDK(s) listed above.
    Restriction: Removing all GCM ciphers from Firefox may prevent
    connection to other websites if those websites only allow GCM
    ciphers.
    
    Internet Explorer and Edge Browsers:
    A blog entry from Microsoft,
    https://blogs.technet.microsoft.com/steriley/2007/11/07/changing-the-ssl-cipher-order-in-internet-explorer-7-on-windows-vista/,
    outlines the instructions to modify the order of the
    cipher suites for Internet Explorer and Edge:
    1. Open the group policy editor by entering gpedit.msc in a
    Windows "search programs and files" search or Run dialog box.
    2. Choose Computer Configuration > Administrative Templates >
    Network > SSL Configuration Settings.
    3. Select SSL Cipher Suite Order. Open with Right Click > Edit.
    4. On the left side on the SSL Cipher Suite Order dialog box
    select Enabled.
    5. Under Enabled on the left side, there is an Options section
    with SSL Cipher Suites. The string in this text field is an
    ordered list of cipher suites which the browser will use. Edit
    this list by changing the order of the GCM ciphers, ensuring the
    new entry is a comma-delimited value containing no spaces.
    For example, if the following list was present:
     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,...moreciphers
     change it to
     TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,...moreciphers
    6. Click OK and then close gpedit.msc.
    7. REBOOT the machine.
    
    Note: This workaround is a temporary browser modification. The
    re-ordering of GCM ciphers will need to occur after installation
    of the fixed SDK(s) listed above.
    Restrictions: Policy restrictions placed by your System
    Administrator, or your version of Windows, may prevent usage
    of gpedit. In these cases, consider using Firefox temporarily
    instead.
    
    REFERENCES:
    http://kb.mozillazine.org/About:config
    https://support.mozilla.org/en-US/questions/916646
    https://blogs.technet.microsoft.com/steriley/2007/11/07/changing-the-ssl-cipher-order-in-internet-explorer-7-on-windows-vista/
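
An added Python example, not part of the IBM APAR text, covering both browser workarounds above: demote_gcm builds the reordered SSL Cipher Suite Order string described in step 5 (rejecting spaces and empty entries), and disabled_gcm_prefs lists the GCM prefs a Firefox prefs.js still forces to false, so the workaround can be found and removed once the permanent fix is applied. The function names and sample inputs are assumptions constructed for illustration.

```python
import re

# Matches one user-set security.ssl3.* boolean line in a Firefox prefs.js file.
PREF_RE = re.compile(r'^user_pref\("(security\.ssl3\.[^"]+)",\s*(true|false)\);', re.M)


def parse_suite_order(value):
    """Split an SSL Cipher Suite Order string, rejecting spaces and empty entries."""
    if re.search(r"\s", value):
        raise ValueError("cipher suite list must not contain whitespace")
    suites = value.split(",")
    if "" in suites:
        raise ValueError("empty entry (doubled or trailing comma)")
    return suites


def demote_gcm(value):
    """Move GCM suites to the end of the list, keeping relative order in each group."""
    suites = parse_suite_order(value)
    non_gcm = [s for s in suites if "_GCM_" not in s]
    gcm = [s for s in suites if "_GCM_" in s]
    return ",".join(non_gcm + gcm)


def disabled_gcm_prefs(prefs_text):
    """Return security.ssl3.* GCM prefs that prefs.js still forces to false."""
    return sorted(name for name, val in PREF_RE.findall(prefs_text)
                  if "gcm" in name and val == "false")


# Constructed sample inputs (not taken from a real system).
SAMPLE_ORDER = ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,"
                "TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA")
SAMPLE_PREFS = '''\
user_pref("browser.startup.page", 3);
user_pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", false);
user_pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", false);
user_pref("security.ssl3.dhe_rsa_aes_128_sha", true);
'''

if __name__ == "__main__":
    print(demote_gcm(SAMPLE_ORDER))
    for name in disabled_gcm_prefs(SAMPLE_PREFS):
        print("workaround still active:", name)
```

An empty result from disabled_gcm_prefs means no GCM suite is still switched off in that profile.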
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of IBM z/OSMF V2R3, V2R2 and V2R1. *
    ****************************************************************
    * PROBLEM DESCRIPTION: After updating Java 8.0_64 to SR4 FP5   *
    *                      or FP6, browsers could not connect to   *
    *                      z/OSMF. No error messages are obvious.  *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    After updating Java 8.0_64 to SR4 FP5 or
    FP6, z/OSMF could not be connected to
    from a browser. No error messages are
    obvious.
    If Java is backed off to 8.0_64 SR4
    FP2 or an earlier maintenance level,
    z/OSMF could not be connected to from
    a browser.
    

Problem conclusion

  • After updating Java 8.0_64 to SR4 FP5 or
    FP6, z/OSMF could not be connected to
    from a browser. No error messages are
    obvious.
    If Java is backed off to 8.0_64 SR4
    FP2 or an earlier maintenance level,
    z/OSMF could not be connected to from
    a browser.
    This issue is caused and fixed by Java APAR PI84229.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI84402

  • Reported component name

    Z/OSMF CORE

  • Reported component ID

    5655S28SM

  • Reported release

    210

  • Status

    CLOSED DOC

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-07-13

  • Closed date

    2017-07-19

  • Last modified date

    2017-07-21

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Publications Referenced
SC27841900 SA38065700

Fix information

Applicable component levels


Document Information

Modified date:
21 July 2017