IBM Support

PM40106: TLS HANDSHAKE FAILURE WHEN SPECIFYING SUBNETS IN TTLS POLICY

A fix is available


APAR status

  • Closed as program error.

Error description

  • When specifying subnet prefixes in the IpAddrGroup we receive
    TLS handshake failures in job logs. If address ranges are
    specified in the IpAddrGroup everything works fine.
    
    Failing Definition:
    IpAddrGroup                       Pool_TN3270_SSL
    {
        IpAddrSet
        {
            Prefix 10.xxx.17.0/24
        }
        IpAddrSet
        {
            Prefix 10.xxx.14.0/24
        }
    }
    
    Working Definition:
    IpAddrGroup                       Pool_TN3270_SSL
    {
        IpAddrSet
        {
            Range 10.xxx.17.1-10.xxx.17.254
        }
        IpAddrSet
        {
            Range 10.xxx.14.1-10.xxx.14.254
        }
    }
    
    
    
    
    
    Keywords:
    IpAddrSet, EZZ6034I, 100B, CONN DROP, AT-TLS, ATTLS, TTLS,
    Configuration Assistant, Config Assistant
    
    
    
    Symptoms:
    1. EZZ6034I TELNET CONN 000343AE LU **N/A**  CONN DROP  ERR 100B
    238
      IP..PORT: 12.34.56.78....1234
    EZBTTRCV
    
    2. The IPAddress structures cond1FromAddr, cond2FromAddr,
    cond1ToAddr, and cond2ToAddr passed to
    convert_prefix_to_addrRange_v4 are not initialized prior to
    being used.
    

Local fix

  • Specify address ranges in the IpAddrGroup instead of subnet
    prefixes
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of the IBM Communications Server   *
    *                 for z/OS Version 1 Release(s) 10, 11, 12,    *
    *                 and 13 IP: Policy Agent (Pagent)             *
    ****************************************************************
    * PROBLEM DESCRIPTION: TLS handshake failure when specifying   *
    *                      subnets in TTLS policy rules.           *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When specifying subnet prefixes in the IpAddrGroup we receive
    TLS handshake failures in job logs. If address ranges are
    specified in the IpAddrGroup everything works fine.
    
    Failing Definition:
    IpAddrGroup  Pool_TN3270_SSL
    {
        IpAddrSet
        {
            Prefix 10.xxx.17.0/24
        }
        IpAddrSet
        {
            Prefix 10.xxx.14.0/24
        }
    }
    
    This was occurring because the IP address structure storage
    contained residual data in reserved fields for the structure.
    Since the problem depends on the storage initialization
    this problem may appear intermittently.
    +-------------------------------------------------------------+
    + Please check our Communications Server for OS/390 homepages +
    + for common networking tips and fixes.  The URL for these    +
    + homepages can be found in Informational APAR II11334.       +
    +-------------------------------------------------------------+
    

Problem conclusion

  • The Pagent code has been modified to clear storage before
    using the IP address structure.
    
    * Cross Reference between External and Internal Names
    EZAPALDP (LDAPCLNT)  EZAPATRT (PINITRTE)  EZAPATTL (PINITTLS)
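
How residual data in reserved fields can make a prefix-derived address fail to match until storage is cleared, as an added example (not IBM's Pagent code). The structure layout, `prefix_to_range_v4`, the whole-structure `memcmp` comparison and the 10.0.17.0/24 address are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout; the page does not show Pagent's IP address structure. */
typedef struct {
    uint8_t  family;      /* 4 = IPv4 */
    uint8_t  reserved[3]; /* reserved field, never written by the converter */
    uint32_t addr;        /* IPv4 address, host byte order */
} ip_address;

/* Writes only the meaningful fields of from/to for base/len (len 0..32). */
void prefix_to_range_v4(uint32_t base, unsigned len, ip_address *from, ip_address *to)
{
    uint32_t mask = len == 0 ? 0 : 0xFFFFFFFFu << (32 - len);
    from->family = to->family = 4;
    from->addr = base & mask;
    to->addr = (base & mask) | ~mask;
}

/* Whole-structure comparison (assumed): reserved bytes affect the result. */
int same_address(const ip_address *a, const ip_address *b)
{
    return memcmp(a, b, sizeof *a) == 0;
}

/* 1 if the converted lower bound equals a cleanly built reference.
   residue: byte value left in storage by a previous user (constructed). */
int lower_bound_matches(int clear_first, unsigned char residue)
{
    ip_address r[2], expected;
    memset(r, residue, sizeof r);   /* simulate stale storage */
    if (clear_first)
        memset(r, 0, sizeof r);     /* the fix: clear storage before use */
    prefix_to_range_v4(0x0A001100u, 24, &r[0], &r[1]); /* 10.0.17.0/24, constructed */
    memset(&expected, 0, sizeof expected);
    expected.family = 4;
    expected.addr = 0x0A001100u;
    return same_address(&r[0], &expected);
}

int main(void)
{
    printf("stale, not cleared: %d\n", lower_bound_matches(0, 0xAA));
    printf("stale, cleared:     %d\n", lower_bound_matches(1, 0xAA));
    printf("storage already 0:  %d\n", lower_bound_matches(0, 0x00));
    return 0;
}
```

The third case, where the storage happens to be zero already, matches without any clearing, which is why a defect of this kind shows up only intermittently.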
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM40106

  • Reported component name

    TCP/IP V3 MVS

  • Reported component ID

    5655HAL00

  • Reported release

    1A0

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2011-05-25

  • Closed date

    2011-06-21

  • Last modified date

    2011-08-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UK68970 UK68971 UK68972 UK68973

Modules/Macros

  • EZAPALDP EZAPATRT EZAPATTL
    

Fix information

  • Fixed component name

    TCP/IP V3 MVS

  • Fixed component ID

    5655HAL00

Applicable component levels

  • R1A0 PSY UK68970

       UP11/07/26 P F107

  • R1B0 PSY UK68971

       UP11/07/26 P F107

  • R1C0 PSY UK68972

       UP11/07/26 P F107

  • R1D0 PSY UK68973

       UP11/07/26 P F107

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
01 August 2011