IBM Support

IBM i ACS SSL Connections Fail with MSGGEN004

Troubleshooting


Problem

IBM i Access Client Solutions (ACS) SSL connections fail with MSGGEN004: "An unexpected end of the file or stream has been encountered (SSL peer shut down incorrectly)".

Symptom

IBM i ACS configured to use SSL fails with MSGGEN004: "An unexpected end of the file or stream has been encountered (SSL peer shut down incorrectly)". The failure may be intermittent, depending on which function is being used, or may appear after a system upgrade.

Cause

The MSGGEN004 error can occur for a few different reasons. The following are common causes:
1. The SSL configuration within DCM is incomplete.
2. The system was upgraded to a new version of the IBM i OS.
3. The SSL system values QSSLCSL, QSSLCSLCTL, and QSSLPCL are set to values that are disabled within System SSL (SSLCONFIG and TLSCONFIG at 7.4+).
4. Individual server applications within DCM have specific protocols and ciphers set that are outdated.

Environment

IBM i ACS configured to use SSL for connections to IBM i OS.

Diagnosing The Problem

Investigate the SSL configuration of the system: verify that the configuration within DCM is correct and that the SSL system values are set to values that are not disabled by System SSL. Communications tracing may also be helpful.

Resolving The Problem

MSGGEN004 generally means there is a configuration issue within SSL that affects all SSL connections. As mentioned above, there are various potential causes of this error. Analysis of communications traces and a review of the entire SSL configuration are needed to determine what is not configured correctly. Confirm that all IBM i Host Communications Servers and the Telnet server have a valid certificate assigned. If the needed server application doesn't have a certificate assigned, MSGGEN004 will be triggered.
If you have just upgraded to a new IBM i operating system release, note that new releases change which protocols and ciphers are permitted. Upgrading to 7.4 is a common cause of this error because it introduces major changes to System SSL: 7.4 introduces TLSv1.3 and disables most TLSv1.2 ciphers. If your QSSLCSL and QSSLPCL system values are still set to older protocols and ciphers that are now disabled, MSGGEN004 will be triggered. A common issue is that the QSSL system values were migrated from the older release and are no longer valid at 7.4.
The quickest solution is to set the QSSLCSL, QSSLCSLCTL, and QSSLPCL system values to *OPSYS (system defaults) to match the defaults shipped in the new OS. Another area to check is the server applications within DCM. They may have been changed from *PGM to have specific protocols and ciphers set instead. If those protocols and ciphers are older, you may need to remove them or change back to *PGM. Older protocols and ciphers can be re-enabled, but this is not suggested by IBM as it weakens the security of your system.
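
A client-side check that complements the communications trace, as an added example (not IBM's code): it attempts one handshake per TLS version against each port and separates a dropped handshake, which ACS reports as "SSL peer shut down incorrectly", from a TLS alert or an unreachable port. The service names and port numbers are assumed defaults that this page does not list; substitute the ports your servers actually use.

```python
import socket
import ssl

# Assumed default TLS ports (not listed on this page); adjust to your system.
DEFAULT_PORTS = {"telnet-ssl": 992, "as-signon-s": 9476}
VERSIONS = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def probe(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to a single TLS version.

    Returns (status, detail) where status is one of:
      ok          - handshake completed; detail is "protocol / cipher"
      peer_closed - server dropped the connection mid-handshake, the
                    condition behind "SSL peer shut down incorrectly"
      tls_error   - server answered with a TLS alert or other TLS failure
      tcp_error   - no usable TCP connection (refused, filtered, timeout)
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only protocol negotiation is being diagnosed, not certificate trust,
    # so verification is off. Never reuse this context for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok", f"{tls.version()} / {tls.cipher()[0]}"
    except (ConnectionResetError, BrokenPipeError) as exc:
        return "peer_closed", str(exc)
    except ssl.SSLError as exc:
        if isinstance(exc, ssl.SSLEOFError) or "EOF" in str(exc):
            return "peer_closed", str(exc)
        return "tls_error", exc.reason or str(exc)
    except OSError as exc:
        return "tcp_error", str(exc)


def survey(host, ports=DEFAULT_PORTS, versions=VERSIONS):
    """Probe every (service, version) pair; returns {(name, version): result}."""
    return {(name, v.name): probe(host, port, v)
            for name, port in ports.items() for v in versions}


if __name__ == "__main__":
    import sys
    for key, result in survey(sys.argv[1]).items():
        print(key, result)
```

A port that returns peer_closed for every version is consistent with a server application that has no certificate assigned; ok on one version and a failure on the other points at the protocol and cipher settings instead.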


Document Information

Modified date:
20 November 2024

UID

nas8N1021428