Fixes are available
CICS Transaction Gateway Desktop Edition V8.0 Fix Pack 6
IBM CICS Transaction Gateway for Multiplatforms - Version 8.1 - AIX
IBM CICS Transaction Gateway for Multiplatforms - Version 8.1 - Linux on zSeries
IBM CICS Transaction Gateway for Multiplatforms - Version 8.1 - Solaris
IBM CICS Transaction Gateway for Multiplatforms - Version 8.1 - HP-UX on Itanium
IBM CICS Transaction Gateway for Multiplatforms - Version 8.1 - Windows
CICS Transaction Gateway Desktop Edition - V8.1 -
CICS Transaction Gateway Desktop Edition - V8.1 -
CICS Transaction Gateway for Multiplatforms V8.0 Fix Pack 6
CICS Transaction Gateway Desktop Edition - V8.1 - Linux on POWER
CICS Transaction Gateway Desktop Edition - V8.1 - Solaris
APAR status
Closed as program error.
Error description
If an SSL connection does not complete its SSL handshake, subsequent SSL connection attempts are not processed and have to wait. Eventually the TCP/IP backlog limit is reached and subsequent SSL connection attempts are rejected immediately. In this situation NETSTAT shows that many connections are in CLOSE-WAIT state. Additional search words: ClosWait ClosWt CLOSEWAIT CLOSE_WAIT
Local fix
The connection causing the problem is in ESTABLISHED state, but no data has been transferred. Terminating this connection allows waiting connections to complete their SSL handshake.
Problem summary
**************************************************************** * USERS AFFECTED: All users of CICS TG with SSL connections * * from client applications. * **************************************************************** * PROBLEM DESCRIPTION: CICS TG stops processing SSL * * connection * **************************************************************** * RECOMMENDATION: * **************************************************************** When the SSL handshake on an SSL connection was delayed on the client side, subsequent SSL connection attempts were queued while they waited for the delayed SSL handshake to complete. NETSTAT showed these connections in ESTABLISHED state. If the TCP/IP backlog limit was reached, subsequent SSL connection attempts failed immediately and the waiting connections were left in CLOSE-WAIT state. The SSL protocol handler parameter connecttimeout was not effective for SSL handshaking. SSL handshakes would wait indefinitely if the client side did not complete the handshake.
Problem conclusion
CICS TG has been changed so that the SSL handshake time is included in the value specified for the SSL protocol handler connecttimeout parameter. After applying the fix for this APAR, it might be necessary to adjust the value specified for the SSL protocol handler connecttimeout parameter to allow SSL handshakes to complete. If the connecttimeout is set to zero, to ensure that a connection is refused if a ConnectionManager thread is not immediately available, the timeout value use for the SSL handshake is set to 2 seconds by default. If connection logging is active and the SSL handshake exceeds the set timeout value the following message is logged: CTG6566W Remote client <client_details> timed out during SSL handshake, connecttimeout is set to <connecttimeout> ms
Temporary fix
Comments
APAR Information
APAR number
PM23549
Reported component name
CICS TRNS GATE
Reported component ID
5724I8102
Reported release
800
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2010-09-30
Closed date
2011-03-24
Last modified date
2015-10-01
APAR is sysrouted FROM one or more of the following:
PM18492
APAR is sysrouted TO one or more of the following:
Modules/Macros
CTGV8DUM
Fix information
Fixed component name
CICS TRNS GATE
Fixed component ID
5724I8102
Applicable component levels
R800 PSY
UP
Document Information
Modified date:
06 January 2022