IBM Support

DFHWB0114 when using new AT-TLS configuration

Question & Answer


Question

I recently attempted to configure a new Application Transparent Transport Layer Security (AT-TLS) configuration within my CICS TS 5.3 region. I have tried to code SSL=NO and SSL=ATTLSAWARE on the TCPIPSERVICE definition. In both cases, I receive a DFHWB0114 message when I attempt to use the connection. Following is the complete message:

DFHWB0114 CWXN A non-HTTP request has been received by an HTTP service. The request has been rejected.

Answer

In both instances, with either SSL=NO or SSL=ATTLSAWARE coded on the TCPIPSERVICE definition, CICS expects only an HTTP request to arrive.

A CICS trace revealed that the incoming request was an SSL handshake request: the first word of the request was x'16030300'. However, the AT-TLS configuration on TCP/IP should not be sending SSL-type data to CICS. The failure happens because the request is an HTTPS request instead of an HTTP request.

It was discovered that the policy within TCP/IP had the parameter ApplicationControlled On coded. However, CICS is not able to control the SSL/TLS session. With this parameter turned on in the AT-TLS configuration, the handshake was being passed from TCP/IP to CICS instead of TCP/IP handling the SSL portions as it should. Coding ApplicationControlled Off resolved the problem of the handshake being passed to CICS.

It was also discovered that a keylabel was not being specified for the associated certificate. Either the keylabel must be specified, or the certificate being used must be specified as the default certificate. This has nothing to do with the handshake being passed to CICS, but it was also preventing the request from reaching CICS, so it is worth mentioning.
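To confirm from a trace whether the listener received a TLS record rather than HTTP, the first word can be decoded as shown in this added example, which is not IBM code. The function names `parse_trace_hex` and `classify_first_bytes` are hypothetical, and every sample other than x'16030300' is constructed.

```python
import re

# TLS record-layer content types and versions (RFC 5246, RFC 8446).
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}
TLS_VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}
HTTP_METHODS = (b"GET", b"POST", b"PUT", b"HEAD", b"DELETE",
                b"OPTIONS", b"PATCH", b"TRACE", b"CONNECT")


def parse_trace_hex(text):
    """Turn x'16030300', '16 03 03 00' or bare hex into bytes."""
    text = text.strip()
    quoted = re.fullmatch(r"[xX]'([0-9A-Fa-f\s]+)'", text)
    digits = quoted.group(1) if quoted else text
    return bytes.fromhex("".join(digits.split()))


def classify_first_bytes(data):
    """Return (kind, detail); kind is 'tls', 'http' or 'unknown'."""
    # TLS record header: content type, major version 3, minor version.
    if len(data) >= 3 and data[0] in TLS_CONTENT_TYPES and data[1] == 3:
        version = TLS_VERSIONS.get(data[2], "3.%d" % data[2])
        return "tls", "%s record, record-layer version %s" % (
            TLS_CONTENT_TYPES[data[0]], version)
    # HTTP request line: ASCII method followed by a space. A four-byte trace
    # word may hold only the start of the method, so accept a prefix match.
    for method in HTTP_METHODS:
        if data and (method + b" ").startswith(data[:len(method) + 1]):
            return "http", "request line begins with %s" % method.decode()
    return "unknown", "neither a TLS record header nor an HTTP method"


if __name__ == "__main__":
    samples = ["x'16030300'",   # first word quoted in the answer above
               "x'47455420'",   # constructed: ASCII "GET "
               "x'C7C5E340'"]   # constructed: EBCDIC "GET "
    for sample in samples:
        print(sample, classify_first_bytes(parse_trace_hex(sample)))
```

A `tls` result on a TCPIPSERVICE coded SSL=NO or SSL=ATTLSAWARE means the handshake reached CICS undecrypted, which is the condition described above.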


Product Synonym

CICS/TS CICSTS CICS TS CICS Transaction Server

Document Information

Modified date:
21 August 2018

UID

dwa1463320