Question & Answer
Why am I receiving DFHSO0223 return code 701 from function gsk_environment_open followed by an abend DFHSO0002 with severe error 080C and a number of other error messages when starting up CICS Transaction Sever for z/OS (CICS TS) 5.3? I have recently upgraded to CICS TS 5.3 and noticed that the System Initialization parameter ENCRYPTION is deprecated. I coded MINTLSLEVEL as TLS10, because I have not started using higher levels of AT-TLS yet. I am using z/OS 1.13.
These are the message I receive:
DFHSO0223 Return code 701 received from function gsk_environment_open
of System SSL. Reason: Unrecognized return code. Peer: 0.0.0.0,
DFHSO0002 A severe error (code X'080C') has occurred in module DFHSOSE
DFHME0116 CICS symptom string for message DFHSO0002
DFHAM4918 E The installation of URIMAP resourcename has failed because
its requested CIPHER list was rejected.
PIDS/5655Y0400 LVLS/700 MS/DFHSO0002 RIDS/DFHSOSE
When upgrading to CICS TS 5.3, any TCPIPService with Secure Sockets Layer (SSL) support - all options other than 'NO' - will cause CICS to initialize the SSL environment with TLS 1.0, TLS 1.1, and TLS 1.2. If the support is not available in z/OS, then the above messages occur. If a trace is gathered, the following trace entry indicates that the GSK (IBM Global Security Kit) environment failed to install because of an invalid attribute. The attribute is for TLS 1.2 support.
SO 080C SOSE *EXC* - SYSTEM_SSL_ERROR GSK RESPONSE GSK ATTRIBUTE_ INVALID_ID) FUNCTION(REBUILD_SSL) RESPONSE(DISASTER) REASON() GSK RETURN_CODE(2BD)
Although TLS 1.2 support is provided in z/OS V2.1, the function was provided somewhat later for z/OS 1.13 by the PTFs for APAR OA39422. There are also 'conditioning' PTFs for z/OS APAR OA37102 that are required.
The MINTLSLEVEL (TLS10 or TLS11 or TLS12), provides a MINIMUM level of TLS support, but not a maximum, with TLS12 providing support for the FIPS 140-2 standard.
Incidentally, the same error might be seen in CICS TS 5.1 or 5.2 in a z/OS 1.13 environment, if the PTF PM97207 is applied, and the System Initialization Table specifies ENCRYPTION=ALL (or TLS12, TLS12FIPS).
CICS/TS CICSTS CICS TS CICS Transaction Server
14 April 2016