A fix is available
APAR status
Closed as program error.
Error description
An FTP using the zOS FTP client to an ATTLS protected zOS FTP server can fail with error 534 TLS negotiation failed -- data connection closed. This occurs only when the client issues CCC after successfully logging into the server. verification steps: problem only occurs with ATTLS not native SSL FTP protection. A corresponding FTP server trace with debug sec acc enabled will show the following error which caused the 534 message to be issued: compareCertAttls: Data connection certificate does not match control connection certificate endSecureConn: entered Additional Symptom(s) Search Keyword(s): FTP 534 ATTLS
Local fix
code the following undocumented keyword in the FTP Server's FTP data file: tlscertcrosscheck = FALSE
Problem summary
**************************************************************** * USERS AFFECTED: * * All users of the IBM Communications Server * * for z/OS Version 2 Release 1 * * IP: FTP * **************************************************************** * PROBLEM DESCRIPTION: * * When FTP ATTLS is used and TLSRFCLEVEL * * is set to RFC4217, after CCC command, * * data connection fails with 534 error * * TLS negotiation failed -- data * * connection closed. * **************************************************************** * RECOMMENDATION: * * Apply PTF * **************************************************************** For ATTLS when data connection is established, FTP server needs to get control connection certificate and data connection certificate. After CCC command, control connection certificate will not be got any more, so data connection fails.
Problem conclusion
FTP server has been corrected.
Temporary fix
Comments
APAR Information
APAR number
PI18664
Reported component name
TCP/IP V3 MVS
Reported component ID
5655HAL00
Reported release
210
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2014-05-26
Closed date
2014-05-28
Last modified date
2014-08-04
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI18377
Modules/Macros
EZAFTPRX EZAFTPFU
Fix information
Fixed component name
TCP/IP V3 MVS
Fixed component ID
5655HAL00
Applicable component levels
R210 PSY UI18377
UP14/07/08 P F407
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"210","Edition":"","Line of Business":{"code":"","label":""}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSCY4DZ","label":"DO NOT USE"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"210","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
04 August 2014