Fixes are available
APAR status
Closed as program error.
Error description
SSL/TLS connections initiated by IDS Client based applications may fail due to ssl handshake timeout conditions. Currently the IDS clients/library do not provide any method to configure this client side SSL handshake timeout. These ssl timeout failures generate error code 406(GSK_ERROR_IO) entries within the IDS ldap client trace. 067:02:20:16 T3048 ssl_read: -----> Entering ssl_read 067:02:20:21 T3048 Error - ssl_read: select timed out after: 5.000000 sec 067:02:20:21 T3048 ssl_read: rc=-1 067:02:20:21 T3048 In ldap_start_tls_s_np(): gsk_secure_soc_init() rc=406 GSK_ERROR_IO 067:02:20:21 T3048 ldap_err2string: err(116) In some cases the error may be seen during ssl_write: Error - ssl_write: select timed out after: 5.000000 sec ssl_write: rc=-1 Other trace entries will indicate whether or not the timeout is within the ssl handshake process or within the ssl data I/O process. The following trace entry indicates that the timeout occurred within the ssl or tls handshake process. ... : gsk_secure_soc_init() rc=406 GSK_ERROR_IO
Local fix
For client side ssl handshake timeout failures the only work around is to resolve the reason for the long ssl handshake time. If the server side of the connectione does some form of remote lookup (e.g.: crl checking on a remote system) this may result in the operation hanging or timing out after 5 seconds.
Problem summary
Added an environment variable to control the client side ssl handshake timeout value: IDS_SSL_CLIENT_HANDSHAKE_TIMEOUT_MILLISECS The default timeout for client side ssl handshake is 5 seconds. To override the default value set the environment variable IDS_SSL_CLIENT_HANDSHAKE_TIMEOUT_MILLISECS to desired number of milli-seconds. e.g: To set the client side ssl handshake timeout to 10 seconds. On Unix platforms: export IDS_SSL_CLIENT_HANDSHAKE_TIMEOUT_MILLISECS=10000 On Windows: set IDS_SSL_CLIENT_HANDSHAKE_TIMEOUT_MILLISECS=10000 Restart the IDS client based application from the same shell in which the above environment variable is set.
Problem conclusion
The fix for this APAR will be contained in the following maintenance packages: | interim fix | 6.3.0.19-ISS-ITDS-IF0019 |
Temporary fix
Comments
APAR Information
APAR number
IO17647
Reported component name
IBM TIV DIR SER
Reported component ID
5724J3960
Reported release
630
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2012-11-28
Closed date
2013-01-23
Last modified date
2013-01-23
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IBM TIV DIR SER
Fixed component ID
5724J3960
Applicable component levels
R630 PSY
UP
Rate this page:
Average rating
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.