Fixes are available
Tivoli Directory Server, Version 22.214.171.124-ISS-ITDS-IF0027
Tivoli Directory Server, Version 126.96.36.199-ISS-ITDS-IF0029
Tivoli Directory Server, Version 188.8.131.52-ISS-ITDS-IF0030
Tivoli Directory Server, Version 184.108.40.206-ISS-ITDS-IF0031
Tivoli Directory Server, Version 220.127.116.11-ISS-ITDS-IF0032
Tivoli Directory Server, Version 18.104.22.168-ISS-ITDS-IF0033
Closed as program error.
SSL/TLS connections initiated by IDS client-based applications may fail because of SSL handshake timeout conditions. Currently the IDS clients/library do not provide any method to configure this client-side SSL handshake timeout. These SSL timeout failures generate error code 406 (GSK_ERROR_IO) entries within the IDS LDAP client trace.

    067:02:20:16 T3048 ssl_read: -----> Entering ssl_read
    067:02:20:21 T3048 Error - ssl_read: select timed out after: 5.000000 sec
    067:02:20:21 T3048 ssl_read: rc=-1
    067:02:20:21 T3048 In ldap_start_tls_s_np(): gsk_secure_soc_init() rc=406 GSK_ERROR_IO
    067:02:20:21 T3048 ldap_err2string: err(116)

In some cases the error may be seen during ssl_write:

    Error - ssl_write: select timed out after: 5.000000 sec
    ssl_write: rc=-1

Other trace entries will indicate whether the timeout is within the SSL handshake process or within the SSL data I/O process. The following trace entry indicates that the timeout occurred within the SSL or TLS handshake process.

    ... : gsk_secure_soc_init() rc=406 GSK_ERROR_IO
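A triage sketch for the trace entries described above, added here as an example and not IBM's code: it pairs each select timeout with a later gsk_secure_soc_init() rc=406 entry on the same thread to tag it as a handshake timeout. The function name, the "data_io_or_unknown" label and the T4100 sample lines are assumptions; the line layout is taken from the excerpt.

```python
import re

# Trace line layout as in the excerpt above: "DDD:HH:MM:SS T<thread> <message>"
LINE = re.compile(r"^(?P<ts>\d{3}:\d{2}:\d{2}:\d{2})\s+T(?P<tid>\d+)\s+(?P<msg>.*)$")
TIMEOUT = re.compile(
    r"Error - (?P<op>ssl_read|ssl_write): select timed out after: (?P<sec>[\d.]+) sec")
HANDSHAKE_FAIL = re.compile(r"gsk_secure_soc_init\(\) rc=406 GSK_ERROR_IO")

def classify_timeouts(lines):
    """Return one finding per SSL select timeout, tagged by phase.

    A timeout is tagged 'handshake' when the same thread later logs
    gsk_secure_soc_init() rc=406; otherwise 'data_io_or_unknown'
    (that second label is this example's assumption).
    """
    findings, pending = [], {}  # pending: thread id -> index of its open finding
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        tid, msg = m["tid"], m["msg"]
        t = TIMEOUT.search(msg)
        if t:
            findings.append({"ts": m["ts"], "thread": tid, "op": t["op"],
                             "seconds": float(t["sec"]),
                             "phase": "data_io_or_unknown"})
            pending[tid] = len(findings) - 1
        elif HANDSHAKE_FAIL.search(msg) and tid in pending:
            findings[pending.pop(tid)]["phase"] = "handshake"
    return findings

# Constructed sample: the T3048 lines follow the excerpt; the T4100 lines are invented.
SAMPLE = """\
067:02:20:16 T3048 ssl_read: -----> Entering ssl_read
067:02:20:21 T3048 Error - ssl_read: select timed out after: 5.000000 sec
067:02:20:21 T3048 ssl_read: rc=-1
067:02:20:21 T3048 In ldap_start_tls_s_np(): gsk_secure_soc_init() rc=406 GSK_ERROR_IO
067:02:20:21 T3048 ldap_err2string: err(116)
067:02:21:40 T4100 Error - ssl_write: select timed out after: 5.000000 sec
067:02:21:40 T4100 ssl_write: rc=-1
""".splitlines()

if __name__ == "__main__":
    for f in classify_timeouts(SAMPLE):
        print(f"{f['ts']} T{f['thread']} {f['op']} timed out after "
              f"{f['seconds']:.1f}s -> {f['phase']}")
```

Timeouts tagged "handshake" are the ones the handshake timeout setting can affect; the others need the surrounding trace entries to be read by hand.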
For client-side SSL handshake timeout failures, the only workaround is to resolve the reason for the long SSL handshake time. If the server side of the connection does some form of remote lookup (e.g. CRL checking on a remote system), this may result in the operation hanging or timing out after 5 seconds.
Added an environment variable to control the client-side SSL handshake timeout value: IDS_SSL_CLIENT_HANDSHAKE_TIMEOUT_MILLISECS

The default timeout for the client-side SSL handshake is 5 seconds. To override the default value, set the environment variable IDS_SSL_CLIENT_HANDSHAKE_TIMEOUT_MILLISECS to the desired number of milliseconds.

For example, to set the client-side SSL handshake timeout to 10 seconds:

On Unix platforms:

    export IDS_SSL_CLIENT_HANDSHAKE_TIMEOUT_MILLISECS=10000

On Windows:

    set IDS_SSL_CLIENT_HANDSHAKE_TIMEOUT_MILLISECS=10000

Restart the IDS client-based application from the same shell in which the above environment variable is set.
The fix for this APAR will be contained in the following maintenance packages:

| interim fix | 22.214.171.124-ISS-ITDS-IF0027 |
Reported component name
IBM TIV DIR SER
Reported component ID
Last modified date
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fixed component name
IBM TIV DIR SER
Fixed component ID
Applicable component levels