IBM Support

PH35332: CICS TG TO SUPPORT TLSV1.0, TLSV1.1 AND TLSV1.2 PROTOCOLS


APAR status

  • Closed as program error.

Error description

  • If a client sends a TLSv1.2 request, CICS TG rejects the
    request with javax.net.ssl.SSLHandshakeException, resulting
    in an SSL handshake failure.
    

Local fix

Problem summary

  • By default, CICS TG created the SSLContext with SSL_TLS,
    which enables SSL V3.0 and TLS 1.0. Hence CICS TG could not
    accept TLSv1.2 requests.

    The behavior of CICS TG was as follows:
      A) By default, TLSv1.2 was not supported by CICS TG. CICS
         TG allowed only SSLv3 and TLSv1.0.
      B) If com.ibm.jsse2.sp800-131=strict is set, then only TLSv1.2
         is supported, with SP800-131A compliance.
      C) If com.ibm.jsse2.sp800-131=transition is set, then TLSv1.0
         is set.
      D) If com.ibm.jsse2.sp800-131=transition and
         com.ibm.jsse2.overrideDefaultTLS=true are set, then
         TLSv1.0, TLSv1.1 and TLSv1.2 are set.
    

Problem conclusion

  • CICS TG is changed to add default support for TLSv1.2 requests
    and to provide com.ibm.jsse2.overrideDefaultProtocol support,
    as described in https://ibm.biz/BdfjkQ
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH35332

  • Reported component name

    CICS TRNS GATE

  • Reported component ID

    5724I8103

  • Reported release

    920

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-03-15

  • Closed date

    2021-03-15

  • Last modified date

    2021-03-15

  • APAR is sysrouted FROM one or more of the following:

    PI88428

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    CICS TRNS GATE

  • Fixed component ID

    5724I8103

Applicable component levels


Document Information

Modified date:
16 March 2021