APAR status
Closed as program error.
Error description
If a client sends a TLSv1.2 request, CICS TG rejects the request with javax.net.ssl.SSLHandshakeException, resulting in an SSL handshake failure.
Local fix
Problem summary
By default, CICS TG created the SSLContext with SSL_TLS, which enables SSL V3.0 and TLS 1.0. As a result, CICS TG could not accept TLSv1.2 requests. The behavior of CICS TG was as follows:
A) By default, TLSv1.2 was not supported by CICS TG. CICS TG allowed only SSLv3 and TLSv1.0.
B) If com.ibm.jsse2.sp800-131=strict is set, then only TLSv1.2 is supported, with sp800-131A compliance.
C) If com.ibm.jsse2.sp800-131=transition is set, then TLSv1.0 is set.
D) If com.ibm.jsse2.sp800-131=transition and com.ibm.jsse2.overrideDefaultTLS=true are set, then TLSv1.0, TLSv1.1 and TLSv1.2 are set.
Problem conclusion
CICS TG has been changed to support TLSv1.2 requests by default and to provide com.ibm.jsse2.overrideDefaultProtocol support, as described in https://ibm.biz/BdfjkQ
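To confirm which protocols a given JVM enables for each SSLContext name, the following diagnostic can be run with the same JVM and -D options as the gateway. It is an added example, not part of the APAR or of CICS TG; the class name TlsContextCheck is hypothetical, and only the system property names and the SSL_TLS context name come from this page.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;

// Hypothetical class name; not CICS TG code.
public class TlsContextCheck {
    // JSSE system properties named in this APAR.
    static final String[] PROPS = {
        "com.ibm.jsse2.sp800-131",
        "com.ibm.jsse2.overrideDefaultTLS",
        "com.ibm.jsse2.overrideDefaultProtocol"
    };
    // "SSL_TLS" is the context name the APAR says was used; JVMs whose
    // provider lacks it report "not available". "TLS" and "TLSv1.2" are standard names.
    static final String[] CONTEXTS = { "SSL_TLS", "TLS", "TLSv1.2" };

    // Protocols enabled on a server socket created from the named context.
    // The socket is never bound, so no network traffic is generated.
    static String[] serverProtocols(String contextName)
            throws GeneralSecurityException, IOException {
        SSLContext ctx = SSLContext.getInstance(contextName);
        ctx.init(null, null, null); // default key/trust managers suffice here
        try (SSLServerSocket s =
                 (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket()) {
            return s.getEnabledProtocols();
        }
    }

    public static void main(String[] args) {
        for (String p : PROPS) {
            System.out.println(p + " = " + System.getProperty(p, "<unset>"));
        }
        for (String name : CONTEXTS) {
            try {
                String[] enabled = serverProtocols(name);
                boolean tls12 = Arrays.asList(enabled).contains("TLSv1.2");
                System.out.printf("%-8s enabled=%s TLSv1.2 enabled: %s%n",
                        name, Arrays.toString(enabled), tls12 ? "yes" : "NO");
            } catch (GeneralSecurityException | IOException e) {
                // NoSuchAlgorithmException when the provider lacks this context name.
                System.out.printf("%-8s not available: %s%n", name, e.getMessage());
            }
        }
    }
}
```

A context that reports "NO" for TLSv1.2 matches the failure described above: a TLSv1.2 client and that server socket share no protocol version, so the handshake is rejected.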
Temporary fix
Comments
APAR Information
APAR number
PH35332
Reported component name
CICS TRNS GATE
Reported component ID
5724I8103
Reported release
920
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-03-15
Closed date
2021-03-15
Last modified date
2021-03-15
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
CICS TRNS GATE
Fixed component ID
5724I8103
Applicable component levels
Document Information
Modified date:
16 March 2021