A fix is available
APAR status
Closed as program error.
Error description
Starting with 6.23 FP5, the Situation Update Forwarder (SUF) cannot connect via HTTPS to a management server when the management server is using the TLS_RSA_WITH_AES_256_CBC_SHA cipher. Once the HTTPS connection fails, the code will try to connect with HTTP, which will also fail.

Approver: MK

Related Files and Output:
No error is logged; however, with tracing enabled, the log file /tmp/itmsync/logs/synch_trace.log will show a call using https followed by a call using http. If the https connection fails, it will try using http. This failed https connection attempt can occur for other reasons besides this APAR.

2014.08.06 15:50:38.237-04:00 com.tivoli.candlenet.SOAPConnection sendRequest IBM Tivoli Monitoring Tivoli Event Synchronization system1.xxx.com IP SOAP URL is: https://system2.com:3661///cms/soap/kshhsoap.htm

This is the second call, using http.

2014.08.06 15:50:39.144-04:00 com.tivoli.candlenet.SOAPConnection sendRequest IBM Tivoli Monitoring Tivoli Event Synchronization system1.xxx.com IP SOAP URL is: http://system2.com:3661///cms/soap/kshhsoap.htm

After the above call fails, it will try again using http:

2014.08.06 15:50:39.154-04:00 com.tivoli.candlenet.SituationUpdateForwarder testConnection IBM Tivoli Monitoring Tivoli Event Synchronization system1.tivlab.raleigh.ibm.com IP java.net.SocketException: Connection reset
    at java.net.SocketInputStream.read(SocketInputStream.java:168)
    at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
    at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)
    at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
    at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:699)
    at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:642)
    at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:664)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1218)
    at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:379)
    at com.tivoli.candlenet.SOAPConnection.getResponseCode(Unknown Source)
    at com.tivoli.candlenet.SOAPConnection.getResponse(Unknown Source)
    at com.tivoli.candlenet.SituationUpdateForwarder.testConnection(Unknown Source)
    at com.tivoli.candlenet.SituationUpdateForwarder.main(Unknown Source)
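Because the failed HTTPS attempt is not logged as an error, the retry over HTTP is easy to miss. The following check is an added example, not part of the APAR or of IBM's code: it scans trace lines of the shape shown above and flags an HTTPS SOAP request that is followed shortly by an HTTP request to the same endpoint. The 5-second window and the sample lines are assumptions constructed from the excerpt.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Trace line shape taken from the excerpt: "<timestamp> ... SOAP URL is: <url>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{2}:\d{2}) "
    r".*?SOAP URL is: (?P<url>https?://\S+)"
)
TS_FORMAT = "%Y.%m.%d %H:%M:%S.%f%z"

def find_cleartext_fallbacks(lines, window=timedelta(seconds=5)):
    """Return (https_time, http_time, endpoint) for each HTTPS request that is
    followed within `window` by an HTTP request to the same host, port and path."""
    last_https = {}   # endpoint -> time of the most recent HTTPS attempt
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # stack-trace lines and unrelated trace entries
        when = datetime.strptime(m.group("ts"), TS_FORMAT)
        url = urlsplit(m.group("url"))
        endpoint = (url.hostname, url.port, url.path)
        if url.scheme == "https":
            last_https[endpoint] = when
        elif endpoint in last_https:
            tried = last_https.pop(endpoint)
            if timedelta(0) <= when - tried <= window:
                findings.append((tried, when, endpoint))
    return findings

# Constructed sample input modelled on the trace excerpt (hosts 3 and 4 are made up).
SAMPLE_TRACE = """\
2014.08.06 15:50:38.237-04:00 com.tivoli.candlenet.SOAPConnection sendRequest IBM Tivoli Monitoring Tivoli Event Synchronization system1.xxx.com IP SOAP URL is: https://system2.com:3661///cms/soap/kshhsoap.htm
2014.08.06 15:50:39.144-04:00 com.tivoli.candlenet.SOAPConnection sendRequest IBM Tivoli Monitoring Tivoli Event Synchronization system1.xxx.com IP SOAP URL is: http://system2.com:3661///cms/soap/kshhsoap.htm
2014.08.06 15:50:39.154-04:00 com.tivoli.candlenet.SituationUpdateForwarder testConnection IBM Tivoli Monitoring Tivoli Event Synchronization system1.xxx.com IP java.net.SocketException: Connection reset
2014.08.06 15:51:02.010-04:00 com.tivoli.candlenet.SOAPConnection sendRequest IBM Tivoli Monitoring Tivoli Event Synchronization system1.xxx.com IP SOAP URL is: https://system3.example:3661///cms/soap/kshhsoap.htm
2014.08.06 15:52:10.500-04:00 com.tivoli.candlenet.SOAPConnection sendRequest IBM Tivoli Monitoring Tivoli Event Synchronization system1.xxx.com IP SOAP URL is: http://system4.example:3661///cms/soap/kshhsoap.htm
""".splitlines()

if __name__ == "__main__":
    for tried, fell_back, (host, port, path) in find_cleartext_fallbacks(SAMPLE_TRACE):
        print(f"{fell_back.isoformat()} HTTPS to {host}:{port} failed; retried over HTTP")
```

A hit means the forwarder attempted the same SOAP request without TLS; as the description notes, the HTTPS failure behind it can have causes other than this APAR.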
Local fix
None.
Problem summary
Situation Update Forwarder cannot connect via HTTPS when the TLS_RSA_WITH_AES_256_CBC_SHA cipher is used.

Starting with 6.23 FP5 and 6.30 FP3, the Situation Update Forwarder (SUF) cannot connect to a monitoring server on z/OS when the TLS_RSA_WITH_AES_256_CBC_SHA cipher is used. The JRE shipped as part of SUF was updated to 1.6 SR13 FP2. In addition to a code change, updated JCE Policy Files are needed for some cipher suites. See the Install Actions section of the conclusion of this APAR for more information.
Problem conclusion
The code was changed to include context TLS. In addition to the code change, some cipher suites require an updated policy file. See the Install Actions below for more details.

Install Actions:
In accordance with the United States of America export restrictions, Java(TM) that is bundled with the server has limited encryption key sizes that can be used in the server operation. Some cipher suites, including TLS_RSA_WITH_AES_256_CBC_SHA, require the installation of the JCE Unlimited Strength Jurisdiction Policy Files. The following link lists which cipher suites require the updated policy files.
http://www.ibm.com/support/knowledgecenter/SSYKE2_6.0.0/com.ibm.java.security.component.60.doc/security-component/jsse2Docs/ciphersuites.html

The following steps can be used to install the JCE Unlimited Strength Jurisdiction Policy files:
Go to the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.
- Click "Java SE 6".
- Click "IBM SDK Policy files" under section "IBM SDK Policy files".
- Click "ibm.com" website. The Unrestricted JCE Policy files website is displayed.
- Provide your IBM ID and password and click Sign in. You might need to register with IBM to download the files.
- Select "Files for Java 5.0 SR16, Java 6 SR13, Java 6 SR5 (J9 VM2.6), Java 7 SR4, and all later releases" and click Continue.
- View the license agreement and then select "I Agree".
- Click I confirm and then Download now to save the file on the hard disk of your computer.
- Install the files:
-- Stop the SUF server.
-- Extract the file unrestricted.zip into a directory of your choice.
-- Back up the existing files <SUF Install>/jre/lib/security/local_policy.jar and US_export_policy.jar.
-- Copy the .jar files from the extraction directory to the following directory on the SUF server:
---- <SUF Install>/jre/lib/security
-- Restart the SUF server.

The fix for this APAR is contained in the following maintenance packages:
| fix pack | 6.3.0-TIV-ITM-FP0004
Temporary fix
Comments
APAR Information
APAR number
IV63290
Reported component name
TEMS
Reported component ID
5724C04MS
Reported release
623
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2014-08-07
Closed date
2014-09-09
Last modified date
2014-12-20
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TEMS
Fixed component ID
5724C04MS
Applicable component levels
R630 PSY
UP
Document Information
Modified date:
20 December 2014