APAR status
Closed as documentation error.
Error description
use of AT-TLS with zOSMF ports can result in unexpected connection failures , such as IZUG476E
Local fix
disable AT-TLS for the zOSMF port on all systems
Problem summary
**************************************************************** * USERS AFFECTED: * * All users of IBM z/OSMF V2R2, V2R3. * **************************************************************** * PROBLEM DESCRIPTION: * * The z/OSMF Configuration Guide does not document that the * * z/OSMF server port uses Java SSL encryption by default to * * protect its outbound HTTPS connections. Enabling AT-TLS on * * the z/OSMF port can result in unexpected java exceptions and * * z/OSMF error messages. * **************************************************************** * RECOMMENDATION: * **************************************************************** The z/OSMF Configuration Guide does not document that the z/OSMF server port uses Java SSL encryption by default to protect its outbound HTTPS connections. Enabling AT-TLS on the z/OSMF port can result in unexpected java exceptions and z/OSMF error messages.
Problem conclusion
V2R3 z/OSMF Configuration Guide was updated to add the AT-TLS configuration restriction for z/OSMF server port. For z/OSMF V2R2, please refer to the following restrictions: HTTP_SSL_PORT(nnn) Identifies the port number that is associated with the z/OSMF server. This port is used for SSL encrypted traffic from your z/OSMF configuration. The default value, 443, follows the Internet Engineering Task Force (IETF) standard. By default, the z/OSMF server uses the SSL protocol SSL_TLSv2 for se-cure TCP/IP communications. As a result, the server can accept incoming connections that use SSL V3.0 and the TLS 1.0, 1.1 and 1.2 protocols. The z/OSMF server port uses Java SSL encryption to protect its outbound HTTPS connections. Therefore, it is not necessary (or possible) to configure AT-TLS on the z/OSMF server port. If you attempt to do so, the z/OSMF server will encounter HTTP connection failures and errors, such as the following, in the server logs directory: 1. IZUG476E: The HTTP request to the secondary z/OSMF instance "209" failed with error type "CertificateError" and response code "0" 2. javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection? Rules: Must be have TCP/IP port number Value range: 1 - 65535 (up to 5 digits) Default: 443
Temporary fix
Comments
APAR Information
APAR number
PH10056
Reported component name
Z/OSMF INCIDENT
Reported component ID
5655S2805
Reported release
235
Status
CLOSED DOC
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-03-22
Closed date
2019-06-03
Last modified date
2019-06-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
| SC27841930 |
Fix information
Applicable component levels
[{"Business Unit":{"code":null,"label":null},"Product":{"code":"SG19O","label":"APARs - MVS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"235","Edition":"","Line of Business":{"code":"","label":""}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"235","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
03 June 2019