IBM Support

PH57056: DFHSO123 RETURN CODE 420 TLS HANDSHAKE FAILURE AFTER CICS REUSES A CACHED URIMAP IP ADDRESS.

A fix is available


APAR status

  • Closed as program error.

Error description

  • After upgrading from CICS TS 5.4 to 6.1 we had an issue on
    one of our AORs with a CICS sockets connection;
    CICS is the client. The application had switched to an
    alternative destination IP for the connected server which we
    believe should have caused an error, a fresh call to the
    DNS server and then an update to the IP address after which
    traffic should resume.
    We see the messages below:
    DFHSO0123 31/08/2023 04:53:10 CICS1 Return code 420 received
    from function gsk_secure_socket_init  of System SSL. Reason:
    Handshake abandoned by peer. Peer: nn.nn.nnn.1,
    TCPIPSERVICE: *NONE*.
    .
    DFHSO0399 31/08/2023 04:53:10 CICS1 Client side of TLS
    handshake failed: Socket closed by remote partner.
    Local certificate:Cert, Host: transaction¯gateway, Port: 00ppp,
    URIMAP: MMMMMMM, TRANSID:TTTT, USERID: UUUUUUUU,
    PROGRAM: DFHMIRS, z/OS System SSL return code: 420.
    What we don't know is whether CICS had cached the IP address
    and wasn't requesting a refreshed one or whether the
    DNS server was sending the old one repeatedly.
    .
    A dump was taken.
    The trace shows repeated attempts to access the
    original remote server.  Every attempt is using a new
    connection because the socket pool is empty.
    This implies that the sockets did get closed as part of
    the switchover process of the remote server.
    The WEB OPEN is successful using the old IP address.
    At CICS TS 6.1 the WEB OPEN URIMAP command uses the cached
    IP address and HTTP information.
    The application issues a CONNECT and that works because the
    original server is still operational.
    The WEB SEND fails immediately during the TLS handshake
    due to the connection being closed.
    

Local fix

  • DISABLE and ENABLE the URIMAP to clear out the cached IP
    address and force the next WEB OPEN to do a new DNS lookup.
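
To find URIMAPs that are candidates for this local fix, the following added example (not IBM code) counts DFHSO0399 client-side handshake failures with System SSL return code 420 per URIMAP across wrapped message lines. The log excerpt is constructed from the message text quoted above; the URIMAP names, host, port, return code 406 and the threshold of 3 are assumptions.

```python
import re
from collections import Counter

# Constructed sample modelled on the DFHSO0399 text in this APAR; the URIMAP
# names, host, port and times are placeholders, not values from a real region.
TEMPLATE = ("DFHSO0399 31/08/2023 {t} CICS1 Client side of TLS\n"
            "handshake failed: Socket closed by remote partner.\n"
            "Local certificate:Cert, Host: backend.example, Port: 00443,\n"
            "URIMAP: {u}, TRANSID:TTTT, USERID: UUUUUUUU,\n"
            "PROGRAM: DFHMIRS, z/OS System SSL return code: {rc}.\n")
SAMPLE_LOG = "".join(TEMPLATE.format(t=t, u=u, rc=rc) for t, u, rc in [
    ("04:53:10", "URIMAPA", 420), ("04:53:12", "URIMAPA", 420),
    ("04:53:15", "URIMAPA", 420), ("04:54:01", "URIMAPB", 420),
    ("04:55:30", "URIMAPC", 406)])

# One DFHSO0399 message may wrap over several lines, so match across newlines
# from the message id up to the return code that ends the message.
MSG = re.compile(r"DFHSO0399\b(.*?)z/OS System SSL return code:\s*(\d+)", re.S)
URIMAP = re.compile(r"URIMAP:\s*(\S+?),")

def stuck_urimaps(log_text, threshold=3):
    """Return URIMAPs with at least `threshold` DFHSO0399 failures with code 420.

    Repeated 420 failures on one URIMAP are only a hint that a stale cached
    address may be in use; the threshold is an assumed value, tune it locally.
    """
    hits = Counter()
    for body, rc in MSG.findall(log_text):
        urimap = URIMAP.search(body)
        if rc == "420" and urimap:
            hits[urimap.group(1)] += 1
    return sorted(name for name, count in hits.items() if count >= threshold)

if __name__ == "__main__":
    for name in stuck_urimaps(SAMPLE_LOG):
        print("candidate for DISABLE/ENABLE:", name)
```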
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS users.                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: In an active/active setup when a server *
    *                      switch occurs and the original server   *
    *                      can still be connected to, CICS clients *
    *                      sending requests do not perform a DNS   *
    *                      lookup to get the IP address of the new *
    *                      target server.                          *
    ****************************************************************
    In CICS 6.1 IP address caching was introduced. CICS only updates
    a cached IP address that is associated with a URIMAP when a
    CONNECT attempt fails, but not when a SEND attempt fails.
    
    In DFHWBCL, if a send fails CICS will attempt to reconnect to
    the server, but only by using the cached IP address. CICS then
    continues using the cached IP address and sends requests to the
    original server - these requests then fail as the TLS handshake
    will find the connection is closed.
    
    The only way to stop this is to disable and enable the URIMAP
    that is using the cached IP address, or to recycle CICS.
    

Problem conclusion

  • CICS has been updated so when a send, using a cached IP address,
    fails due to the connection being closed it will perform a DNS
    lookup to update the cached IP address before reconnecting.
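
The difference between the original and the corrected behaviour can be seen in a small model. This is an added example, not CICS code: the classes, the single reconnect-and-retry, and the addresses are assumptions made for illustration.

```python
# Simplified model of the caching behaviour described in this APAR; not CICS code.
# After the switch DNS returns NEW_IP; the old server may still accept connections.
# Class names and addresses are hypothetical (192.0.2.0/24 is documentation space).
OLD_IP, NEW_IP = "192.0.2.10", "192.0.2.20"

class Network:
    def __init__(self):
        self.switched, self.old_up, self.dns_lookups = False, True, 0
    def resolve(self):
        self.dns_lookups += 1
        return NEW_IP if self.switched else OLD_IP
    def connect(self, ip):
        if ip == OLD_IP and not self.old_up:
            raise ConnectionRefusedError(ip)
        return ip                          # the "socket" is just the peer address
    def send(self, sock):
        if self.switched and sock == OLD_IP:
            raise ConnectionResetError("TLS handshake abandoned by peer")
        return "response from " + sock

class Client:
    def __init__(self, net, refresh_on_send_failure):
        self.net, self.refresh = net, refresh_on_send_failure
        self.cached_ip = None              # filled by the first open
    def open(self):
        if self.cached_ip is None:
            self.cached_ip = self.net.resolve()
        try:
            return self.net.connect(self.cached_ip)
        except ConnectionRefusedError:     # CONNECT failure: cache is refreshed
            self.cached_ip = self.net.resolve()
            return self.net.connect(self.cached_ip)
    def request(self):
        for _ in range(2):                 # first send, then one reconnect and retry
            try:
                return self.net.send(self.open())
            except ConnectionResetError:   # SEND failure
                if self.refresh:           # only the fixed behaviour re-resolves here
                    self.cached_ip = self.net.resolve()
        return None                        # both attempts failed

def simulate(refresh_on_send_failure, recycle_urimap=False, old_server_up=True):
    net = Network()
    client = Client(net, refresh_on_send_failure)
    client.request()                       # warm the cache with OLD_IP
    net.switched, net.old_up = True, old_server_up
    if recycle_urimap:                     # local fix: DISABLE/ENABLE clears the cache
        client.cached_ip = None
    outcomes = [client.request() is not None for _ in range(3)]
    return outcomes, client.cached_ip, net.dns_lookups
```

`simulate(False)` models the reported failure, `simulate(True)` the corrected behaviour, `recycle_urimap=True` the local fix, and `old_server_up=False` the case where a failed CONNECT already refreshed the cache.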
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH57056

  • Reported component name

    CICS TS Z/OS V6

  • Reported component ID

    5655YA100

  • Reported release

    400

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2023-09-20

  • Closed date

    2023-12-19

  • Last modified date

    2024-01-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI94993

Modules/Macros

  • DFHWBCL  DFHWBCLI DFHWBDUF DFHWBSO  DFHWBSV  DFHWBXM
    

Fix information

  • Fixed component name

    CICS TS Z/OS V6

  • Fixed component ID

    5655YA100

Applicable component levels

  • R400 PSY UI94993

       UP23/12/20 P F312



Document Information

Modified date:
02 January 2024