IBM Support

PH02312: IBM EXPLORER FOR Z/OS - ZEXPL - RSE SERVER TLS SESSION IS NOT USING THE EXPECTED CIPHER SUITE FOR THE CLIENT CONNECTION

A fix is available

Obtain the fix for this APAR.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • IBM Explorer for z/OS - zExpl - RSE Server TLS session is not
using the expected cipher suite for the client connection

The Remote System Explorer (RSE) Daemon is using 2 character
cipher suites that are proposed in the rse.env >
GSK_V3_CIPHER_SPECS.  However, the RSE Server is using a 4
character cipher that cannot be specified in the
GSK_V3_CIPHER_SPECS.

The negotiation for the RSE Daemon is logged in the RSE Daemon
log, and you can see that is correctly selects from the list
presented in the GSK_V3_CIPHER_SPECS.  For example, in the log
you may see this entry:
GSK_CONNECT_CIPHER_SPEC=2F (TLS_RSA_WITH_AES_128_CBC_SHA).
However, in the RSECOMM log you may see this trace entry:
ConnectionEstablisher: SSL/TLS Cipher Suite:
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
this is a 4 character cipher of C030.

Local fix

  • none available.

Problem summary

  • ****************************************************************
* USERS AFFECTED: 1. All zOS Explorer users                    *
*                 2. All zOS Explorer users                    *
*                 3. All zOS Explorer users who has SSL        *
*                    enabled                                   *
*                 4. All zOS Explorer users who has SSL        *
*                    enabled                                   *
****************************************************************
* PROBLEM DESCRIPTION: 1. Daemon version shown in the log is   *
*                         often mixed up with the IDz version  *
*                         number. Removed Daemon version:14.0  *
*                         from the Logs to eliminate confusion *
*                      2. rse.env is missing an undocumented   *
*                         environment variable                 *
*                      3. Enhancement to support 4 char-id     *
*                         ciphers when connecting using SSL    *
*                      4. RSE Server TLS session is not using  *
*                         the expected cipher suite for the    *
*                         client connection.                   *
****************************************************************
1. Daemon version shown in the log is often mixed up with the
   IDz version number. Remove Daemon version:14.0 from the Logs
   to eliminate confusion
2. rse.env is missing an undocumented environment variable
3. Enhancement to support 4 char-id ciphers when connecting
   using SSL
4. The Remote System Explorer (RSE) Daemon is using 2 character
   cipher suites that are proposed in the rse.env >
   GSK_V3_CIPHER_SPECS.  However, the RSE Server is using a
   4character cipher that cannot be specified in the
   GSK_V3_CIPHER_SPECS.

Problem conclusion

  • 1. Host modules have been updated
2. Sample has been updated
3. Host modules have been updated. Note: 4 character ciphers are
   only supported with JAVA 8
4. Host modules have been updated

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PH02312
    • 

  • Reported component name
    EXP FOR Z/OS HO
    • 

  • Reported component ID
    5655EXP23
    • 

  • Reported release
    310
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2018-08-29
    • 

  • Closed date
    2018-08-29
    • 

  • Last modified date
    2018-10-02
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    
UI58187
    

    • 



Modules/Macros


    

  • FEJENF70 FEJJCNFG FEJJJCL  FEJJMON  FEJTSO   FEK1SMPE FEK2RCVE
FEK3ALOC FEK4ZFS  FEK5MKD  FEK6DDEF FEK7APLY FEK8ACPT FEK@CERR
FEK@CONE FEK@CONF FEK@CUST FEK@DEB  FEK@DESC FEK@FLOW FEK@GEN
FEK@GENW FEK@ISPF FEK@IVP  FEK@IVPD FEK@IVPW FEK@JCN1 FEK@JCNE
FEK@JESJ FEK@MAIN FEK@MIGO FEK@OPTE FEK@OPTG FEK@OPTN FEK@PRIM
FEK@RSE1 FEK@RSEO FEK@STRT FEK@TAB1 FEK@TAB2 FEK@TAB3 FEK@WRK1
FEK@WRK2 FEK@WRK3 FEK@WRK4 FEK@WRK5 FEKAPPCC FEKAPPCL FEKAPPCX
FEKATTR  FEKDSI   FEKEESX0 FEKFASIZ FEKFATT1 FEKFBLD  FEKFCIPH
FEKFCLIE FEKFCMOD FEKFCMPR FEKFCMSG FEKFCOMM FEKFCOPY FEKFCOR6
FEKFCORE FEKFDBGM FEKFDIR  FEKFDIR6 FEKFDIVP FEKFDST0 FEKFDST1
FEKFDST2 FEKFENVF FEKFENVI FEKFENVP FEKFENVR FEKFENVS FEKFEPL
FEKFICUL FEKFISPF FEKFIVP0 FEKFIVPA FEKFIVPD FEKFIVPI FEKFIVPJ
FEKFIVPT FEKFJESM FEKFJESU FEKFJVM  FEKFLATR FEKFLDSI FEKFLDSL
FEKFLEOP FEKFLOGS FEKFLPTH FEKFMAI6 FEKFMAIN FEKFMINE FEKFMINS
FEKFMNTL FEKFNTCE FEKFOMVS FEKFPATT FEKFPRDS FEKFPTC  FEKFRIVP
FEKFRMSG FEKFRSES FEKFRSRV FEKFSCMD FEKFSEND FEKFSSL  FEKFSTUP
FEKFT000 FEKFT001 FEKFT002 FEKFT003 FEKFT004 FEKFT005 FEKFT006
FEKFT007 FEKFT008 FEKFT009 FEKFT010 FEKFT011 FEKFTIVP FEKFTRKS
FEKFTSO  FEKFUTIL FEKFVERS FEKFXITA FEKFXITL FEKFZME  FEKFZMF
FEKFZOS  FEKHCONF FEKHCUST FEKHDEB  FEKHDESC FEKHFLOW FEKHGEN
FEKHISPF FEKHIVP  FEKHIVPD FEKHJESJ FEKHMAIN FEKHMIGO FEKHOPTE
FEKHOPTN FEKHPRIM FEKHRSE1 FEKHRSEO FEKHSTRT FEKHTAB1 FEKHTAB2
FEKINIT  FEKKEYS  FEKLOGR  FEKLOGS  FEKM00   FEKM01   FEKM02
FEKMKDIR FEKMOUNT FEKMSGC  FEKMSGS  FEKRACF  FEKRSED  FEKSAPF
FEKSAPPL FEKSBPX  FEKSCLAS FEKSCLOG FEKSCMD  FEKSCPYM FEKSCPYU
FEKSDSN  FEKSENV  FEKSETUP FEKSISPF FEKSJCFG FEKSJCMD FEKSJMON
FEKSLPA  FEKSPROG FEKSPTKT FEKSRSED FEKSSERV FEKSSTC  FEKSSU
FEKSUSER FEKXCFGE FEKXCFGI FEKXCFGM FEKXCFGT FEKXMAIN FEKXML

    



Fix information


    

  • Fixed component name
    EXP FOR Z/OS HO
    • 

  • Fixed component ID
    5655EXP23
    • 



Applicable component levels


    

  • R310  PSY  UI58187
       UP18/09/26  P  F809
    • 



Fix is available


    

  • Select the PTF appropriate for your component level.
You will be required to sign in. Distribution on physical
media is not available in all countries.
    








      
              
                            

              

              [{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSBDYH","label":"IBM Explorer for z\/OS"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"310","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"310","Edition":"","Line of Business":{"code":"","label":""}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            02 October 2018
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback