APAR status
Closed as program error.
Error description
SSL0277E: SSL Handshake Failed, ICSF is not available. ECDHE and TLS1.2 SHA-2 ciphers required ICSF, to be available
Local fix
Problem summary
USERS AFFECTED: Users of IBM HTTP Server on zOS

PROBLEM DESCRIPTION: IHS startup may make an incorrect determination that ICSF is available and use default SSL ciphers that require ICSF. Each handshake will report:

SSL0277E: SSL Handshake Failed, ICSF is not available. ECDHE and TLS1.2 SHA-2 ciphers required ICSF, to be available

RECOMMENDATION:

At startup, bin/envvars tries to detect whether System SSL will be able to use ICSF for strong ciphers. This check has evolved over time. One of the checks involved reading a single byte from /dev/random. When this check was first implemented, a successful read required the ICSF service be active. But on z14 and later, /dev/random works even without ICSF.
Problem conclusion
The check for ICSF in bin/envvars was simplified. Instead of checking if ICSF was available, IHS now checks to see if `gskkyman` reports ICSF as unavailable.

This change takes effect on new instances (bin/install_ihs) only. See bin/envvars-std for the changes related to the IHS_ZOS_HAS_ICSF_ACCESS environment variable to incorporate into an existing instance.

Note: this APAR is not applicable to 8.5.5, as that release does not adjust the defaults based on whether ICSF is active.

The fix for this APAR is targeted for inclusion in IBM HTTP Server fix pack 9.0.5.17. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
Temporary fix
Comments
APAR Information
APAR number
PH55434
Reported component name
WAS IHS ZOS
Reported component ID
5655I3510
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-06-27
Closed date
2023-06-29
Last modified date
2023-06-29
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WAS IHS ZOS
Fixed component ID
5655I3510
Applicable component levels
Document Information
Modified date:
30 June 2023