IBM Support

PH55434: SSL0277E ON Z14 AND LATER WHEN ICSF SERVICE IS NOT STARTED


APAR status

  • Closed as program error.

Error description

  • SSL0277E: SSL Handshake Failed, ICSF is not available. ECDHE and
    TLS1.2 SHA-2 ciphers required ICSF, to be available
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  Users of IBM HTTP Server on z/OS            *
    ****************************************************************
    * PROBLEM DESCRIPTION: IHS startup may make an incorrect       *
    *                      determination that ICSF is              *
    *                      available and use default SSL ciphers   *
    *                      that require ICSF.                      *
    *                      Each handshake will report:             *
    *                      SSL0277E: SSL Handshake Failed, ICSF is *
    *                      not available. ECDHE and                *
    *                      TLS1.2 SHA-2 ciphers required ICSF, to  *
    *                      be available                            *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    At startup, bin/envvars tries to detect whether System SSL will
    be able to use ICSF for strong ciphers. This check has evolved
    over time.
    One of the checks involved reading a single byte from
    /dev/random. When this check was first implemented, a successful
    read required the ICSF service be active.  But on z14 and later,
    /dev/random works even without ICSF.
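
An added example (not IBM's code and not taken from bin/envvars): a shell check that pairs the old-style one-byte read with a count of SSL0277E entries, to spot an instance where the read succeeds but handshakes still fail for lack of ICSF. The `dd` read, the function names and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; not the contents of bin/envvars.
# Assumption: dd stands in for the one-byte read (the real command is not on the page).

# Old-style probe: succeeds whenever one byte can be read from the device.
random_read_ok() {
    n=$(dd if="$1" bs=1 count=1 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 1 ]
}

# Count error-log entries carrying the SSL0277E message ID (0 if the log is missing).
count_ssl0277e() {
    c=$(grep -c 'SSL0277E' "$1" 2>/dev/null) || true
    echo "${c:-0}"
}

# Combine both signals: $1 = random device, $2 = IHS error log.
diagnose() {
    failures=$(count_ssl0277e "$2")
    if ! random_read_ok "$1"; then
        echo "probe-failed"   # the read itself fails, so it cannot mislead startup
    elif [ "$failures" -gt 0 ]; then
        echo "misdetected"    # read works, yet handshakes report ICSF as unavailable
    else
        echo "consistent"     # read works and no SSL0277E has been logged
    fi
}

# Constructed sample log: timestamps, module tag and client addresses are made up;
# only the SSL0277E message text comes from the APAR.
write_sample_log() {
    cat > "$1" <<'EOF'
[Tue Jun 27 10:15:02 2023] [ssl:error] [client 192.0.2.10:51544] SSL0277E: SSL Handshake Failed, ICSF is not available. ECDHE and TLS1.2 SHA-2 ciphers required ICSF, to be available
[Tue Jun 27 10:15:03 2023] [core:notice] constructed unrelated notice line
[Tue Jun 27 10:15:07 2023] [ssl:error] [client 192.0.2.11:51560] SSL0277E: SSL Handshake Failed, ICSF is not available. ECDHE and TLS1.2 SHA-2 ciphers required ICSF, to be available
EOF
}

# Demo run against the constructed log.
sample="${TMPDIR:-/tmp}/ihs_sample_error_log.$$"
write_sample_log "$sample"
echo "SSL0277E entries: $(count_ssl0277e "$sample")"
echo "diagnosis: $(diagnose /dev/random "$sample")"
rm -f "$sample"
```

On a real instance, pass the instance's own error log path as the second argument to `diagnose`.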
    

Problem conclusion

  • The check for ICSF in bin/envvars was simplified. Instead of
    checking if ICSF was available, IHS now checks to see if
    `gskkyman` reports ICSF as unavailable.
    
    This change takes effect on new instances (bin/install_ihs)
    only. See bin/envvars-std for the changes related to the
    IHS_ZOS_HAS_ICSF_ACCESS environment variable to incorporate into
    an existing instance.
    
    Note: Not applicable to 8.5.5, as this release does not adjust
    the defaults based on whether ICSF is active.
    
    
    The fix for this APAR is targeted for inclusion in IBM HTTP
    Server fix pack 9.0.5.17. For more information, see
    'Recommended Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH55434

  • Reported component name

    WAS IHS ZOS

  • Reported component ID

    5655I3510

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2023-06-27

  • Closed date

    2023-06-29

  • Last modified date

    2023-06-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WAS IHS ZOS

  • Fixed component ID

    5655I3510

Applicable component levels

  • Business Unit: Systems - zSystems software
  • Product: WebSphere Application Server for z/OS
  • Platform: z Systems
  • Version: 8.5

Document Information

Modified date:
30 June 2023