A fix is available
APAR status
Closed as program error.
Error description
If an SSL connection does not complete its SSL handshake, subsequent SSL connection attempts are not processed and have to wait. Eventually the TCP/IP backlog limit is reached and subsequent SSL connection attempts are rejected immediately. In this situation NETSTAT shows that many connections are in CLOSE-WAIT state. Additional search words: ClosWait ClosWt CLOSEWAIT CLOSE_WAIT
Local fix
The connection causing the problem is in ESTABLISHED state, but no data has been transferred. Terminating this connection allows waiting connections to complete their SSL handshake.
Problem summary
USERS AFFECTED: All users of CICS TG with SSL connections from client applications.
PROBLEM DESCRIPTION: CICS TG stops processing SSL connection
RECOMMENDATION:

When the SSL handshake on an SSL connection was delayed on the client side, subsequent SSL connection attempts were queued while they waited for the delayed SSL handshake to complete. NETSTAT showed these connections in ESTABLISHED state. If the TCP/IP backlog limit was reached, subsequent SSL connection attempts failed immediately and the waiting connections were left in CLOSE-WAIT state. The SSL protocol handler parameter connecttimeout was not effective for SSL handshaking. SSL handshakes would wait indefinitely if the client side did not complete the handshake.
Problem conclusion
CICS TG has been changed so that the SSL handshake time is included in the value specified for the SSL protocol handler connecttimeout parameter. After applying the PTF for this APAR, it might be necessary to adjust the value specified for the SSL protocol handler connecttimeout parameter to allow SSL handshakes to complete. If the connecttimeout is set to zero, to ensure that a connection is refused if a ConnectionManager thread is not immediately available, the timeout value used for the SSL handshake is set to 2 seconds by default. If connection logging is active and the SSL handshake exceeds the set timeout value, the following message is logged:
CTG6566W Remote client <client_details> timed out during SSL handshake, connecttimeout is set to <connecttimeout> ms
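As an added example (not IBM's code), the following Python triage reads connection-log lines carrying the CTG6566W message above and counts handshake timeouts per client, so that one repeatedly stalling client can be told apart from a connecttimeout value that is too short for many clients. The log line prefix, the host:port shape of <client_details>, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Message layout as quoted in this APAR; <client_details> is treated as opaque text.
CTG6566W = re.compile(
    r"CTG6566W Remote client (?P<client>.+?) timed out during SSL handshake, "
    r"connecttimeout is set to (?P<timeout>\d+) ms"
)

# Constructed sample lines: timestamps, prefix and client strings are assumptions.
SAMPLE_LOG = """\
2011-04-02 10:15:01 CTG6566W Remote client 192.0.2.10:51544 timed out during SSL handshake, connecttimeout is set to 5000 ms
2011-04-02 10:15:09 CTG6566W Remote client 192.0.2.10:51560 timed out during SSL handshake, connecttimeout is set to 5000 ms
2011-04-02 10:15:12 (constructed unrelated line) connection accepted
2011-04-02 10:15:20 CTG6566W Remote client 198.51.100.7:40112 timed out during SSL handshake, connecttimeout is set to 5000 ms
2011-04-02 10:15:31 CTG6566W Remote client 192.0.2.10:51602 timed out during SSL handshake, connecttimeout is set to 5000 ms
2011-04-02 10:16:02 CTG6566W Remote client 203.0.113.5:33010 timed out during SSL handshake, connecttimeout is set to 5000 ms
"""

def client_key(details):
    """Assumption: details may end in ':port'; group by the part before it."""
    host, sep, port = details.rpartition(":")
    return host if sep and port.isdigit() else details

def parse_timeouts(lines):
    """Return (client_key, connecttimeout_ms) for every CTG6566W line."""
    events = []
    for line in lines:
        m = CTG6566W.search(line)
        if m:
            events.append((client_key(m.group("client").strip()), int(m.group("timeout"))))
    return events

def triage(lines, repeat_threshold=3):
    """Summarise handshake timeouts; repeat_threshold is a hypothetical tuning knob."""
    events = parse_timeouts(lines)
    per_client = Counter(client for client, _ in events)
    return {
        "total": len(events),
        "per_client": dict(per_client),
        # Clients that keep stalling handshakes deserve a closer look.
        "repeaters": sorted(c for c, n in per_client.items() if n >= repeat_threshold),
        # Timeout values reported in the messages, for comparison with the configured one.
        "timeouts_ms": sorted({t for _, t in events}),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG.splitlines()))
```

Many distinct clients each timing out once points toward raising connecttimeout, as the APAR suggests may be needed after the PTF; a single client in `repeaters` points toward that client.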
Temporary fix
Comments
APAR Information
APAR number
PM23548
Reported component name
CTG V8 FOR Z/OS
Reported component ID
5655W1000
Reported release
800
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2010-09-30
Closed date
2011-03-16
Last modified date
2015-10-01
APAR is sysrouted FROM one or more of the following:
PM18492
APAR is sysrouted TO one or more of the following:
UK65825
Modules/Macros
CTG00201 CTG00204 CTG00585
Fix information
Fixed component name
CTG V8 FOR Z/OS
Fixed component ID
5655W1000
Applicable component levels
R800 PSY UK65825
UP11/03/22 P F103
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
08 August 2024