Question & Answer
Question
I am trying to set up ATTLS with a TN3270 session and I used Configuration Assistant to set a policy rule. I chose the IBM Bronze Level and I am getting this error message with a return code of 402.
EZD1286I TTLS Error GRPID: gid ENVID: eid CONNID: cid LOCAL: loc_ip..loc_port REMOTE: rem_ip..rem_port JOBNAME: jobname USERID: userid RULE: rule RC: 402 Initial Handshake 00000000 7EB6E278
I am using the IBM supplied AT-TLS_Bronze.
TTLSCipherParms cipher1~AT-TLS__Bronze
{
  V3CipherSuites TLS_RSA_WITH_NULL_SHA
}
How can I find out what cipher suite the server will accept?
Answer
Return code 402 on message EZD1286I indicates that a cipher suite could not be agreed upon between the client and server.
You need to find out what cipher suites the server supports.
For instance, consider the case where the server supports only the following cipher suites:
TLS_RSA_WITH_RC4_128_MD5 (0x04)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x0A)
TLS_RSA_WITH_DES_CBC_SHA (0x09)
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x06)
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x03)
With Bronze selected you are attempting to use the NULL cipher:
0x02 - TLS_RSA_WITH_NULL_SHA
The null cipher is not one of the server's supported ciphers.
To view the ciphers supported by each security level in the GUI: under "Work with Reusable Objects", select "Security Level". Then select the security level you are interested in and click "view details". This brings up a list of the supported ciphers and shows which cipher will be tried first.
Platinum:
0x35 - TLS_RSA_WITH_AES_256_CBC_SHA
Gold:
0x0A - TLS_RSA_WITH_3DES_EDE_CBC_SHA (first choice)
0x2F - TLS_RSA_WITH_AES_128_CBC_SHA
Silver:
0x09 - TLS_RSA_WITH_DES_CBC_SHA (first choice)
0x0A - TLS_RSA_WITH_3DES_EDE_CBC_SHA
0x2F - TLS_RSA_WITH_AES_128_CBC_SHA
Bronze:
0x02 - TLS_RSA_WITH_NULL_SHA
So, based on the cipher suites the server supports, you should select either Silver or Gold: both levels include suites from the server's list (0x09 and 0x0A for Silver, 0x0A for Gold).
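The comparison the answer walks through, as an added example that is not from the original technote or from IBM: it parses TTLSCipherParms stanzas out of policy text and lists, per stanza, the offered suites the server also supports. The server list is the one given in the answer; the sample policy text and the Gold stanza name are constructed for illustration.

```python
import re

# Suites the example server in the answer accepts (taken from the page).
SERVER_SUITES = {
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
}

# Constructed sample policy; the Gold stanza name is hypothetical.
SAMPLE_POLICY = """
TTLSCipherParms cipher1~AT-TLS__Bronze
{
  V3CipherSuites TLS_RSA_WITH_NULL_SHA
}
TTLSCipherParms cipher2~AT-TLS__Gold    # hypothetical stanza name
{
  V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
}
"""

# Stanza name, then anything up to the opening brace, then the body.
STANZA = re.compile(r"TTLSCipherParms\s+(\S+)[^{]*\{([^}]*)\}")

def parse_cipher_parms(policy_text):
    """Return {stanza_name: [cipher suites in the order they are listed]}."""
    stanzas = {}
    for name, body in STANZA.findall(policy_text):
        suites = []
        for line in body.splitlines():
            words = line.split("#", 1)[0].split()  # drop trailing comments
            if len(words) >= 2 and words[0] == "V3CipherSuites":
                suites.append(words[1])
        stanzas[name] = suites
    return stanzas

def common_suites(policy_text, server_suites):
    """Per stanza, the offered suites the server also supports, in policy order."""
    return {name: [s for s in suites if s in server_suites]
            for name, suites in parse_cipher_parms(policy_text).items()}

if __name__ == "__main__":
    for name, shared in common_suites(SAMPLE_POLICY, SERVER_SUITES).items():
        print(name, "->", shared or "no common suite (handshake fails, RC 402)")
```

An empty list for a stanza is the condition the answer describes for return code 402: the client offers nothing the server accepts.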
Product Synonym
ZOSCS COMMSERVER
Document Information
Modified date:
30 September 2015
UID
dwa1230474