IBM Support

TN3270 is rejecting SSL connection with RCODE 6002 and PARM1 19C

Question & Answer


Question

We just did an IPL and TN3270 is now rejecting SSL connections. I turned on debug mode and the following message appeared:
EZZ6035I TN3270 DEBUG CONN DETAIL
IP..PORT: ipaddr..port
CONN: connid LU: MOD: EZBTTSMT
RCODE: 6002-00 SSL/TLS handshake failed.
PARM1: 0000019C PARM2: 00000000 PARM3: GSK_SECURE_SOCKET_INIT

Answer

A PARM1 value of X'19C' (412 decimal) means "SSL protocol or certificate type not supported".

As documented in the SSL Programming Guide:

412 SSL protocol or certificate type is not supported.

Explanation: The SSL handshake is not successful due to an unsupported protocol or certificate type. This error can occur if there is no enabled SSL protocol shared by both the client and the server.
User Response: Ensure that the desired SSL protocol is enabled on both the client and the server.

This error can occur after installation of APAR/PTF PI28679 / UI23660. This is included in RSU 1506 and above, shipped with z/OS 2.1.

Starting in 2.1, z/OS CS has changed its default protocol support for all components that use SSL/TLS, either through AT-TLS or natively. z/OS CS provides means for exploiters (installations and/or applications) that must continue to utilize SSLv3, but the protocol must be explicitly enabled. SSLv3 is disabled by default, which can affect the usage of AT-TLS, the FTP client and server, the TN3270 server, the DCAS server, Policy Agent, and sendmail.

The fact that you now need to explicitly enable SSLv3 for TN3270 to continue using AT-TLS in V2R1 is documented in the V2R1 z/OS Migration Guide.
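As an added illustration, not part of this IBM document, the following Python script parses EZZ6035I TN3270 DEBUG CONN DETAIL records like the one in the question, converts PARM1 from hex to decimal, and counts handshake failures per client address. That lets you see which clients are actually failing before deciding whether any of them still require SSLv3. The sample records, addresses, ports and connection ids are constructed; only the meaning of code 412 is taken from this page, and any other code is reported as undecoded rather than guessed.

```python
import re
from collections import Counter

# Constructed sample of TN3270 debug output (EZZ6035I CONN DETAIL records),
# modelled on the message in the question. Addresses, ports and connection
# ids are made up; X'19C' (412) is the value discussed on this page and
# X'1F4' (500) is an arbitrary code used to show the "unknown" path.
SAMPLE_LOG = """\
EZZ6035I TN3270 DEBUG CONN DETAIL
IP..PORT: 192.0.2.10..49152
CONN: 00001A2B LU: MOD: EZBTTSMT
RCODE: 6002-00 SSL/TLS handshake failed.
PARM1: 0000019C PARM2: 00000000 PARM3: GSK_SECURE_SOCKET_INIT
EZZ6035I TN3270 DEBUG CONN DETAIL
IP..PORT: 192.0.2.10..49153
CONN: 00001A2C LU: MOD: EZBTTSMT
RCODE: 6002-00 SSL/TLS handshake failed.
PARM1: 0000019C PARM2: 00000000 PARM3: GSK_SECURE_SOCKET_INIT
EZZ6035I TN3270 DEBUG CONN DETAIL
IP..PORT: 198.51.100.7..51000
CONN: 00001A2D LU: MOD: EZBTTSMT
RCODE: 6002-00 SSL/TLS handshake failed.
PARM1: 000001F4 PARM2: 00000000 PARM3: GSK_SECURE_SOCKET_INIT
"""

# Meaning of PARM1 (System SSL return code) values. Only 412 is taken from
# this page; extend the table from the SSL Programming Guide as needed.
SSL_RETURN_CODES = {
    412: "SSL protocol or certificate type is not supported",
}

RECORD_START = "EZZ6035I TN3270 DEBUG CONN DETAIL"
IPPORT_RE = re.compile(r"IP\.\.PORT:\s*(\S+)\.\.(\d+)")
CONN_RE = re.compile(r"CONN:\s*(\S+)")
MOD_RE = re.compile(r"MOD:\s*(\S+)")
RCODE_RE = re.compile(r"RCODE:\s*(\w+)-(\w+)\s*(.*)")
PARMS_RE = re.compile(
    r"PARM1:\s*([0-9A-Fa-f]+)\s+PARM2:\s*([0-9A-Fa-f]+)\s+PARM3:\s*(\S+)")


def parse_debug_records(text):
    """Split TN3270 debug output into one dict per EZZ6035I record."""
    records = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(RECORD_START):
            current = {}
            records.append(current)
            continue
        if current is None:
            continue  # text before the first record header is ignored
        if m := IPPORT_RE.search(line):
            current["ip"], current["port"] = m.group(1), int(m.group(2))
        elif m := RCODE_RE.search(line):
            current["rcode"] = m.group(1)
            current["rcode_qual"] = m.group(2)
            current["rcode_text"] = m.group(3).strip()
        elif m := PARMS_RE.search(line):
            # PARM1/PARM2 are printed in hex; keep them as integers.
            current["parm1"] = int(m.group(1), 16)
            current["parm2"] = int(m.group(2), 16)
            current["parm3"] = m.group(3)
        else:
            # The CONN line carries connection id, (possibly empty) LU, module.
            if m := CONN_RE.search(line):
                current["conn"] = m.group(1)
            if m := MOD_RE.search(line):
                current["module"] = m.group(1)
    return records


def decode_parm1(value):
    """Describe a System SSL return code; unknown codes are flagged, not guessed."""
    text = SSL_RETURN_CODES.get(value)
    if text is None:
        return f"{value} (X'{value:X}'): not in local table, see SSL Programming Guide"
    return f"{value} (X'{value:X}'): {text}"


def summarize_handshake_failures(records):
    """Count RCODE 6002 (handshake failed) records per (client ip, PARM1)."""
    counts = Counter()
    for rec in records:
        if rec.get("rcode") == "6002":
            counts[(rec["ip"], rec["parm1"])] += 1
    return counts


if __name__ == "__main__":
    recs = parse_debug_records(SAMPLE_LOG)
    for (ip, parm1), n in sorted(summarize_handshake_failures(recs).items()):
        print(f"{ip}: {n} failure(s), PARM1 {decode_parm1(parm1)}")
```

Run it against a saved copy of the TN3270 debug output (or feed the job log text to `parse_debug_records`); a client that repeatedly fails with PARM1 412 is one that offers no protocol the server now accepts.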

Here is the key information from that guide:

TN3270 server

The TN3270 server is modified to disable SSLV3 by default when SECUREPORT is specified. In this mode, the TN3270 server uses System SSL APIs natively for its SSL/TLS protection, rather than AT-TLS.

Because the TN3270 server has historically enabled SSLV3 by default, evaluate whether your server is supporting clients that require SSLV3. If so, enable SSLV3 by specifying the new SSLV3 statement in the relevant TN3270 profile data set and refreshing the configuration using the VARY TCPIP,tnproc,OBEYFILE command.

If TTLSPORT is specified, the TN3270 server is protected by AT-TLS, so the changes described under the AT-TLS function apply.

To resolve this problem, code the SSLV3 statement in the TN3270 profile:

1. Code the SSLV3 statement in the TELNETGLOBALS, TELNETPARMS, or PARMSGROUP statement block.

2. Either recycle the Telnet server or use the VARY TCPIP,tnproc,OBEYFILE command to make the change dynamically.
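As an added example, not taken from this IBM document, this is what a TELNETPARMS block in a TN3270 profile data set could look like after step 1. The port number and key ring name are placeholders; the only statement the page itself prescribes is SSLV3.

```text
TELNETPARMS
  SECUREPORT 992             ; TN3270 uses System SSL natively on this port
  KEYRING SAF TN3270RING     ; placeholder key ring name, use your own
  SSLV3                      ; re-enables SSLv3 for clients that still need it;
                             ; remove this line to return to the TLS-only default
ENDTELNETPARMS
```

For step 2, VARY TCPIP,tnproc,OBEYFILE,DSN=your.profile.dsn (substitute the Telnet procedure name and data set) reads the updated profile without a recycle. If only a subset of clients requires SSLv3, the page's PARMSGROUP option lets you attach the SSLV3 statement to that group instead of enabling it for every secure port.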


Product Synonym

ZOSCS COMMSERVER

Document Information

Modified date:
14 December 2015

UID

dwa1243783