IBM Support

IZE0106E when using AT-TLS to connect CICS Explorer to CICS TS 5.2

Question & Answer


Question

Why am I receiving messages IZE0106E and DFHWB0114 when using TLS and trying to connect from CICS Explorer Version 5.2.0.5 [build id:20150908-1632] to CICS Transaction Server for z/OS (CICS TS) V5.2? I think I need help setting up AT-TLS in CICS TS V5.2. I have ENCRYPTION=ALL specified in the CICS System Initialization table (SIT) parameters. If I specify SSL=NO in TCPIPService definition, everything works fine.

When trying to connect to CICS, I receive the following message from CICS Explorer: 

 IZE0106E Connect Failed with error "Possible ssl connection Failure. 
 Configuration specified ssl=true,original exception was unrecognized 
 ssl message, plaintext connection?

In the CICS region, I see the following message:

  DFHWB0114 mm/dd/yyyy hh:mm:ss CWXN A non-HTTP request has been 
  received  by an HTTP service. The request has been rejected.           
  Host IP address: xxx.xxx.xxx.xxx. Client IP address: yyy.yyy.yyy.yyy.         
  TCPIPSERVICE: <name>

Answer

First of all, do not confuse Transport Layer Security (TLS) with Application Transparent Transport Layer Security (AT-TLS). TLS is follow-on to SSL with a new name. AT-TLS provides encryption and decryption of data based on policy statements that are coded in the Policy Agent. All encryption and decryption data is done outside of the CICS address space. There is no way you can setup AT-TLS using CICS Explorer.

Prior to CICS TS V5.3, CICS is AT-TLS unaware that AT-TLS is encrypting or decrypting data. The AT-TLS Basic mode is the only mode that can be used in earlier releases of CICS V5.2. A CICS TCPIPSERVICE would be defined with SSL(NO) as CICS is not encrypting or decrypting the data, which flows on the socket.

From CICS TS V5.3, CICS is AT-TLS aware, TCPIPSERVICE is defined with SSL(ATTLSAWARE) and PROTOCOL(HTTP). CICS issues an AT-TLS query to obtain information such as AT-TLS security status, negotiated CIPHER suite, partner certificate, and derived RACF user ID.

See the following tables in the section Introduction to Application Transparent Transport Layer Security (AT-TLS) of the CICS TS V5.3 documentation:

  • Table 1: Detailed description of AT-TLS modes and their CICS support

  • Table 2: Combinations for AT-TLS policy for the port and CICS TCPIPService

[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Platform":[{"code":"PF035","label":"z\/OS"}],"Component":"Security","Version":"5.2","Line of Business":{"code":"LOB35","label":"Mainframe SW"}}]

Product Synonym

CICS/TS CICSTS CICS TS CICS Transaction Server

Document Information

Modified date:
10 March 2016

UID

dwa1257143

Page Feedback