IBM Support

FTP fails with EZA2897I Authentication negotiation failed message

Question & Answer


Question

Attempts to use FTP to certain servers fail with the following messages:

 EZA1701I >>> AUTH TLS 
 234 AUTH TLS successful
 EZA2897I Authentication negotiation failed
 EZA2898I Unable to successfully negotiate required authentication
 EZA1735I Std Return Code = 10234, Error Code = 00017

With tracing enabled, the following message is also generated:

 FCxxxx authServer: secure_socket_init failed with rc = 410 (SSL message format is incorrect)

Connections to other servers using SSL are successful.

Answer

Collecting a System SSL trace also shows the following:

 Thd-0 INFO send_v3_client_hello(): Sent V3 CLIENT-HELLO message
 Thd-0 INFO gsk_write_v3_record(): Calling write routine for xx bytes
 Thd-0 INFO gsk_write_v3_record(): xx bytes written
 Thd-0 INFO gsk_read_v3_record(): Calling read routine for 5 bytes
 Thd-0 INFO gsk_read_v3_record(): 5 bytes received
 Thd-0 INFO gsk_read_v3_record(): Calling read routine for xx bytes
 Thd-0 INFO gsk_read_v3_record(): xx bytes received
 Thd-0 INFO read_v3_server_hello(): Received SERVER-HELLO message
 Thd-0 INFO read_v3_server_hello(): Creating new session for connection with aa.bb.cc.dd[21]
 Thd-0 INFO read_v3_server_hello(): Session identifier ....
 Thd-0 INFO read_v3_server_hello(): Using TLSV1 protocol
 ...
 Thd-0 INFO gsk_read_v3_record(): Calling read routine for 5 bytes
 Thd-0 INFO gsk_read_v3_record(): 5 bytes received
 Thd-0 INFO gsk_read_v3_record(): Calling read routine for 14 bytes
 Thd-0 INFO gsk_read_v3_record(): 14 bytes received
 Thd-0 INFO read_v3_certificate_request(): Received CERTIFICATE-REQUEST message
 Thd-0 ASCII read_v3_certificate_request(): CERTIFICATE-REQUEST message
         00000000:  0d000006 03010240 0000               *.......@..      *
 Thd-0 ERROR read_v3_certificate_request(): CA names omitted
 Thd-0 ERROR send_v3_alert(): Sent SSL V3 alert 47 to aa.bb.cc.dd[21]
 Thd-0 INFO gsk_write_v3_record(): Calling write routine for 7 bytes
 Thd-0 INFO gsk_write_v3_record(): 7 bytes written
 Thd-0 ERROR gsk_secure_socket_init(): SSL V3 client handshake failed with aa.bb.cc.dd[21]

The key aspects in this exchange are that the TLSv1 protocol is being used, the server is sending a Certificate Request (request for a (possibly optional) client certificate), but there is no list of valid Certificate Authority names. The v1 protocol requires that such requests include a CA list and System SSL on z/OS strictly enforces that requirement, thus the handshake failure with the SSL Alert 47 being returned.

The solution is to either:

  • Contact the server system's administrator to either configure it to not request a client certificate or contact the software vendor to get an update to correct the message being sent.

  • OR, Update the local client to use a later TLS protocol. Higher levels of the TLS protocol no longer require the CA list on a Certificate Request message. The z/OS FTP client does not support higher protocol in 'native SSL' mode, you will need to upgrade to using an AT-TLS policy for these connections with TLSV1.1 or TLSV1.2 enabled (and TLSv1 disabled).

[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSSN3L","label":"z\/OS Communications Server"},"Platform":[{"code":"PF035","label":"z\/OS"}],"Component":"","Version":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}}]

Product Synonym

ZOSCS COMMSERVER

Document Information

Modified date:
09 May 2018

UID

dwa1446857