Problem with Secure Telnet in SSL

 
Davide

New User


Joined: 27 Mar 2008
Posts: 6
Location: Milano

Posted: Thu Mar 26, 2009 4:04 am    Post subject: Problem with Secure Telnet in SSL

Hi to all,
we are on z/OS 1.9 and we have a problem with our Secure Telnet in SSL.
The messages are:

STC08854 EZZ6035I TELNET DEBUG DETAIL CLIENT 927
IP..PORT: 10.88.1.129..26218
CONN: 0044EDB7 LU: MOD: EZBTTSMT
RCODE: 6002-00 SSL/TLS handshake failed.
PARM1: 000001F7 PARM2: 00000000 PARM3: GSK_SECURE_SOCKET_INIT

What can I do? What can I check?

Thanks!
Davide

dick scherrer

Site Director


Joined: 23 Nov 2006
Posts: 19270
Location: Inside the Matrix

Posted: Thu Mar 26, 2009 4:36 am

Hello,

Did you recently upgrade anything?

Is that a valid ip address? What happens if you try to PING that ip address?

Have you talked with your network support people?

Davide

Posted: Thu Mar 26, 2009 4:47 am

Hello,

Did you recently upgrade anything?
Last month, from z/OS 1.7 to z/OS 1.9.

Is that a valid ip address?
Yes, it is!

What happens if you try to PING that ip address?
PING is not authorized by our firewall.

Have you talked with your network support people?
About what?

Thanks!!!!

Robert Sample

Global Moderator


Joined: 06 Jun 2008
Posts: 8119
Location: East Dubuque, Illinois, USA

Posted: Thu Mar 26, 2009 5:04 am

I found an IBM Troubleshooting Technote that might apply:
Quote:
Cause
Error code 6002 reported in the message indicates that the SSL handshake process performed between the server and the client failed. This handshake for the server is performed by the System SSL component of z/OS, and can indicate a problem with the certificates being used (either locally or by the client system) or the SSL configuration. Some common causes are as follows:

* Expired certificates such as:
    o server certificate
    o the client certificate (if CLIENTAUTH is configured)
    o any of the certificates used in signing these.
* When using a locally created (self-signed) certificate instead of a well-known certificate authority, that root certificate must be available and marked as trusted on the keyring of both the client and server.
* The server certificate must be on the keyring, marked as the default certificate and must contain the private key.


Diagnosing the problem
Enable DEBUG DETAIL in the applicable Telnet parameters section (TELNETGLOBALS, TELNETPARMS, or PARMSGROUP). When a subsequent failure occurs, an EZZ6035I message will be generated with additional details about the failure:

EZZ6035I TELNET DEBUG DETAIL CLIENT 101
IP..PORT: aa.bb.cc.dd..ppp
CONN: xxxxxxxx LU: MOD: EZBTTSMT
RCODE: 6002-00 SSL/TLS handshake failed.
PARM1: nnnnnnnn PARM2: 00000000 PARM3: GSK_rrrrrrrrrrrr
The PARM1 value (which is in hexadecimal) will be the SSL Function Return Code indicating the nature of the failure. PARM3 identifies the System SSL API call that returned this failure. The most common routines are:

* GSK_ENVIRONMENT_INIT, which is most likely due to setup or access (SAF/RACF) to the specified KEYRING.
* GSK_SECURE_SOCKET_INIT, which is likely due to a rejection of (one of) the certificate(s) being used.

Additional diagnostic data can be obtained by collecting a System SSL trace. The GSKSRVR CTRACE must be used to capture this, which requires having the GSKSRVR started task active before starting TN3270 (or TCPIP, if running the server in the stack). The sample proc provided in the SGSKSAMP library can be used without modification if no other features are going to be enabled.

Review the certificates being accessed on both the server and the affected clients. If using a Unix Key Database, then the gskkyman command should be used to report the certificate contents. If using RACF keyrings to store the certificates, then the RACDCERT command (from an appropriately authorized user) should be used. For clients or security products from other vendors, consult their documentation.
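
The decoding step the technote describes, as an added example that is not part of the original posts or of any IBM tooling: it parses an EZZ6035I block, converts PARM1 from hexadecimal to the decimal System SSL return code, and maps PARM3 to the technote's two likely causes. The function name `parse_ezz6035i` and the field layout are assumptions taken from the message shown in this thread.

```python
import re

# Triage hints from the technote quoted above, keyed by the System SSL API
# call reported in PARM3.
HINTS = {
    "GSK_ENVIRONMENT_INIT": "setup of, or SAF/RACF access to, the specified KEYRING",
    "GSK_SECURE_SOCKET_INIT": "rejection of one of the certificates being used",
}
FIELD = re.compile(r"\b(IP\.\.PORT|CONN|LU|MOD|RCODE|PARM1|PARM2|PARM3):\s*")

# The message from the first post in this thread.
SAMPLE = """\
STC08854 EZZ6035I TELNET DEBUG DETAIL CLIENT 927
IP..PORT: 10.88.1.129..26218
CONN: 0044EDB7 LU: MOD: EZBTTSMT
RCODE: 6002-00 SSL/TLS handshake failed.
PARM1: 000001F7 PARM2: 00000000 PARM3: GSK_SECURE_SOCKET_INIT
"""


def parse_ezz6035i(text):
    """Parse one EZZ6035I block, whether wrapped over lines or on one line."""
    if "EZZ6035I" not in text:
        raise ValueError("not an EZZ6035I message")
    flat = " ".join(text.split())
    marks = list(FIELD.finditer(flat))
    raw = {}
    for cur, nxt in zip(marks, marks[1:] + [None]):
        end = nxt.start() if nxt else len(flat)
        raw[cur.group(1)] = flat[cur.end():end].strip()  # LU may be empty
    ip, _, port = raw.get("IP..PORT", "").rpartition("..")
    rcode, _, reason = raw.get("RCODE", "").partition(" ")
    api = raw.get("PARM3", "")
    return {
        "client_ip": ip,
        "client_port": int(port) if port.isdigit() else None,
        "lu": raw.get("LU", ""),
        "rcode": rcode,
        "reason": reason,
        "gsk_rc": int(raw["PARM1"], 16),  # PARM1 is hexadecimal
        "api": api,
        "hint": HINTS.get(api, "not covered by the technote; check the System SSL return codes"),
    }


if __name__ == "__main__":
    for key, value in parse_ezz6035i(SAMPLE).items():
        print(f"{key}: {value}")
```

The decimal `gsk_rc` value is the number to look up in the System SSL return-code documentation for the z/OS release in use.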

dick scherrer

Posted: Thu Mar 26, 2009 5:09 am

Hello,

Quote:
Have you talked with your network support people?
About what?
About resolving the handshake problem. . . In many (most) organizations, connection problems are handled by network support.

Quote:
Did you recently upgrade anything?
Last month from ZOS 1.7 to ZOS 1.9
And this worked correctly during testing?

What is trying to connect that fails? Some desktop?

Davide

Posted: Thu Mar 26, 2009 6:27 am

Hi,

About resolving the handshake problem. . . In many (most) organizations, connection problems are handled by network support.

The IP address arrives on the mainframe, so there is no problem on the network.

Quote:
Did you recently upgrade anything?
Last month from ZOS 1.7 to ZOS 1.9
And this worked correctly during testing?
Yes, and other customers with different IP addresses work on this server.


What is trying to connect that fails? Some desktop?
It is a PC with an emulator like Personal Communications from IBM.

Robert Sample

Posted: Thu Mar 26, 2009 7:01 am

Is CLIENTAUTH configured? If so, does the PC have a signed certificate? Since it's only the one machine having the problem, that points pretty strongly to the issue being something related to the PC, its certificates, and its SSL connections.

Davide

Posted: Thu Mar 26, 2009 7:08 am

Is CLIENTAUTH configured? If so, does the PC have a signed certificate?

Yes, and it has a certificate from Verisign.

Since it's only the one machine having the problem, that points pretty strongly to the issue being something related to the PC, its certificates, and its SSL connections.

Thanks!!
All times are GMT + 6 Hours