RTC Build agent on z/OS SSL communication RC:410 and RC:420
Hi,
We have installed the RTC Build Agent on z/OS. Now we are planning to do the SSL settings for the Build Agent.
This is our SSL part of bfagent.conf:
May use a gskkyman key database instead of SAF keyring
gsk_ssl_key_location /etc/jazz405/ccm/bfagentssl.kdb
gsk_ssl_kdb_password 93a2686a707787d400f7f2d401194145b4e0c3cb695d0e1b58ec
gsk_keyring_label bfacert
gsk_ssl_protocol ALL
gsk_ssl_cipher_v2 6321
gsk_ssl_cipher_v3 0906030201
gsk_ssl_client_authentication false
gsk_password_encrypt true
We are getting the below error when we test the connection (from the bfagent.log debug output):
Sat Jun 14 18:32:33 2014 [16842915] main.c : 519: === STARTING DAEMON PROCESS ===
Sat Jun 14 18:32:34 2014 [16842915] bf_ipv6.c : 780: bf_listener_new: [0.0.0.0/5555] listening
Sat Jun 14 18:32:34 2014 [16842915] daemon.c : 53: background: orphaning daemon
Sat Jun 14 18:32:34 2014 [16842915] daemon.c : 45: --- EXITING --- (create orphan)
Sat Jun 14 18:32:34 2014 [ 65700] daemon.c : 45: --- EXITING --- (create orphan)
Sat Jun 14 18:32:41 2014 [33620131] daemon.c : 131: [/5555] accepting [161.178.198.170/49830] (161.178.198.170)
Sat Jun 14 18:32:41 2014 [33620131] daemon.c : 156: [161.178.198.170/49830]: attached to pid 16842916
Sat Jun 14 18:32:41 2014 [16842916] daemon.c : 149: === NEW AGENT ===
Sat Jun 14 18:32:41 2014 [16842916] platform.c : 192: ICONV ok [IBM-1047]
Sat Jun 14 18:32:41 2014 [16842916] platform.c :2132: LOCALE ok [] -> [C]
Sat Jun 14 18:32:41 2014 [16842916] io.c : 482: In start_SSL : initialize system ssl environment
Sat Jun 14 18:32:41 2014 [16842916] io.c : 291: gsk_ssl_kdb_password : 93a2686a707787d400f7f2d401194145b4e0c3cb695d0e1b58ec
Sat Jun 14 18:32:41 2014 [16842916] bfcryptloader.c : 569: Password decoded.
Sat Jun 14 18:32:41 2014 [16842916] io.c : 300: decode_password :***
Sat Jun 14 18:32:42 2014 [16842916] io.c : 365: SSL ssl_key_location=/etc/jazz405/ccm/bfagentssl.kdb
Sat Jun 14 18:32:42 2014 [16842916] io.c : 378: SSL decode_password=
Sat Jun 14 18:32:42 2014 [16842916] io.c : 415: Server: Setting protocol to all.
Sat Jun 14 18:32:42 2014 [16842916] io.c : 418: SSL ssl_key_ring_label=bfacert
Sat Jun 14 18:32:42 2014 [16842916] io.c : 430: SYSTEM SSL env init ok
Sat Jun 14 18:32:42 2014 [16842916] io.c : 496: Calling secure socket open
Sat Jun 14 18:32:42 2014 [16842916] io.c : 517: SSL GSK_SESSION_TYPE=GSK_SERVER_SESSION
Sat Jun 14 18:32:42 2014 [16842916] io.c : 524: SSL cipher_specs_V2=6321
Sat Jun 14 18:32:42 2014 [16842916] io.c : 529: SSL cipher_specs_V3=0906030201
Sat Jun 14 18:32:42 2014 [16842916] io.c : 533: Calling gsk_secure_socket_init() to start ssl handshake with client.
Sat Jun 14 18:34:05 2014 [33620131] daemon.c : 131: [*/5555] accepting [10.26.125.254/17502] (10.26.125.254)
Sat Jun 14 18:34:06 2014 [33620131] daemon.c : 156: [10.26.125.254/17502]: attached to pid 65702
Sat Jun 14 18:34:06 2014 [ 65702] daemon.c : 149: === NEW AGENT ===
Sat Jun 14 18:34:06 2014 [ 65702] platform.c : 192: ICONV ok [IBM-1047]
Sat Jun 14 18:34:06 2014 [ 65702] platform.c :2132: LOCALE ok [] -> [C]
Sat Jun 14 18:34:06 2014 [ 65702] io.c : 482: In start_SSL : initialize system ssl environment
Sat Jun 14 18:34:06 2014 [ 65702] io.c : 291: gsk_ssl_kdb_password : 93a2686a707787d400f7f2d401194145b4e0c3cb695d0e1b58ec
Sat Jun 14 18:34:06 2014 [ 65702] bfcryptloader.c : 569: Password decoded.
Sat Jun 14 18:34:06 2014 [ 65702] io.c : 300: decode_password :
Sat Jun 14 18:34:06 2014 [ 65702] io.c : 365: SSL ssl_key_location=/etc/jazz405/ccm/bfagentssl.kdb
Sat Jun 14 18:34:06 2014 [ 65702] io.c : 378: SSL decode_password=
Sat Jun 14 18:34:06 2014 [ 65702] io.c : 415: Server: Setting protocol to all.
Sat Jun 14 18:34:06 2014 [ 65702] io.c : 418: SSL ssl_key_ring_label=bfacert
Sat Jun 14 18:34:06 2014 [ 65702] io.c : 430: SYSTEM SSL env init ok
Sat Jun 14 18:34:06 2014 [ 65702] io.c : 496: Calling secure socket open
Sat Jun 14 18:34:06 2014 [ 65702] io.c : 517: SSL GSK_SESSION_TYPE=GSK_SERVER_SESSION
Sat Jun 14 18:34:06 2014 [ 65702] io.c : 524: SSL cipher_specs_V2=6321
Sat Jun 14 18:34:06 2014 [ 65702] io.c : 529: SSL cipher_specs_V3=0906030201
Sat Jun 14 18:34:06 2014 [ 65702] io.c : 533: Calling gsk_secure_socket_init() to start ssl handshake with client.
Sat Jun 14 18:37:41 2014 [33620131] daemon.c : 131: [*/5555] accepting [10.26.125.254/17660] (10.26.125.254)
Sat Jun 14 18:37:41 2014 [16842916] io.c : 536: SSL_accept rc=410 (0 is good, >=1 is handshake failure or fatal)
Sat Jun 14 18:37:41 2014 [16842916] io.c : 539: SSLErrorHandshake: failed to Call gsk_secure_socket_init() to.
Sat Jun 14 18:37:41 2014 [16842916] agent.c : 761: cleanup
Sat Jun 14 18:37:41 2014 [33620131] platform.c : 260: SIGCHLD(20) 16842916 -> bfdaemon: status=0
Sat Jun 14 18:37:41 2014 [33620131] daemon.c : 156: [10.26.125.254/17660]: attached to pid 65705
Sat Jun 14 18:37:41 2014 [ 65705] daemon.c : 149: === NEW AGENT ===
Sat Jun 14 18:37:41 2014 [ 65705] platform.c : 192: ICONV ok [IBM-1047]
Sat Jun 14 18:37:41 2014 [ 65705] platform.c :2132: LOCALE ok [] -> [C]
Sat Jun 14 18:37:41 2014 [ 65705] io.c : 482: In start_SSL : initialize system ssl environment
Sat Jun 14 18:37:41 2014 [ 65705] io.c : 291: gsk_ssl_kdb_password : 93a2686a707787d400f7f2d401194145b4e0c3cb695d0e1b58ec
Sat Jun 14 18:37:41 2014 [ 65705] bfcryptloader.c : 569: Password decoded.
Sat Jun 14 18:37:41 2014 [ 65705] io.c : 300: decode_password :
Sat Jun 14 18:37:42 2014 [ 65705] io.c : 365: SSL ssl_key_location=/etc/jazz405/ccm/bfagentssl.kdb
Sat Jun 14 18:37:42 2014 [ 65705] io.c : 378: SSL decode_password=**
Sat Jun 14 18:37:42 2014 [ 65705] io.c : 415: Server: Setting protocol to all.
Sat Jun 14 18:37:42 2014 [ 65705] io.c : 418: SSL ssl_key_ring_label=bfacert
Sat Jun 14 18:37:42 2014 [ 65705] io.c : 430: SYSTEM SSL env init ok
Sat Jun 14 18:37:42 2014 [ 65705] io.c : 496: Calling secure socket open
Sat Jun 14 18:37:42 2014 [ 65705] io.c : 517: SSL GSK_SESSION_TYPE=GSK_SERVER_SESSION
Sat Jun 14 18:37:42 2014 [ 65705] io.c : 524: SSL cipher_specs_V2=6321
Sat Jun 14 18:37:42 2014 [ 65705] io.c : 529: SSL cipher_specs_V3=0906030201
Sat Jun 14 18:37:42 2014 [ 65705] io.c : 533: Calling gsk_secure_socket_init() to start ssl handshake with client.
Sat Jun 14 18:37:42 2014 [ 65705] io.c : 536: SSL_accept rc=420 (0 is good, >=1 is handshake failure or fatal)
Sat Jun 14 18:37:42 2014 [ 65705] io.c : 539: SSLErrorHandshake: failed to Call gsk_secure_socket_init() to.
Sat Jun 14 18:37:42 2014 [ 65705] agent.c : 761: cleanup
Sat Jun 14 18:37:42 2014 [33620131] platform.c : 260: SIGCHLD(20) 65705 -> bfdaemon: status=0
Please let us know what we are missing.
Regards,
Sathya
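The handshake in the log above fails before any application data flows, and the two things the agent prints just before it calls gsk_secure_socket_init() are the cipher lists: cipher_specs_V2=6321 and cipher_specs_V3=0906030201. System SSL takes gsk_ssl_cipher_v3 as a string of two-character IDs, so 0906030201 is five ciphers: DES-56-SHA, RC2-40-MD5 export, RC4-40-MD5 export, NULL-SHA and NULL-MD5, none of which a current TLS client will accept, while gsk_ssl_protocol ALL still offers SSLv2 and SSLv3 as well. The following is an added example, not code from the original post or from the RTC build agent: it decodes those cipher strings, audits the SSL keywords of a bfagent.conf (the one posted above, and the same checker covers the trace-enabled copy posted later in the thread), and maps the two return codes. The cipher IDs are the z/OS System SSL two-character list (each equals the low byte of the IANA TLS_RSA_WITH_* suite number); the "hardened" configuration is constructed, and the gsk_ssl_protocol value in it is an assumption that must be checked against the bfagent.conf reference. The thread does not record what the final fix was, so treat the cipher finding as the likely cause, not a confirmed one.

```python
"""Added example (not from the original post or the RTC build agent):
decode z/OS System SSL cipher-spec strings and audit the SSL keywords of a
bfagent.conf. Cipher IDs follow the System SSL 2-character list; each equals
the low byte of the IANA TLS_RSA_WITH_* cipher-suite number."""

# gsk_ssl_cipher_v3 IDs -> (name, rating).
# "broken" = null / export / RC4 / single DES, "legacy" = 3DES, "ok" = AES.
V3_CIPHERS = {
    "00": ("NULL-NULL", "broken"), "01": ("NULL-MD5", "broken"),
    "02": ("NULL-SHA", "broken"), "03": ("RC4-40-MD5 export", "broken"),
    "04": ("RC4-128-MD5", "broken"), "05": ("RC4-128-SHA", "broken"),
    "06": ("RC2-40-MD5 export", "broken"), "09": ("DES-56-SHA", "broken"),
    "0A": ("3DES-168-SHA", "legacy"), "2F": ("AES-128-SHA", "ok"),
    "35": ("AES-256-SHA", "ok"), "3C": ("AES-128-SHA256", "ok"),
    "3D": ("AES-256-SHA256", "ok"),
}

# gsk_secure_socket_init() return codes seen in the thread.
GSK_RC = {
    410: "SSL message format is incorrect (incorrectly-formatted message received from peer)",
    420: "Socket closed by remote partner",
}


def parse_bfagent_conf(text):
    """Return {keyword: value} for 'keyword value' lines; blanks and '#' comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].lower()] = parts[1].strip()
    return conf


def split_cipher_specs(spec, width=2):
    """Split a System SSL cipher string into fixed-width IDs: '0906030201' -> 09 06 03 02 01."""
    spec = spec.strip().upper()
    if not spec or len(spec) % width:
        raise ValueError("cipher spec must be a non-empty multiple of %d chars: %r" % (width, spec))
    return [spec[i:i + width] for i in range(0, len(spec), width)]


def explain_rc(rc):
    """Map a gsk_secure_socket_init() return code to its documented meaning."""
    return GSK_RC.get(int(rc), "not in the local table; see the System SSL return-code list")


def audit_ssl(conf):
    """Return (severity, message) findings for the SSL keywords of a parsed bfagent.conf."""
    findings = []
    if conf.get("gsk_ssl_protocol", "").upper() == "ALL":
        findings.append(("high", "gsk_ssl_protocol ALL offers SSLv2/SSLv3 as well as TLS"))
    if conf.get("gsk_ssl_cipher_v2"):
        findings.append(("high", "gsk_ssl_cipher_v2 %s enables SSLv2 ciphers; remove it" % conf["gsk_ssl_cipher_v2"]))
    v3 = conf.get("gsk_ssl_cipher_v3")
    ids = split_cipher_specs(v3) if v3 else []
    usable = 0  # ciphers a current TLS client could still negotiate
    for cid in ids:
        name, rating = V3_CIPHERS.get(cid, ("unknown ID", "unknown"))
        if rating == "broken":
            findings.append(("high", "cipher %s (%s) is null, export-grade or broken" % (cid, name)))
        elif rating == "legacy":
            findings.append(("medium", "cipher %s (%s) is legacy 3DES" % (cid, name)))
            usable += 1
        elif rating == "ok":
            usable += 1
        else:
            findings.append(("info", "cipher %s is not in the local table" % cid))
    if ids and usable == 0:
        findings.append(("high", "no AES/3DES cipher offered; a current TLS client cannot complete the handshake"))
    if conf.get("gsk_ssl_kdb_password") and conf.get("gsk_password_encrypt", "").lower() != "true":
        findings.append(("high", "key database password is stored in clear text"))
    if conf.get("gsk_trace"):
        findings.append(("info", "gsk_trace is on; turn it off once the handshake is diagnosed"))
    return findings


# SSL keywords exactly as posted in the question above.
POSTED_CONF = """\
gsk_ssl_key_location /etc/jazz405/ccm/bfagentssl.kdb
gsk_ssl_kdb_password 93a2686a707787d400f7f2d401194145b4e0c3cb695d0e1b58ec
gsk_keyring_label bfacert
gsk_ssl_protocol ALL
gsk_ssl_cipher_v2 6321
gsk_ssl_cipher_v3 0906030201
gsk_ssl_client_authentication false
gsk_password_encrypt true
"""

# Constructed hardened variant. The cipher list is certain; the protocol value
# is an assumption to be checked against the bfagent.conf reference.
HARDENED_CONF = """\
gsk_ssl_key_location /etc/jazz405/ccm/bfagentssl.kdb
gsk_ssl_kdb_password 93a2686a707787d400f7f2d401194145b4e0c3cb695d0e1b58ec
gsk_keyring_label bfacert
gsk_ssl_protocol TLSV1.2
gsk_ssl_cipher_v3 3D3C352F
gsk_ssl_client_authentication false
gsk_password_encrypt true
"""

if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONF), ("hardened", HARDENED_CONF)):
        print("==", label)
        for sev, msg in audit_ssl(parse_bfagent_conf(text)):
            print("%-6s %s" % (sev, msg))
    for rc in (410, 420):
        print("rc=%d: %s" % (rc, explain_rc(rc)))
```

Run against the posted configuration the checker reports every one of the five V3 ciphers as broken and the list as unusable, plus the SSLv2 list and the ALL protocol setting; the hardened copy comes back clean. Note that the debug log itself prints gsk_ssl_kdb_password (in its encrypted form because gsk_password_encrypt is true), which is why the encrypt keyword is checked rather than assumed.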
4 answers
Yes, I am aware that the newer digest type and a stronger key length are required.
Could you please add
gsk_ssl_cipher_v3 0a
in your bfagent.conf file
Comments
Hi, Jean
Comments
Donald Nong
Jun 15 '14, 11:18 p.m.
Check the corresponding error messages for the two return codes.
http://publib.boulder.ibm.com/infocenter/zvm/v5r4/topic/com.ibm.zvm.v54.kijl0/hcsk7b3040.htm#wq211
RC 410 means "incorrectly-formatted message received from peer application". Maybe you can use tcpdump to capture the network traffic and see what was being transferred.
Sathya moorthy
Jun 16 '14, 2:08 a.m.
Thanks Donald Nong. Yes, I had found what the reason codes for RC 410 and RC 420 mean, but I'm not sure why it's happening. I'll check with tcpdump.
Regards,
Sathya
Eric Kung
Aug 24 '17, 9:10 p.m.
Hi, Sathya,
Sathya moorthy
Aug 25 '17, 1:25 a.m.
Hi Eric,
Yes, it was resolved and we were able to use TLS 1.2. I'm not able to recollect the details now. Can you share your log and conf details?
Regards,
Sathya
Eric Kung
Aug 27 '17, 6:44 p.m.
Hi, Sathya,
Sathya moorthy
Aug 28 '17, 11:14 a.m.
I had a copy of my conf file. I have enabled trace, where you can get more info regarding the issue.
gsk_trace_file /tmp/rtc/gskssl.trc
gsk_trace 0xFF
gsk_ssl_key_location /etc/jazz405/ccm/bfagentssl.kdb
gsk_ssl_kdb_password 93a2686a707787d400f7f2d401194145b4e0c3cb695d0e1b58ec
gsk_keyring_label bfacert
gsk_ssl_protocol ALL
gsk_ssl_cipher_v2 6321
gsk_ssl_cipher_v3 0906030201
gsk_ssl_client_authentication false
gsk_password_encrypt true
You can comment this ssl_protocol TLSv1.2.
After the change, can you restart the build agent and check the logs and trace.
Regards,
Sathya
Eric Kung
Aug 28 '17, 7:13 p.m.
Hi, Sathya,
Sathya moorthy
Aug 29 '17, 6:56 a.m.
I don't have any more access to the RTC Build Agent, so I can't check the logs or issue commands. I'm answering your questions based on my experience here.
I see the gsktrace shows the following:
ERROR gsk_dll_init_once(): Unable to load crypto DLL EDC5205S DLL module not found.
This means that the Security Level 3 FMID JCPT3D1 is not installed and that means you will only be able to use Base Security Level ciphers.
You will need to order FMID JCPT3D1 to use the stronger ciphers.
Are you doing everything on Mainframe or ADCD package?
Regards,
Sathya
Eric Kung
Aug 29 '17, 8:46 p.m.
Hi, Sathya