search cancel

CCITCP and CCITCPGW show as non-encrypted in monitors (zERT)

book

Article ID: 239796

calendar_today

Updated On:

Products

COMMON SERVICES FOR Z/OS

Issue/Introduction

You have been researching why the zERT tool views the two CCI tasks (CCISSL & CCISSLGW) as not encrypted when they actually are.

Based on trace information, the results show that the CCI tasks are not following SSL protocol.

Here is what is supposed to happen:  There is a TCP 3-way handshake that occurs, Syn, Syn Ack and then an Ack.  After that completes it expects to see the TLS/SSL handshake (Client/Server Hello and exchange). 

What’s happening is that after the TCP 3-way handshake the client is sending some bogus packets. 

IBM zERT’s is watching the TCP 3-way handshake and is looking for the next packet to be the Client Hello and instead it is seeing these bogus packets so it quits observing the connection and marks it as unencrypted.

Environment

Release : 15.0
Component : CAICCI MVS

Cause

After some research, including analyzing the packets using WireShark, we saw what is occurring.  Despite what zERT reports, we confirm that connections are indeed secured and the data is encrypted.

The CCISSL and CCISSLGW tasks are set up to be able to handle connections with many different combinations of parameters.  They are started with a list of connection parameters that they support, and then later set up an individual connection based on what the client task supports.  This way, the same task can handle incoming connections for both secure and unsecure connections if desired.

To do this, we accept all connections unsecured.  This is where we see the TCP handshake.  Followed by this, the two CCI tasks send a message to each other to communicate the desired parameters of the connection.  Once both the client and server know how to proceed, if they agree on an encrypted connection then a Client-Hello message will be sent to start the TLS handshake.

The zERT tool only seems to check the connection immediately after the initial TCP handshake to see if there was a Client-Hello message.  Since this did not happen, it is marked as unsecure even though the TLS handshake occurs shortly after.

Resolution

CCS PTF LU05566 has been published to add an API call in CCISSLGW/CCISSL to notify zERT before each handshake.

Additional Information

zERT is an optional reporting tool that must be enabled in the TCP/IP stack to utilize it.