AT/TLS config:
TcpImage TCPIP /etc/pagent.conf FLUSH PURGE
##LogLevel 31 ## Default logging level.
##LogLevel 511 ## gives the most verbose logging
LogLevel 32 ## Be verbose - Default is 31.
ServicesConnection
{
Port 16311
ImageName TCPIP
Security Basic
}
AutoMonitorParms
{
MonitorInterval 86400 ## 24 hours.
RetryLimitCount 5
RetryLimitPeriod 86400 ## 24 hours.
}
AutoMonitorApps
{
AppName SYSLOGD
{
ProcName SYSLOGD
JobName SYSLOGD
StartParms -c
}
}
PAGENT_CONFIG_FILE=/etc/pagent.conf
PAGENT_LOG_FILE=/var/log/pagent.log
PAGENT_LOG_FILE_CONTROL=500,5
TZ=EST5EDT
-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Joe Monk
Sent: Monday, November 16, 2020 8:07 AM
To: [email protected]
Subject: Re: Need some help with SSL error
Sorry ... my email client cut off the ATTLS parms and I didn't see them.
Joe
On Mon, Nov 16, 2020 at 7:06 AM Joe Monk <[email protected]> wrote:
> Error 100B:
>
> 100B Unexpected SSL handshake encountered. An SSL handshake header was
> encountered on a basic port or the client immediately entered an SSL
> handshake for a CONNTYPE option value other than SECURE or ANY. Verify
> that the client and port settings are compatible.
> A quick google found this:
>
>
> https://www.ibm.com/support/pages/zos-communications-server-tls-needed-implement-tls-v12
>
> Joe
>
>
>
>
> On Mon, Nov 16, 2020 at 6:27 AM Edgington, Jerry <
> [email protected]> wrote:
>
>> I need some help, please. We have an automated system, using TN3270
>> screen scraping. Over the weekend, we IPL'ed, first time in April,
>> 2020 and now, when this "automated" system/client tries to connect
>> over TN3270, we are getting this error message:
>>
>> M 4100000 aaaa 20320 14:22:03.02 STC09624 00000090 EZZ6034I TN3270
>> CONN 0000025C LU **N/A** CONN DROP ERR 100B 864
>> E 864 00000090 IP..PORT:
>> ::FFFF:xx.xx.xx.xx..53084 EZBTTRCV
>>
>> The AT/TLS policy has changed since August, 2020. And we only have
>> TLS v1.2 turned on for only specific inbound IP addresses. We are
>> running z/OS v2.1, at this point
>>
>> Any suggestions, help or ideas, would be great.
>>
>> Thanks,
>> Jerry Edgington
>>
>> Here is the AT/TLS policy. I have masked the names for security reasons.
>> ##-------------------------------------------------------------------
>> ## Rules for yyy servers using xxxxxx IP over port 923
>> ##-------------------------------------------------------------------
>> TTLSRule yyy-xxxxxx-SSL
>> {
>> LocalAddrGroupRef xxxxx-Ip-Addr
>> RemoteAddrGroupRef yyy-Server-IpAddr
>> LocalPortRange 923
>> RemotePortRangeRef Port-Remote
>> Direction Inbound
>> Priority 500
>> TTLSGroupActionRef gAct1
>> TTLSEnvironmentActionRef eAct1
>> TTLSConnectionActionRef cAct-xxxxx
>> }
>>
>> TTLSConnectionAction cAct-xxxxx
>> {
>> HandshakeRole Server
>> TTLSCipherParmsRef cipher1~Default_Ciphers
>> TTLSConnectionAdvancedParmsRef cAdv-xxxxxx
>> CtraceClearText Off
>> Trace 7
>> }
>>
>> TTLSConnectionAdvancedParms cAdv-xxxx
>> {
>> HandshakeTimeout 30
>> CertificateLabel ATTLS
>> SecondaryMap Off
>> TLSv1.2 On
>> ApplicationControlled On
>> }
>>
>> TTLSEnvironmentAction eAct1
>> {
>> HandshakeRole Server
>> EnvironmentUserInstance 0
>> TTLSKeyringParmsRef keyR~ZOS112
>> }
>>
>>
>> ##-------------------------------------------------------------------
>> ## IP Address for yyy Servers
>> ##-------------------------------------------------------------------
>> IpAddrGroup yyy-Server-IpAddr {
>> IpAddr
>> {
>> Addr xx.xx.xx.xx
>> }
>> }
>>
>> ##-------------------------------------------------------------------
>> ## Ports Remote
>> ##-------------------------------------------------------------------
>> PortRange Port-Remote
>> {
>> Port 1024-65535
>> }
>>
>> ---------------------------------------------------------------------
>> - For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to [email protected] with the message: INFO
>> IBM-MAIN
>>
>
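Added example, not part of the original thread or of any IBM code: a small Python check for the condition the 100B text describes, telling whether the first bytes a client sends (for example, taken from a packet trace) are a TLS handshake record or Telnet negotiation. The function names, the port_is_basic flag and the sample byte strings are constructed for illustration.

```python
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello
TELNET_IAC = 0xFF      # Telnet "Interpret As Command" byte
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0",
            0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def classify_first_bytes(data: bytes) -> dict:
    """Classify the first bytes a client sent on a new TCP connection."""
    if not data:
        return {"kind": "empty"}
    if data[0] == TELNET_IAC:
        # Plain TN3270 clients speak Telnet option negotiation (IAC ...).
        return {"kind": "telnet"}
    if len(data) >= 5 and data[0] == TLS_HANDSHAKE and data[1] == 0x03:
        # Record header: type(1) version(2) length(2)
        rec_version, rec_len = struct.unpack("!HH", data[1:5])
        info = {"kind": "tls-handshake",
                "record_version": VERSIONS.get(rec_version, hex(rec_version)),
                "record_length": rec_len}
        # Handshake header: type(1) length(3), then ClientHello version(2).
        # TLS 1.3 clients also send 0x0303 here as legacy_version.
        if len(data) >= 11 and data[5] == CLIENT_HELLO:
            (hello_version,) = struct.unpack("!H", data[9:11])
            info["hello_legacy_version"] = VERSIONS.get(
                hello_version, hex(hello_version))
        return info
    return {"kind": "unknown"}

def matches_100b_condition(data: bytes, port_is_basic: bool) -> bool:
    """True when a TLS handshake arrives on a port treated as basic.

    Assumption: port_is_basic models 'a basic port' from the message
    text; it is a hypothetical flag, not a z/OS configuration keyword.
    """
    return port_is_basic and classify_first_bytes(data)["kind"] == "tls-handshake"

# Constructed samples: start of a ClientHello, and IAC WILL TERMINAL-TYPE.
SAMPLE_TLS = bytes.fromhex("160301002f0100002b0303") + bytes(32)
SAMPLE_TELNET = bytes.fromhex("fffb18")

if __name__ == "__main__":
    for name, sample in (("tls", SAMPLE_TLS), ("telnet", SAMPLE_TELNET)):
        print(name, classify_first_bytes(sample),
              matches_100b_condition(sample, port_is_basic=True))
```
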