Look at the pre-IPL TCPIP STC output, and compare to current. It was the messages in and around here that were bad:

System SSL: SHA-1 crypto assist is available
System SSL: SHA-224 crypto assist is available
System SSL: SHA-256 crypto assist is available
System SSL: SHA-384 crypto assist is available
System SSL: SHA-512 crypto assist is available
System SSL: DES crypto assist is available
System SSL: DES3 crypto assist is available
System SSL: AES 128-bit crypto assist is available
System SSL: AES 256-bit crypto assist is available
System SSL: AES-GCM crypto assist is available
System SSL: Cryptographic accelerator is not available
System SSL: Cryptographic coprocessor is available
System SSL: Public key hardware support is available
System SSL: Max RSA key sizes in hardware - signature 4096, encryption 4096, verification 4096
System SSL: ECC secure key support is available. Maximum key size 521
System SSL: ICSF Secure key PKCS11 support is not available
System SSL: ICSF FMID is HCR77E0
EZZ0162I HOST NAME FOR TCPIP IS hmsystk2

Dave Jousma
Vice President | Director, Technology Engineering

From: IBM Mainframe Discussion List <[email protected]> on behalf of Phil Smith III <[email protected]>
Date: Monday, April 14, 2025 at 2:17 PM
To: [email protected] <[email protected]>
Subject: Re: GSK question

Thanks. This might be the answer, though I may not be able to tell.

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Jousma, David
Sent: Monday, April 14, 2025 2:11 PM
To: [email protected]
Subject: Re: GSK question

AFAIK, there is no shutting off SYSTEM SSL. Years ago, and a few generations of Crypto adapters ago, we IPL’d before Crypto adapters were fully initialized (there is a time factor when installing MCL’s), and System SSL was “broken” from a TCPIP perspective. The fix was to recycle TCPIP, we elected to IPL, because the cycle of TCPIP was just about as invasive. This caused us all kinds of problems and it took a bit to track down that TCPIP came up before crypto was available.
I have no idea if this exposure still exists, but to this day, we still wait for crypto adapters to be fully initialized before we IPL anything.

Dave Jousma
Vice President | Director, Technology Engineering

From: IBM Mainframe Discussion List <[email protected]> on behalf of Phil Smith III <[email protected]>
Date: Monday, April 14, 2025 at 1:55 PM
To: [email protected] <[email protected]>
Subject: GSK question

Is there a way to turn off GSK (System SSL)?

We have a customer who had a problem where our STC suddenly wouldn't start: it would try to connect (to a server off z/OS) and that would fail. Connectivity SEEMED ok otherwise, and of course "nothing has changed". A gsktrace produced nothing. After some back-and-forth, they reIPLed and now it's fine. (Which I 50% wish they hadn't done, so we could get more info; and am 50% glad they did, of course, since it fixed the problem!)

All I can think is that GSK was broken somehow. If there was a GSKsomething STC I'd kill that and try, see if I got the same symptoms, but there isn't. Is it just baked into TCP/IP? Any other ideas about something I can kill that would break GSK? I can do anything I want on our system and then reIPL if needed.

Thanks for any ideas.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
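The comparison suggested at the top of the thread (pre-IPL TCPIP STC output against current), as an added example that is not code from any poster: it parses the "System SSL:" startup messages from two saved job logs and lists every capability whose state differs. The function names are hypothetical, and the pre-IPL sample is constructed for illustration; it is not the output from either incident described in the thread.

```python
import re

# "System SSL: <capability> is [not] available", the wording shown in the thread.
_STATE = re.compile(r"System SSL:\s+(?P<name>.+?)\s+is\s+(?P<neg>not\s+)?available\b")
# "System SSL: ICSF FMID is HCR77E0"
_FMID = re.compile(r"System SSL:\s+ICSF FMID is\s+(?P<fmid>\S+)")


def parse_system_ssl(joblog):
    """Map each System SSL capability named in a job log to its reported state."""
    caps = {}
    for line in joblog.splitlines():
        m = _STATE.search(line)
        if m:
            caps[m.group("name")] = "not available" if m.group("neg") else "available"
            continue
        m = _FMID.search(line)
        if m:
            caps["ICSF FMID"] = m.group("fmid")
        # Other lines (e.g. "Max RSA key sizes ...", EZZ messages) are ignored.
    return caps


def diff_system_ssl(before, after):
    """Return (capability, state_before, state_after) for every difference."""
    old, new = parse_system_ssl(before), parse_system_ssl(after)
    return [(name, old.get(name, "absent"), new.get(name, "absent"))
            for name in sorted(set(old) | set(new))
            if old.get(name, "absent") != new.get(name, "absent")]


# Subset of the "current" messages quoted in the thread.
CURRENT_LOG = """\
System SSL: SHA-256 crypto assist is available
System SSL: Cryptographic accelerator is not available
System SSL: Cryptographic coprocessor is available
System SSL: Public key hardware support is available
System SSL: ICSF FMID is HCR77E0
"""

# CONSTRUCTED sample of a start-up that ran before the adapters were ready.
PRE_IPL_LOG = """\
System SSL: SHA-256 crypto assist is available
System SSL: Cryptographic accelerator is not available
System SSL: Cryptographic coprocessor is not available
System SSL: Public key hardware support is not available
"""

if __name__ == "__main__":
    for name, was, now in diff_system_ssl(PRE_IPL_LOG, CURRENT_LOG):
        print(f"{name}: {was} -> {now}")
```
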
