Managing SSL security and certificates for connections between CICS Explorer® and CICS® systems.
Connections between CICS Explorer and CICS systems are secured by using the SSL protocol. By default, certificate management is enabled for CICS Explorer.
In Explorer:
IZE0106E Connect failed with error "javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure (SYSA CMCI SECURE)"
In the job log:
DFHSO0123 09/19/2012 10:13:22 IYCYZC2K Return code 402 received from function 'gsk_secure_socket_init' of System SSL. Reason: No common ciphers negotiated. Peer: 9.20.210.250, TCPIPSERVICE: XFHWUTCP.
You can use the Security and certificate management dialog to turn SSL on or off, and to define keystores for your certificates.
You can use the Security and certificate management window to define a keystore and a truststore. A keystore is an encrypted file that contains the certificate that your system presents to another system to describe itself. A truststore is a type of keystore that contains the SSL certificates that are used to control connection authentication to servers. The truststore can be held in a central location. The dialog also contains some optional parameters that provide explicit control of some of the protocols that are used during connection negotiation. Ask your network administrator for information about the keystores in your organization.
CICS Explorer provides a default keystore in the user's workspace that can serve as both a truststore and keystore. The default pass phrase for the truststore is changeit.
For more information, see Managing SSL security and certificates.
The Add CICS Management Interface Connection dialog contains a check box to select SSL security for the connection.
When you make a connection, CICS Explorer checks that the SSL settings are the same. If, for example, you do not select the Secure connection (SSL) check box and the server expects SSL, the connection fails. On the first attempt to make this connection, CICS Explorer shows a message that indicates the mismatch and gives you an opportunity to try the connection with SSL enabled.
The Ambiguity dialog is shown only for existing (old) connections where the SSL setting was not confirmed by a previous version of CICS Explorer, for example after an Explorer upgrade or an import (not a load).
If you connect to a server for the first time, CICS Explorer prompts you to accept the certificate if it does not exist in the keystores.
Read the information in the certificate carefully and satisfy yourself that this connection is to the server you expect and that the connection is valid. If you click OK, the certificate is accepted and stored in the keystore. It is then used on every subsequent attempt to connect with this server. You are not prompted again to check the certificate.
You can manage the certificates in your keystore with the iKeyman utility. This utility is supplied as part of the IBM Java Security Socket Extension package.
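The DFHSO0123 job log message shown earlier names the failing System SSL function, the reason, the peer address and the TCPIPSERVICE, so handshake failures can be grouped by client when you triage them. The following is an added example, not IBM code: the function names are hypothetical, the pattern is derived only from the one message on this page, and the sample job log is constructed (it assumes messages may wrap across lines).

```python
import re
from collections import Counter

# Pattern derived from the single DFHSO0123 message shown on this page.
DFHSO0123 = re.compile(
    r"DFHSO0123\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<applid>\S+)\s+Return code (?P<rc>\d+) received from function "
    r"'(?P<function>[^']+)' of System SSL\.\s+Reason: (?P<reason>[^.]+)\.\s+"
    r"Peer: (?P<peer>[^,\s]+),\s+TCPIPSERVICE: (?P<service>\w+)"
)

# Constructed sample: the first entry is the page's message, wrapped over
# three lines; the other entries reuse its values with constructed times/peers.
SAMPLE_JOBLOG = """\
DFHSO0123 09/19/2012 10:13:22 IYCYZC2K Return code 402 received from function
 'gsk_secure_socket_init' of System SSL. Reason: No common ciphers negotiated.
 Peer: 9.20.210.250, TCPIPSERVICE: XFHWUTCP.
DFHSO0123 09/19/2012 10:14:05 IYCYZC2K Return code 402 received from function
 'gsk_secure_socket_init' of System SSL. Reason: No common ciphers negotiated.
 Peer: 9.20.210.250, TCPIPSERVICE: XFHWUTCP.
DFHSO0123 09/19/2012 10:20:41 IYCYZC2K Return code 402 received from function
 'gsk_secure_socket_init' of System SSL. Reason: No common ciphers negotiated.
 Peer: 192.0.2.15, TCPIPSERVICE: XFHWUTCP.
(constructed) unrelated job log line
"""


def parse_dfhso0123(joblog):
    """Return one dict per DFHSO0123 message found in the job log text."""
    flat = " ".join(joblog.split())  # undo line wrapping before matching
    return [m.groupdict() for m in DFHSO0123.finditer(flat)]


def failures_by_peer(events):
    """Count failures per (peer, TCPIPSERVICE, reason)."""
    return Counter((e["peer"], e["service"], e["reason"]) for e in events)


if __name__ == "__main__":
    events = parse_dfhso0123(SAMPLE_JOBLOG)
    for (peer, service, reason), n in failures_by_peer(events).most_common():
        print(f"{n} failure(s) from {peer} on {service}: {reason}")
```

A peer that repeatedly fails with "No common ciphers negotiated" points to a client whose protocol and cipher settings do not overlap with those of the TCPIPSERVICE.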