Frequently asked questions (FAQs)

This section provides answers to frequently asked questions about problems that you might encounter when using CICS Explorer®.

IZE0106E Connect failed with "HTTPS hostname wrong" after upgrading to IBM Explorer for z/OS 3.2.0.12

Problem
After upgrading to IBM® Explorer for z/OS® 3.2.0.12 (shipped with CICS Explorer 5.5.0.10), connections to some secure hosts fail with error message IZE0106E "HTTPS hostname is wrong". This is because IBM Explorer for z/OS is updated to remove a potential security vulnerability.
Symptom
Secure connections to CMCI, CICS®, FTP, z/OSMF, or other encrypted hosts fail with this error message:
IZE0106E Connect failed with error "HTTPS hostname wrong: should be <hostname.domain.com>" (Your connection name)
Cause
When connecting to a host that uses SSL, IBM Explorer for z/OS verified that the certificate was trusted either through trust chains in the truststore of IBM Explorer for z/OS, or because the certificate had previously been accepted. The hostname associated with the certificate was not checked.

To avoid the possibility of a man-in-the-middle attack where you are redirected to a compromised machine with a trusted certificate, IBM Explorer for z/OS 3.2.0.12 is updated to verify that the hostname to which a certificate is registered or any Subject Alternative Name listed in the certificate matches the hostname in your connection details.

If the hostnames do not match, the connection fails and error message IZE0106E is shown.

Resolving The Problem

Recommended: Choose either of the following ways to fix the mismatch between the certificate and connection details:

  • In the Explorer Host Connections view, update the hostname of the connection to match that of the certificate
  • Regenerate the certificate with the correct hostname in it. You might need the assistance from your system administrator to regenerate the certificate.

The specified hostname in your connection details must exactly match the Common Name (CN) specified in the certificate, or any Subject Alternative Names (SAN) listed.

Alternatively, you can remove the security check by disabling the hostname verification as follows. But make sure you understand the consequences when doing so.
  1. Open the Preferences dialog by selecting Window > Preferences from the menu.
  2. Select Explorer > Certificate Management from the pane.
  3. Select the Disable SSL hostname verification option.
System administrator can prevent users from disabling this option by setting the system property com.ibm.cics.core.connections.allowOverrideHostnameVerification to false. System administrators can set this property within the zosexplorer.ini or eclipse.ini file in the installation folder. Below the -vmargs line, add a line containing:
-Dcom.ibm.cics.core.connections.allowOverrideHostnameVerification=false

The option to disable SSL hostname verification inside Explorer will then be disabled.

For FTPS connections, you must also install IBM Explorer for z/OS 3.2.0.13. This release contains an additional fix required for the correct operation of certificate hostname verification of FTPS connections.

When selecting a target platform of CICS TS, I get a warning: You have selected a target with a newer version than your current Eclipse installation.

Problem
When I select a Target Platform of CICS TS 5.5 or higher, I get the following warning message in CICS Explorer:
You have selected a target with a newer version than your current Eclipse installation.  
This can cause unexpected behavior in PDE.  Please use a newer version of Eclipse.
Symptom

This symptom occurs to CICS Explorer on Aqua 3.2 when users select a Target Platform of CICS TS 5.5 or higher.

Cause

CICS Explorer on Aqua 3.2 displays this warning message because the version of org.eclipse.osgi supplied with the CICS TS target platform is newer than the version supplied with the Eclipse base of CICS Explorer on Aqua 3.2.

CICS Explorer on Aqua 3.3 does not have the same problem.

Resolving the Problem
No unexpected behavior has been found with this warning message. You can ignore it.