IZE0106E Connect failed with "HTTPS hostname wrong" after upgrading to IBM Explorer for z/OS 3.2.0.12
Problem
After upgrading to IBM® Explorer for z/OS® 3.2.0.12 (shipped with CICS Explorer® 5.5.0.10), connections to some secure hosts fail with error message IZE0106E "HTTPS hostname is wrong". The failure occurs because IBM Explorer for z/OS was updated to remove a potential security vulnerability.
Symptom
IZE0106E Connect failed with error "HTTPS hostname wrong: should be <hostname.domain.com>" (Your connection name)
Cause
Before this update, when connecting to a host that uses SSL, IBM Explorer for z/OS verified that the certificate was trusted either through trust chains in the truststore of IBM Explorer for z/OS, or because the certificate had previously been accepted. The hostname associated with the certificate was not checked.
To avoid the possibility of a man-in-the-middle attack where you are redirected to a compromised machine with a trusted certificate, IBM Explorer for z/OS 3.2.0.12 is updated to verify that the hostname to which a certificate is registered, or any Subject Alternative Name listed in the certificate, matches the hostname in your connection details.
If the hostnames do not match, the connection fails and error message IZE0106E is shown.
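The check described above, as an added illustration in Python (not IBM Explorer for z/OS code): it compares a connection hostname with the subject common name and Subject Alternative Names of a certificate. The sample certificate, the host names and the wildcard rule (left-most label only) are assumptions, not taken from the product.

```python
# Added illustration: not IBM Explorer for z/OS code.
# Certificates use the dict layout returned by ssl.SSLSocket.getpeercert().

def cert_names(cert):
    """Collect the subject CN and every DNS / IP Subject Alternative Name."""
    names = [value for rdn in cert.get("subject", ())
             for key, value in rdn if key == "commonName"]
    names += [value for kind, value in cert.get("subjectAltName", ())
              if kind in ("DNS", "IP Address")]
    return names

def name_matches(pattern, host):
    """Case-insensitive match; '*' may stand only for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    # Assumed rule: no wildcard for IP addresses or two-label patterns like *.com
    if p[0] == "*" and len(p) > 2 and not h[-1].isdigit():
        p, h = p[1:], h[1:]
    return p == h

def check_connection(cert, host):
    """Return (ok, names); ok is False where a hostname mismatch is expected."""
    names = cert_names(cert)
    return any(name_matches(n, host) for n in names), names

# Constructed sample certificate (hypothetical host names).
SAMPLE_CERT = {
    "subject": ((("commonName", "zos1.example.com"),),),
    "subjectAltName": (("DNS", "zos1.example.com"),
                       ("DNS", "*.cics.example.com")),
}

if __name__ == "__main__":
    # Short name and IP address fail even though they reach the same host.
    for host in ("zos1.example.com", "zos1", "192.0.2.10",
                 "cmci.cics.example.com"):
        ok, names = check_connection(SAMPLE_CERT, host)
        detail = "match" if ok else "MISMATCH, certificate names: " + ", ".join(names)
        print(f"{host:25} {detail}")
```

A connection defined with a short name or an IP address fails this check when the certificate lists only fully qualified names, which is the usual reason the connection hostname needs updating.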
Resolving the problem
Recommended: Choose either of the following ways to fix the mismatch between the certificate and connection details:
- In the Explorer Host Connections view, update the hostname of the connection to match that of the certificate.
- Regenerate the certificate with the correct hostname in it. You might need assistance from your system administrator to regenerate the certificate.
- Visit https://<cmci_host>:<cmci_port> in a web browser. This is not a valid web page, but your browser accesses the server certificate.
- Use the browser interface to view the certificate details. Often this is accessed to the left of the browser address bar.
- Open the Preferences dialog by selecting from the menu.
- Select from the pane.
- Select the Disable SSL hostname verification option.
com.ibm.cics.core.connections.allowOverrideHostnameVerification to false. System administrators can set this property within the zosexplorer.ini or eclipse.ini file in the installation folder. Below the -vmargs line, add a line containing:
-Dcom.ibm.cics.core.connections.allowOverrideHostnameVerification=false
The option to disable SSL hostname verification inside CICS Explorer will then be disabled.
For FTPS connections, you must also install IBM Explorer for z/OS 3.2.0.13. This release contains an additional fix required for the correct operation of certificate hostname verification of FTPS connections.