IZE0106E Connect failed with "HTTPS hostname wrong" after upgrading to IBM Explorer for z/OS 3.2.0.12

Problem

After upgrading to IBM® Explorer for z/OS® 3.2.0.12 (shipped with CICS Explorer® 5.5.0.10), connections to some secure hosts fail with error message IZE0106E "HTTPS hostname is wrong". This happens because IBM Explorer for z/OS has been updated to remove a potential security vulnerability.

Symptom

Secure connections to CMCI, CICS®, FTP, z/OSMF, or other encrypted hosts fail with this error message:
IZE0106E Connect failed with error "HTTPS hostname wrong: should be <hostname.domain.com>" (Your connection name)

Cause

Before this update, when connecting to a host that uses SSL, IBM Explorer for z/OS verified only that the certificate was trusted, either through trust chains in the truststore of IBM Explorer for z/OS or because the certificate had previously been accepted. The hostname associated with the certificate was not checked.

To prevent a man-in-the-middle attack in which you are redirected to a compromised machine that presents a trusted certificate, IBM Explorer for z/OS 3.2.0.12 now verifies that the hostname in your connection details matches the hostname to which the certificate is registered or one of the Subject Alternative Names listed in the certificate.

If the hostnames do not match, the connection fails and error message IZE0106E is shown.

Resolving the problem

Recommended: Choose either of the following ways to fix the mismatch between the certificate and connection details:

  • In the Explorer Host Connections view, update the hostname of the connection to match that of the certificate.
  • Regenerate the certificate with the correct hostname in it. You might need assistance from your system administrator to regenerate the certificate.

The specified hostname in your connection details must exactly match the Common Name (CN) specified in the certificate, or any Subject Alternative Names (SAN) listed. To find the Common Name (CN), take the following steps:

  1. Visit https://<cmci_host>:<cmci_port> in a web browser. This address does not serve a valid web page, but the browser still retrieves the server certificate.
  2. Use the browser interface to view the certificate details. These are often accessible from the left of the browser address bar.
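
An offline check of the matching rule above, added here as an example and not IBM code: it compares connection hostnames with a certificate's CN and SAN entries and proposes the name to use. The certificate dict (in the shape of Python's ssl.SSLSocket.getpeercert()), the connection names, and case-insensitive comparison are assumptions; wildcard entries are not expanded.

```python
import ipaddress

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "cmci.zos.example.com"),)),
    "subjectAltName": (("DNS", "cmci.zos.example.com"),
                       ("DNS", "cicsplex1.example.com"),
                       ("IP Address", "192.0.2.10")),
}

def _norm(name):
    """Lower-case DNS names; canonicalise IP literals so equal addresses compare equal."""
    name = name.strip()
    try:
        return str(ipaddress.ip_address(name))
    except ValueError:
        return name.lower()   # assumption: DNS names compare case-insensitively

def cert_names(cert):
    """Return the CN values and SAN entries (DNS and IP) a connection host may match."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for kind, v in cert.get("subjectAltName", ()) if kind in ("DNS", "IP Address")]
    return list(dict.fromkeys(_norm(n) for n in names))   # de-duplicate, keep order

def check_connection(host, cert):
    """Return (ok, suggestion). Exact match only, as the page states; no wildcard expansion."""
    names = cert_names(cert)
    wanted = _norm(host)
    if wanted in names:
        return True, None
    # Common cause: a short hostname was configured but the certificate holds the FQDN.
    fqdn = [n for n in names if n.startswith(wanted + ".")]
    return False, (fqdn[0] if fqdn else (names[0] if names else None))

def audit(connections, cert):
    """Map each connection name to 'ok' or the hostname to use instead."""
    report = {}
    for label, host in connections.items():
        ok, suggestion = check_connection(host, cert)
        report[label] = "ok" if ok else f"mismatch: use {suggestion}"
    return report

if __name__ == "__main__":
    # Hypothetical connection definitions, as entered in the Host Connections view.
    conns = {"CMCI prod": "cmci", "CMCI alt": "CICSPLEX1.example.com", "by IP": "192.0.2.10"}
    for label, result in audit(conns, SAMPLE_CERT).items():
        print(f"{label}: {result}")
```
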

Alternatively, you can remove the security check by disabling hostname verification as follows. Make sure that you understand the consequences before you do so: with verification disabled, the hostname check described under Cause is no longer performed.
  1. Open the Preferences dialog by selecting Window > Preferences from the menu.
  2. Select Explorer > Certificate Management from the pane.
  3. Select the Disable SSL hostname verification option.

System administrators can prevent users from disabling hostname verification by setting the system property com.ibm.cics.core.connections.allowOverrideHostnameVerification to false. Set this property in the zosexplorer.ini or eclipse.ini file in the installation folder. Below the -vmargs line, add a line containing:
-Dcom.ibm.cics.core.connections.allowOverrideHostnameVerification=false

With this property set, users can no longer select the Disable SSL hostname verification option in CICS Explorer.

For FTPS connections, you must also install IBM Explorer for z/OS 3.2.0.13. This release contains an additional fix required for the correct operation of certificate hostname verification of FTPS connections.