Managing SSL security and certificates for connections between CICS Explorer® and CICS® systems.
Connections between CICS Explorer and CICS systems are secured using the SSL protocol. By default, certificate management is enabled for CICS Explorer.
In Explorer:
IZE0106E Connect failed with error "javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure (SYSA CMCI SECURE)"
In the job log:
DFHSO0123 09/19/2012 10:13:22 IYCYZC2K Return code 402 received from function 'gsk_secure_socket_init' of System SSL.
Reason: No common ciphers negotiated.
Peer: 9.20.210.250, TCPIPSERVICE: XFHWUTCP.
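As an added example (not part of the IBM documentation), this Python script parses DFHSO0123 messages like the one in the job log above and counts failures by TCPIPSERVICE, peer, return code and reason, so that a repeated cipher mismatch from one client stands out. The function names are hypothetical, and every sample line other than the first message is constructed for illustration.

```python
import re
from collections import Counter

# Field layout taken from the DFHSO0123 message shown above. The message can
# wrap across job log lines, so whitespace between fields is matched loosely.
DFHSO0123 = re.compile(
    r"DFHSO0123\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<applid>\S+)\s+Return code\s+(?P<rc>\d+)\s+received from function\s+"
    r"'(?P<function>[^']+)'\s+of System SSL\.\s+Reason:\s+(?P<reason>.+?)\.\s+"
    r"Peer:\s+(?P<peer>[^,\s]+),\s+TCPIPSERVICE:\s+(?P<service>\w+)\."
)

def parse_ssl_failures(job_log: str) -> list[dict]:
    """Return one dict per DFHSO0123 message, whether wrapped or on one line."""
    flat = " ".join(job_log.split())  # undo line wrapping before matching
    return [m.groupdict() for m in DFHSO0123.finditer(flat)]

def summarize(failures: list[dict]) -> Counter:
    """Count failures per (TCPIPSERVICE, peer, return code, reason)."""
    return Counter(
        (f["service"], f["peer"], f["rc"], f["reason"]) for f in failures
    )

# First message is the one from the page; the rest is constructed sample data.
SAMPLE_JOB_LOG = """\
DFHSO0123 09/19/2012 10:13:22 IYCYZC2K Return code 402 received from function 'gsk_secure_socket_init' of System SSL.
Reason: No common ciphers negotiated.
Peer: 9.20.210.250, TCPIPSERVICE: XFHWUTCP.
(constructed) unrelated job log line
DFHSO0123 09/19/2012 10:14:05 IYCYZC2K Return code 402 received from function 'gsk_secure_socket_init' of System SSL. Reason: No common ciphers negotiated. Peer: 9.20.210.250, TCPIPSERVICE: XFHWUTCP.
DFHSO0123 09/19/2012 10:15:41 IYCYZC2K Return code 402 received from function
'gsk_secure_socket_init' of System SSL. Reason: No common ciphers negotiated. Peer: 192.0.2.10, TCPIPSERVICE: XFHWUTCP.
"""

if __name__ == "__main__":
    for (service, peer, rc, reason), count in summarize(
        parse_ssl_failures(SAMPLE_JOB_LOG)
    ).most_common():
        print(f"{count}x {service} <- {peer}: rc={rc} ({reason})")
```

Matching the peer address and timestamp against the workstation that reported IZE0106E identifies which Explorer connection and which TCPIPSERVICE need to agree on ciphers.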
You can use the Security and certificate management dialog to turn SSL on or off, and to define key stores for your certificates.
You can use the Security and certificate management dialog to define a key store and a trust store. A key store is an encrypted file that contains the certificate your system presents to another system to describe itself. A trust store is a type of key store that contains the SSL certificates that are used to control connection authentication to servers. The trust store can be held in a central location. The dialog also contains some optional parameters that provide explicit control of some of the protocols used during connection negotiation. Ask your network administrator for information about the key stores in your organization.
CICS Explorer provides a default key store in the user's workspace, which can serve as both a trust store and a key store. The default pass phrase for the trust store is "changeit".
For more information, see Managing SSL security and certificates.
The Add CICS Management Interface Connection dialog contains a check box to select SSL security for the connection.
When you make a connection, CICS Explorer checks that the SSL setting for the connection matches what the server expects. If, for example, you do not select the Secure connection (SSL) check box and the server expects SSL, the connection will fail. On the first attempt to make this connection, CICS Explorer will display a message indicating the mismatch and giving you an opportunity to retry the connection with SSL enabled.
The Ambiguity dialog is shown only for existing (old) connections whose SSL setting was not confirmed by a previous version of CICS Explorer, for example after an Explorer upgrade or an import (not a load).
If you connect to a server for the first time, CICS Explorer will prompt you to accept the certificate if it does not exist in the key stores.
Read the information in the certificate carefully and satisfy yourself that this connection is to the server you expect and that the connection is valid. If you click OK, the certificate will be accepted and stored in the key store. It will then be used on every subsequent attempt to connect with this server. You will not be prompted again to check the certificate.
You can manage the certificates in your key store with the IBM Key Management Tool (ikeyman). This tool is supplied as part of IBM Java.