How to fix $HASP1523 Unable to connect to z/OSMF server after installing Java8 SR6 FP3

By YE TIAN posted Wed August 18, 2021 10:55 PM


The Problem

Some users reported that their JES2EDS function stopped working after upgrading to Java8 SR6 FP30. This is because JES2EDS was using the TLS 1.0 protocol to communicate with z/OSMF, and as of Java8 SR6 FP30 TLS 1.0 is disabled by default for security reasons. You can refer to the IBM Java announcement of this change here:
https://www.ibm.com/docs/en/sdk-java-technology/8?topic=wn-service-refresh-6#security_whatsnew_sr6__fp30
WebSphere Liberty also released a technote on this change:
https://www.ibm.com/support/pages/node/6462659
This article will guide you through two different ways to fix or work around the problem.

Precheck

If you are not seeing any connection issues after upgrading to Java8 SR6 FP30, no action is needed.
If your JES2EDS fails to connect to z/OSMF after the Java upgrade, check for the following symptoms in your system.

  • In SYSLOG, “$HASP1529 106 0420 Socket closed by remote partner” is reported by JES2, followed by another message, “$HASP1523 Unable to connect to z/OSMF server.”
IEF196I IEF237I B120 ALLOCATED TO SYS00019
IEF196I IEF285I TCPIP.PEV048.TCPIP.DATA KEPT
IEF196I IEF285I VOL SER NOS= PEVTCP.
IEF196I IGD103I SMS UNIX FILE ALLOCATED TO DDNAME SYS00026
IEF196I IGD104I UNIX FILE WAS RETAINED, DDNAME IS (SYS00026)
IEF196I FILENAME IS (/etc/ipnodes)
$HASP1529 106 0420 Socket closed by remote partner
$HASP1534 z/OSMF server URI https://host:443/zosmf
$HASP1535 Current message is in email queue $EDSQ004 at offset 0000 672
in EMQT 000000015001
*$HASP1523 Unable to connect to z/OSMF server.


  • In the z/OSMF started task JOBLOG (by default, IZUSVR1), locate the CWWKO0801E error.
[ERROR ] CWWKO0801E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 is not enabled or supported in server context
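To check both logs for exactly this pattern, here is a small triage script added as an example (it is not part of the original post): it reads a SYSLOG excerpt and a z/OSMF job log excerpt, both constructed here from the messages quoted above, and reports whether the failure is the TLS protocol mismatch this article describes.

```python
import re

# Constructed excerpts built from the messages quoted in this post.
SYSLOG = """\
$HASP1529 106 0420 Socket closed by remote partner
$HASP1534 z/OSMF server URI https://host:443/zosmf
$HASP1535 Current message is in email queue $EDSQ004 at offset 0000 672
*$HASP1523 Unable to connect to z/OSMF server.
"""

IZUSVR1_LOG = """\
[ERROR   ] CWWKO0801E: Unable to initialize SSL connection. Unauthorized \
access was denied or security settings have expired. Exception is \
javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 \
is not enabled or supported in server context
"""

def triage(syslog, joblog):
    """Correlate JES2 and z/OSMF messages. 'tls_mismatch' is True only when
    JES2 reports the z/OSMF connect failure AND Liberty rejected the protocol
    the client offered (TLSv1 or TLSv1.1, the ones Java8 SR6 FP30 disables)."""
    result = {
        "socket_closed": "$HASP1529" in syslog,
        "jes2_connect_failed": "$HASP1523" in syslog,
        "zosmf_uri": None,
        "client_protocol": None,
    }
    m = re.search(r"\$HASP1534 z/OSMF server URI (\S+)", syslog)
    if m:
        result["zosmf_uri"] = m.group(1)
    m = re.search(r"CWWKO0801E:.*?Client requested protocol (\S+) is not enabled",
                  joblog, re.S)
    if m:
        result["client_protocol"] = m.group(1)
    result["tls_mismatch"] = (result["jes2_connect_failed"]
                              and result["client_protocol"] in ("TLSv1", "TLSv1.1"))
    return result

if __name__ == "__main__":
    for key, value in triage(SYSLOG, IZUSVR1_LOG).items():
        print(f"{key}: {value}")
```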

Recommended Fix

It’s recommended to use TLS 1.2 instead of TLS 1.0 as the System SSL system default. To enable TLS 1.2 by default, do the following.
  • 1. Create a parmlib member, for example CEEPRMAT, and add the environment variable GSK_PROTOCOL_TLSV1_2=ON to CEEDOPT, as the example below shows.
  • 2. Issue SET CEE=AT
File Edit Edit_Settings Menu Utilities Compilers Test Help
------------------------------------------------------------------------------
EDIT CIMSSRE.R25ONLY.PARMLIB(CEEPRMAT) - 01.00 Columns 00001 00072
****** ***************************** Top of Data ******************************
==MSG> -Warning- The UNDO command is not available until you change
==MSG> your edit profile using the command RECOVERY ON.
000001 CEEDOPT(ENVAR("GSK_PROTOCOL_TLSV1_2=ON") )
****** **************************** Bottom of Data ****************************



Alternative Fix

Enabling TLS 1.2 as the system default is more secure, but it may affect other z/OS components. If for any reason you don’t want to move to TLS 1.2, you can re-enable TLS 1.0 for z/OSMF by doing the following.

Disclaimer:
Restoring TLS 1.0 and TLS 1.1 may put your z/OSMF server at security risk; you do so at your own risk.

In order to make JES2 EDS work normally, you need to enable TLSv1 again. The following steps are one way to do it.

Steps to re-enable TLS 1.0

  • 1. Locate the file {JAVA_HOME}/lib/security/java.security; by default JAVA_HOME is /usr/lpp/java.
  • 2. Locate the line for the jdk.tls.disabledAlgorithms property and copy the whole line for later use.
………
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \ EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DES_CBC
………

  • 3. Locate the file ${ROOT}/defaults/servers/zosmfServer/jvm.security.override.properties; by default, the ROOT dir is /usr/lpp/zosmf. Make a copy of the file. The copy can be placed at any location; here we use /etc/zosmf/jvm.security.override.properties.
  • 4. Edit the copy at /etc/zosmf/jvm.security.override.properties. Add a new line to the file, paste the jdk.tls.disabledAlgorithms property and remove the TLSv1 and TLSv1.1 keywords, so that z/OSMF uses this disabledAlgorithms list in Java8 SR6 FP30.
security.provider.1=com.ibm.crypto.ibmjcehybrid.provider.IBMJCEHYBRID
security.provider.2=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
security.provider.4=com.ibm.crypto.provider.IBMJCE
security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
security.provider.6=com.ibm.security.cert.IBMCertPath
security.provider.7=com.ibm.security.sasl.IBMSASL
security.provider.8=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.9=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.11=sun.security.provider.Sun
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \ EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DES_CBC

Here are the sample commands issued in OMVS for your reference.
# cd /usr/lpp/zosmf/defaults/servers/zosmfServer/
# cp jvm.security.override.properties /etc/zosmf
# chmod 777 /etc/zosmf/jvm.security.override.properties
# oedit /etc/zosmf/jvm.security.override.properties

  • 5. Create a z/OSMF override file to make z/OSMF pick up the jvm.security.override.properties you just created. Here are the steps.
    • a. Locate the override file at ${USERDIR}/configuration/local_override.cfg. By default, USERDIR is /global/zosmf/. If there isn’t a local_override.cfg file, create a new empty file.
    • b. Make sure the z/OSMF server ID has read access to the file.
    • c. Edit the local_override.cfg file and add a line of
JVM_OPTIONS='-Djava.security.properties=/etc/zosmf/jvm.security.override.properties'
    • d. Save and close the file.
Here are the sample commands used in Step 5.
# touch /global/zosmf/configuration/local_override.cfg
# chmod 777 local_override.cfg
# oedit local_override.cfg
Then add a line of:
JVM_OPTIONS='-Djava.security.properties=/etc/zosmf/jvm.security.override.properties'

  • 6. Restart your z/OSMF. JES2EDS should be able to communicate with z/OSMF using TLS1.0.
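Added check, not part of the original post: the steps above rely on the JVM loading java.security first and then letting the file named by -Djava.security.properties replace same-named keys. This script computes the resulting jdk.tls.disabledAlgorithms from constructed copies of both files (including the trailing-backslash line continuation the real file uses) and confirms whether TLSv1 and TLSv1.1 are still disabled; it also flags the world-writable mode that the sample chmod 777 leaves on the override file.

```python
import stat

# Constructed excerpts of {JAVA_HOME}/lib/security/java.security and of the
# copied /etc/zosmf/jvm.security.override.properties from the steps above.
JAVA_SECURITY = """\
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \\
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DES_CBC
"""
OVERRIDE = """\
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \\
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DES_CBC
"""

def parse_properties(text):
    """Minimal java.security parser: '#' comments, key=value, and a trailing
    backslash that continues the value on the next physical line."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending = line[:-1]          # keep joining until the value ends
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def effective_disabled(java_security, override):
    """java.security is loaded first; keys in the -Djava.security.properties
    file (single '=' in the JVM_OPTIONS above) then override same-named keys."""
    props = parse_properties(java_security)
    props.update(parse_properties(override))
    value = props.get("jdk.tls.disabledAlgorithms", "")
    return {item.strip() for item in value.split(",") if item.strip()}

def tls10_blocked(java_security, override):
    """True when the effective policy still rejects a TLS 1.0 client hello."""
    return "TLSv1" in effective_disabled(java_security, override)

def world_writable(mode):
    """chmod 777 as in the sample lets any UID edit the TLS policy file;
    pass os.stat(path).st_mode to check a real file."""
    return bool(mode & stat.S_IWOTH)
```

Pointing parse_properties at the real java.security and override files checks a live z/OSMF configuration the same way.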

Disclaimer:
All the recommended solutions described above are provided for your reference only and they are not guaranteed by IBM to solve your problems.