  • 1.  Connecting to MySql from JAVA on z/OS

    Posted Mon October 04, 2021 01:16 PM
    Edited by Benny Ormson Mon October 04, 2021 01:25 PM
    Does anyone here have experience connecting to a cloud-based MySql 8.0 server from JAVA on z/OS?

    I am getting an error saying it cannot find a TLS 1.2 cipher suite. I know it exists because we have a WebSocket implementation using TLS 1.2 and it works fine. MySql 8.0 has a known issue for this exact problem and a workaround by setting a MySql environment variable: sqlprop.setProperty("enabledTLSProtocols","TLSv1.2"); This has apparently resolved the problem for others but has not for me.

    The code works perfectly fine from a Windows desktop with and without enabledTLSProtocols set. It only fails from z/OS.

    The actual log messages from the debug trace are below. If you have any experience on how to resolve this I would appreciate it.

    javax.net.ssl|FINE|01|main|2021-10-03 16:46:09.109 CDT|Thread.java:1164|No available cipher suite for TLS12

    javax.net.ssl|SEVERE|01|main|2021-10-03 16:46:09.121 CDT|Thread.java:1164|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking

    javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

    Thanks,
    Benny


  • 2.  RE: Connecting to MySql from JAVA on z/OS

    Posted Tue October 05, 2021 05:29 AM
    Hi Benny,

    I have no skill in running JAVA clients on z/OS, sorry!
    But I hope this might still be helpful.

    1. Your java client uses JSSE for SSL handshake, so you need to know
    where the JAVA-Truststore on z/OS exists, and if so whether the public certificate
    from the mysqlserver was imported in that truststore.

    Do you use anonymous TLS authentication or mutual TLS authentication?

    On Windows, I assume, you have created a truststore yourself by using java keytool?

    On z/OS certificates are stored in SAF keyring.
    So in principle your truststore and keystore may reside in the same SAF keyring or in different ones.

    The z/OS JAVA keystore type might not be jks but instead jceracfks or some others.

    So maintaining java truststores and keystores in z/OS is completely different.

    Can you contact your SAF/RACF system admin for assistance?
        - which keyring is configured and where to find the imported certificates
        - who the owner of the keyring is
        - whether your running user is SAF-authorized to access this keyring

    2. Can you see in the JSSE-SSL-handshake-trace whether your client could successfully locate your
         local truststore, in order to validate the mysql-server certificate?

         Which TLS1.2 SSL_CIPHER_SPEC does the server demand for handshake?

    3. Do you use z/OS AT-TLS or System SSL for handshake?
         For AT-TLS check SMF Type 119(2) records for additional SSL-Handshake debug information

    4. If you use z/OS System SSL, you have to know how the SSL server started task
         GSKSRVR is configured and which TLS cipher specifications it supports.

    5. You can also configure and activate zERT on your local z/OS system
         (z/OS Encryption Readiness Technology).
         This traces all TLS-encrypted local network traffic on z/OS, including System SSL, openSSH, AT-TLS, JSSE.

          https://community.ibm.com/community/user/ibmz-and-linuxone/blogs/destination-z1/2019/12/23/monitoring-your-zos-network-traffic

          If activated, look at SMF Type119(11) and Type119(12)

    ------------------------------
    Magnus
    ------------------------------
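
An added example, not code from either poster: a small JSSE inventory that can be run unchanged on the Windows desktop and on z/OS, so the TLS 1.2 protocol and cipher suite lists behind the "No available cipher suite for TLS12" message can be compared side by side. The class name `TlsInventory` is an assumption; only standard `java.security` and `javax.net.ssl` calls are used.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added diagnostic (hypothetical class name, not from the thread): prints what
// this JVM's JSSE provider offers for TLS 1.2 so two platforms can be diffed.
public class TlsInventory {

    static void dump(String label, String[] values) {
        System.out.println(label + " (" + values.length + "):");
        Arrays.stream(values).sorted().forEach(v -> System.out.println("  " + v));
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));
        System.out.println("java.version = " + System.getProperty("java.version"));

        // SSLContext.getInstance() without an explicit provider takes the first
        // registered provider that implements the requested protocol.
        for (Provider p : Security.getProviders()) {
            if (p.getService("SSLContext", "TLSv1.2") != null) {
                System.out.println("SSLContext/TLSv1.2 provider: " + p.getName());
            }
        }

        // Security properties that can remove protocols or suites from the
        // enabled set without any change in application code.
        for (String prop : new String[] {
                "jdk.tls.disabledAlgorithms", "jdk.certpath.disabledAlgorithms"}) {
            System.out.println(prop + " = " + Security.getProperty(prop));
        }

        // System properties that select the client protocols and truststore.
        for (String prop : new String[] {
                "jdk.tls.client.protocols", "javax.net.ssl.trustStore",
                "javax.net.ssl.trustStoreType"}) {
            System.out.println(prop + " = " + System.getProperty(prop));
        }

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // default key managers, trust managers, RNG
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters enabled = ctx.getDefaultSSLParameters();
        dump("Supported protocols", supported.getProtocols());
        dump("Enabled protocols", enabled.getProtocols());
        dump("Supported cipher suites", supported.getCipherSuites());
        dump("Enabled cipher suites", enabled.getCipherSuites());
    }
}
```

A suite that appears under "Supported" but not under "Enabled" on z/OS, or an enabled list with no entry the server accepts, points to JVM configuration rather than to the truststore.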



  • 3.  RE: Connecting to MySql from JAVA on z/OS

    Posted Tue October 05, 2021 05:33 PM
    Thanks Magnus! This is all good information and I appreciate the effort to put it together. I am working through it.

    ------------------------------
    Benny Ormson
    ------------------------------