HIS 2010 - Ignore Server Certificate in TN3270 Connection

  • Question

  • Hello, good afternoon.

    I'm building a Session Integrator solution that will connect to the mainframe using the TN3270 connection type.

    The mainframe is currently using a server certificate to secure the connection, but it's not required to provide a client certificate.

    The Session Integrator API allows opening a connection without providing a client certificate, but is there a way to ignore the validation of the server certificate? When I try to open a connection, a server certificate exception is thrown because I can't validate the certificate.

    Thank you.

    Best regards.

    Thursday, October 25, 2012 1:31 PM

All replies

  • Can you provide details on how you have the Session Integrator connection string configured as well as the specific error that you are getting?

    Thanks...


    Stephen Jackson - MSFT

    Thursday, October 25, 2012 2:07 PM
  • Hello Stephen.

    This is the code that I'm using to establish the connection:

    SessionConnectionDisplay conn = new SessionConnectionDisplay();
    conn.Transport = SessionDisplayTransport.TN3270;
    conn.TN3270Server = "217.73.44.10";
    conn.TN3270Port = 992;                          // secure TN3270 port
    conn.Security = TNSecurity.Tls1;                // TLS 1.0 on the socket
    conn.CertificateCheck = TNCertificateCheck.None; // do not validate the server certificate

    SessionDisplay m_Handler = new SessionDisplay();
    m_Handler.Connect(conn);

    When I try to open the connection, the following exception is thrown:

    Microsoft.HostIntegration.SNA.Session.SessionException: Server certificate check failed.

    Thank you for your help.

    Best regards.

    Thursday, October 25, 2012 2:14 PM
  • I have tried the same scenario and I do not get the "Server certificate check failed" exception.

    I used the following connection information in my test.

    SessionConnectionDisplay conn = new SessionConnectionDisplay();
    conn.Transport = SessionDisplayTransport.TN3270;
    conn.TN3270Server = "our mainframe";            // host name or IP of the TN3270 server
    conn.TN3270Port = 992;
    conn.Security = TNSecurity.Tls1;
    conn.CertificateCheck = TNCertificateCheck.None; // Verified would require the cert in the local store

    SessionDisplay m_Handler = new SessionDisplay();
    m_Handler.Connect(conn);

    If I change TNCertificateCheck.None to TNCertificateCheck.Verified, I get the “Server certificate check failed” as I would expect without having the Cert installed in the local cert store on the HIS Server.

    If you can run the following trace and paste information from the trace file here, I might be able to see something to determine what might be happening.

    - On the HIS Server running Session Integrator, run snatrace.exe.
    - Click the Tracing Global Properties tab.
    - Enable the "Allow HIS Administrators to perform tracing" option.
    - Click Apply.
    - Click the Trace Items tab.
    - Highlight Session Integrator Server and then click Properties.
    - Click "Set All" on the Internal Trace tab.
    - Click OK.
    - Minimize the SNA Trace Utility window.
    - Reproduce the problem.
    - Restore the SNA Trace Utility window and click "Clear All Traces" to turn off the tracing.
    - Go to the C:\Program Files\Microsoft Host Integration Server 2010\traces folder (default trace location for HIS 2010).
    - Double-click the sisint1.atf trace file to open it in the HIS Trace Viewer.
    - Search for the following:

    Look for CERTIFICATE property

    Highlight and copy all of the trace data from the above line to the following, which is what I see when I created the exception:

    Error 0x80090325 returned by InitializeSecurityContext
    SSL Handshake failed - aborting session.
    Return session failure for devno 0
    Close socket

    This trace data may help show me what is happening to cause the error you are seeing.

    Thanks...


    Stephen Jackson - MSFT

    Thursday, October 25, 2012 9:54 PM
  • Hello Stephen.

    I have used your connection information:

    SessionConnectionDisplay conn = new SessionConnectionDisplay();
    conn.Transport = SessionDisplayTransport.TN3270;
    conn.TN3270Server = "217.73.44.10";
    conn.TN3270Port = 992;
    conn.Security = TNSecurity.Tls1;
    conn.CertificateCheck = TNCertificateCheck.None;

    But the error shows again.

    I've captured the trace:

    Look for CERTIFICATE property
    Compare CERTIFICATE with DEVICENAME
    CERTIFICATE < DEVICENAME, giving up
    Property CERTIFICATE not known
    Could not access Certificate property for TCP Session - assume None
    Using Certificate Option Value 0
    Look for IP property
    Compare IP with DEVICENAME
    Compare IP with IP
    Found match at 00000000006171E0
    Returning hr = 0x0
    Using IP address 217.73.44.10
    Look for PORT property
    Compare PORT with DEVICENAME
    Compare PORT with IP
    Compare PORT with MODE
    Compare PORT with PORT
    Found match at 0000000000617220
    Returning hr = 0x0
    Look for DEVICENAME property
    Compare DEVICENAME with DEVICENAME
    Found match at 0000000000617260
    Returning hr = 0x0
    DeviceName is IBM-3278-2
    Model to extract is 2
    Model in correct range
    Added to SESSION_LIST
    Got i/f 000000000037B028 to client
    Client cookie = 0x30303031, Server cookie = 0xf0f0f0f5
    PERF: Now 1 sessions connected
    Leaving Crit sec at 0000000000617020
    Left Crit sec at 0000000000617020
    Returning hr = 0x0
    Entering Crit sec at 0000000000617020
    Entered Crit sec at 0000000000617020
    Client cookie = 0x30303031, Server cookie = 0xf0f0f0f5
    Got access to data at 00000000003F0950
    Allocate buffer with 4 elts
    BEFORE BUFFER Information: Allocated 113, Free 113 Max: 200000
    GPO_GET::Current Item 00000000015E7000 FP 0000000000007090
    AFTER BUFFER Information: 00000000015E7010 Allocated 113, Free 112 Max: 200000
    BEFORE BUFFER Information: Allocated 105, Free 105 Max: 600000
    GPO_GET::Current Item 00000000023A34E0 FP 0000000000DC3618
    GPO_GET::Current Item 00000000023A3618 FP 0000000000DC33A8
    GPO_GET::Current Item 00000000023A33A8 FP 0000000000DC3270
    GPO_GET::Current Item 00000000023A3270 FP 0000000000DC3138
    AFTER BUFFER Information: 00000000023A34F0 Allocated 105, Free 101 Max: 600000
    HEADER: Allocated buffer 00000000015E7010 allocated-elements=4
    ELEMENTS: Allocated buffer 00000000023A34F0
    Allocated SNAPS buffer with 4 etls at 00000000015E7010
    elt 00000000023A34F0 startd = 1, endd = 40
    elt 00000000023A3628 startd = 1, endd = 24
    elt 00000000023A33B8 startd = 13, endd = 268
    elt 00000000023A3280 startd = 13, endd = 252
    Returning buffer 00000000015E7010
    SSCP session, use I value 0
    Open(SSCP) - set opresid
    FMI State -> FMI_OPENING
    Resource Location
    OPEN SSCP for session 617620
    Time = 1351237276
    Process inbound FMI signal immediately
    sess_fail       = 0
    fmi_state       = 0
    tn_state        = 0
    tn_protocol     = 0
    tn_functions    = 0
    tn_nvt_mode     = 0
    lu_type         = 0
    bracket_state   = 0
    outbnd_in_chain = 0
    inbnd_in_chain  = 0
    OPENMSG: opentype = 1, openqual = 1
    Open SSCP Request
    First attempt to connect to server
    Extracting IP address: 217.73.44.10
    IPv4 address is 217.73.44.10
    Port number is 992
    EXIT
    Do attempt to connect to server
    Attempt to connect to server
    Create socket
    Set OOBINLINE socket option
    Call connect() ...
    ... connect() returned -1
    Connect not immediately successful
    Connect in progress
    EXIT
    Connect OK or running
    Connect in progress
    First in List
    Removed 617620 from list
    Added to CONNECT_LIST
    EXIT
    EXIT
    EXIT
    Time = 1351237276
    EXIT
    Leaving Crit sec at 0000000000617020
    Left Crit sec at 0000000000617020
    Returning hr = 0x0
    Socket not connected yet, read again a bit later...
    Select returned with non-zero return code
    Socket for session 617620 connect complete
    First in List
    Removed 617620 from list
    Added to SESSION_LIST
    Changed lists
    Connect completed
    ClientIOCompletion, extracting parameters:
    Entering Crit sec at 0000000000617020
    Entered Crit sec at 0000000000617020
    Transport is 617620
    dwFlag must be a message - processing and resetting message.Outstanding
    Connect Completed
    Time = 1351237277
    Connecting to server
    Attempt to connect succeeded. Start Security Negotiation.
    Sending Client Hello
    95 bytes of handshake data sent
    EXIT
    Leaving Crit sec at 0000000000617020
    Left Crit sec at 0000000000617020
    Get next Completion
    Call GetQueuedCompletionStatus
    ClientIOCompletion, extracting parameters:
    Entering Crit sec at 0000000000617020
    Entered Crit sec at 0000000000617020
    Transport is 617620
    Completion Key is WRITE
    Time = 1351237277
    WSARecv retcode -1, error 997
    WSARecv called
    EXIT
    Leaving Crit sec at 0000000000617020
    Left Crit sec at 0000000000617020
    Get next Completion
    Call GetQueuedCompletionStatus
    ClientIOCompletion, extracting parameters:
    Entering Crit sec at 0000000000617020
    Entered Crit sec at 0000000000617020
    Transport is 617620
    Completion Key is READ - update receive buffer
    bytes received 4080
    Time = 1351237277
    4080 total bytes of handshake data received
    Error 0x80090318 returned by InitializeSecurityContext
    SSL Handshake failed - aborting session.
    Return session failure for devno 0
    Close socket
    EXIT

    Thank you very much.

    Regards

    Friday, October 26, 2012 8:22 AM
  • In looking at the trace data, you are getting error 0x80090318, which is SEC_E_INCOMPLETE_MESSAGE. This error indicates that the entire message has not been read. It appears that we handle this scenario and are supposed to go back and issue another read to read the rest of the data, but that appears like it isn't happening in your case.

    You indicated that you are using HIS 2010, but have you applied any updates, such as any of the five cumulative updates that we have released?

    It doesn't appear that we have released any fixes for Session Integrator related to SSL, but I'd like to know the exact version you are running. Can you get the file version for siserver.exe on your system?

    Thanks...


    Stephen Jackson - MSFT

    Monday, October 29, 2012 9:41 PM
  • Hello Stephen.

    I believe I have installed the latest Cumulative update for HIS 2010 (CU5).

    The file version of the SIServer.exe file is: 8.5.4600.2

    I've checked the connectivity with the mainframe with an external product (QWS3270) and it works correctly when setting the IP and port, so I don't know what I'm doing wrong with the Session Integrator API.

    Thanks.

    Monday, October 29, 2012 10:24 PM
  • I don't believe that you are doing anything wrong. I tried the same thing and it works for me. The difference that I see is that your mainframe is sending 4080 bytes of handshake data whereas in my case, our mainframe is only sending 1586 bytes at the same point in the process.

    I'm not sure if this is the problem or not.

    You might want to open a support case so that we can get a look at a matching set of Session Integrator and network traces. The network trace will show us the TN3270 data that is being sent between the two systems.

    This configuration should be working.

    Thanks...


    Stephen Jackson - MSFT

    Tuesday, October 30, 2012 1:39 PM
  • Hello Stephen.

    We are following your recommendations and a support case has been opened with Microsoft Spain for this issue.

    Thank you very much for your help.

    Regards.

    Wednesday, October 31, 2012 12:03 PM
  • We will be on the lookout for the support case.

    Thanks...


    Stephen Jackson - MSFT

    Wednesday, October 31, 2012 4:05 PM
  • Just to update anyone interested in this issue, we found and fixed a HIS 2010 bug that caused the problem described here. The problem occurred when the certificate was large enough (4080 bytes in this case) to come across the network in multiple network packets that required multiple TCP/IP reads. Session Integrator was not correctly handling this scenario and failed to read all of the data for the certificate.

    A fix has been released and will be included in the next HIS 2010 cumulative update.


    Stephen Jackson - MSFT

    Friday, November 16, 2012 9:35 PM
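    The reassembly failure Stephen describes (the server's Certificate handshake record arriving across more than one TCP read, so a single read sees only 4080 of its bytes), as an added Python illustration that is not part of this thread or of Session Integrator: a TLS record parser that reports when a record is still incomplete, a client that gives up after one read (the behaviour in the trace above) beside one that keeps reading until the record is whole. The 5000-byte dummy certificate and the 4080-byte first chunk are constructed values.

```python
import struct

TLS_HEADER_LEN = 5      # content type (1) + protocol version (2) + length (2)
CT_HANDSHAKE = 0x16     # TLS record type "handshake"
HS_CERTIFICATE = 11     # handshake message type "Certificate"


def split_records(buf):
    """Parse every complete TLS record at the front of buf.
    Returns (records, remainder): records is a list of (content_type, payload),
    remainder is the start of a record whose declared length has not arrived yet
    (the situation SChannel reports as SEC_E_INCOMPLETE_MESSAGE)."""
    records, off = [], 0
    while len(buf) - off >= TLS_HEADER_LEN:
        ctype, _ver, length = struct.unpack("!BHH", buf[off:off + TLS_HEADER_LEN])
        if len(buf) - off - TLS_HEADER_LEN < length:
            break                                   # header promises more bytes
        records.append((ctype, buf[off + TLS_HEADER_LEN:off + TLS_HEADER_LEN + length]))
        off += TLS_HEADER_LEN + length
    return records, buf[off:]


def single_read_client(recv):
    """Faulty pattern: one read, then abort if no full record is present."""
    records, rest = split_records(recv())
    if not records:
        raise ConnectionError("SSL handshake failed - incomplete message after one read")
    return records, rest, 1


def looping_client(recv):
    """Fixed pattern: on an incomplete record, read again and re-parse."""
    buf, reads = b"", 0
    while True:
        chunk = recv()
        reads += 1
        if not chunk:
            raise ConnectionError("peer closed the socket mid-record")
        buf += chunk
        records, rest = split_records(buf)
        if records:
            return records, rest, reads


def make_certificate_record(cert_len):
    """Build a TLS 1.0 handshake record carrying a Certificate message whose
    single certificate is cert_len bytes of constructed dummy DER."""
    cert = b"\x30" + bytes(cert_len - 1)
    certs = struct.pack("!I", len(cert))[1:] + cert            # 24-bit length prefix
    body = struct.pack("!I", len(certs))[1:] + certs           # certificate_list
    msg = bytes([HS_CERTIFICATE]) + struct.pack("!I", len(body))[1:] + body
    return struct.pack("!BHH", CT_HANDSHAKE, 0x0301, len(msg)) + msg


def chunked(data, sizes):
    """recv() stand-in that returns data in the given chunk sizes, then b''."""
    pieces = [data[sum(sizes[:i]):sum(sizes[:i + 1])] for i in range(len(sizes))]
    it = iter(pieces)
    return lambda: next(it, b"")
```

    The read loop is independent of the CertificateCheck setting: with TNCertificateCheck.None the certificate is not validated against the local store, but it still has to be received in full before the handshake can continue, which is why None alone did not avoid the failure in this thread.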
  • Stephen,

    Hey, I do have a question regarding these HIS updates that get released periodically.

    How do we know whether there are any new cumulative updates available or not? Or how many cumulative updates have been released so far?

    Are there any alert messages that we can set up to receive? Or

    does corporate infrastructure have to keep in touch with the HIS forums for that? Or

    will updates come with the regular patching cycle every month?

    Thanks,

    Nick

    Sunday, November 18, 2012 1:54 AM
  • I try to make sure that I announce the availability of HIS cumulative updates on my blog at http://blogs.msdn.com/b/sjackson/ as well as on the HIS MSDN Dev Center page at http://msdn.microsoft.com/en-us/biztalk/hh441721.

    HIS 2009 and 2010 CUs are usually released every 3 - 4 months. HIS 2010 CU5 was released at the end of August and HIS 2010 CU6 should be released within the next 1 - 2 weeks.

    Thanks...


    Stephen Jackson - MSFT

    Monday, November 19, 2012 3:51 PM