CZA0831I Unsecured connection messages are being generated even though a standard TLS connection is established. What do they mean?
Here is an example of a CZA0831I message:

    CZA0831I Unsecured connection established to MYSIEM.SERVER.COM:8888

The CZA0831I message is documented as:

    CZA0831I Unsecured connection established to hostname
    Explanation: An unsecured connection was established.
    User response: No action is required.

IBM's 'strategic direction' is to utilize AT-TLS. IBM’s AT-TLS (Application Transparent Transport Layer Security) creates a secure session in z/OS on behalf of an application. Instead of implementing TLS in every application that requires a secure connection, AT-TLS provides encryption and decryption of data based on policy statements that are coded in a z/OS Policy Agent. The application sends and receives cleartext (unencrypted data) as usual, while AT-TLS encrypts and decrypts data at the TCP transport layer.

The BMC AMI Datastream for z/OS product supports both AT-TLS and “standard” TLS, with parameters specified as shown in the following SERVER statement:

    SERVER MYSIEM.SERVER.COM:8888 TRANS(TLS) +
      TLS(KEYR(MYRACF_KEYRING) LABEL('MYRACF_CERT_LABEL')) +
      MAXMSG(2000)

In following IBM's strategic direction, BMC added the CZA0831I message to the BMC AMI Datastream for z/OS product when support was added for AT-TLS. Unfortunately, the message is very misleading when a 'standard' TLS connection is being utilized. The product checks an internal 'TTLS_CONN_SECURE' flag, which ONLY applies to AT-TLS. If a customer defines a standard TLS connection, and the connection is successfully established at startup, then the connection is indeed secure. The CZA0831I message indicates that the connection is not AT-TLS secured.

Therefore, for standard TLS connections, the CZA0831I message may be safely ignored. Also, due to its potential to confuse users, the CZA0831I message is expected to be removed in a future maintenance release.

If you have any questions or continuing issues after reviewing the content of this article, please open a case with BMC Support.
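The guidance above, that CZA0831I may be ignored for standard TLS connections, can be applied per destination instead of suppressing the message everywhere. The following is an added example, not BMC code: it reads SERVER statements and marks a CZA0831I line as ignorable only when its destination is configured with TRANS(TLS). The second SERVER statement, the log lines, the function names, the case-insensitive host match and the "review" verdict for destinations without TRANS(TLS) are assumptions made for the illustration.

```python
import re

# Constructed sample input. The first SERVER statement is the one shown in the
# article; the second destination and all log lines are made up for the demo.
CONFIG = """\
SERVER MYSIEM.SERVER.COM:8888 TRANS(TLS) +
  TLS(KEYR(MYRACF_KEYRING) LABEL('MYRACF_CERT_LABEL')) +
  MAXMSG(2000)
SERVER OTHER.EXAMPLE.COM:514 MAXMSG(2000)
"""
LOG = """\
CZA0831I Unsecured connection established to MYSIEM.SERVER.COM:8888
CZA0831I Unsecured connection established to OTHER.EXAMPLE.COM:514
CZA0831I Unsecured connection established to mysiem.server.com:8888
"""

SERVER_RE = re.compile(r"^SERVER\s+(\S+)(.*)$", re.IGNORECASE)
TRANS_TLS_RE = re.compile(r"\bTRANS\(\s*TLS\s*\)", re.IGNORECASE)
MSG_RE = re.compile(r"\bCZA0831I Unsecured connection established to (\S+)")


def tls_destinations(config_text):
    """HOST:PORT targets (upper-cased) whose SERVER statement has TRANS(TLS)."""
    # Fold lines ending in the '+' continuation character into one statement.
    joined = re.sub(r"\s*\+[ \t]*\n\s*", " ", config_text)
    found = set()
    for stmt in joined.splitlines():
        m = SERVER_RE.match(stmt.strip())
        if m and TRANS_TLS_RE.search(m.group(2)):
            found.add(m.group(1).upper())
    return found


def triage(log_text, config_text):
    """Return (destination, verdict) for every CZA0831I line in the log.

    "ignore": standard TLS is configured, so the message only reflects that
              the session is not AT-TLS secured (per the article).
    "review": no TRANS(TLS) found for the destination (assumed to need a
              check that AT-TLS policy or TLS is really in place).
    """
    tls = tls_destinations(config_text)
    results = []
    for m in MSG_RE.finditer(log_text):
        dest = m.group(1).upper()  # assumption: host names compare case-insensitively
        results.append((dest, "ignore" if dest in tls else "review"))
    return results
```
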