CA Mainframe Software Manager r3 - Error: An error occurred trying to connect to Support Online.

Document ID : KB000051015
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

Under certain environments it is possible to experience the following problem in the CA Mainframe Software Manager UI when attempting an action from the Software Catalog that tries to access CA Support Online (CA SO).

 
 Error: An error occured trying to connect to CA Support Online.
 java.net.SocketException: java.security.NoSuchAlgorithmException: SSLContext
 Default implementation not found:

When viewing the CA Mainframe Software Manager tomcat log you will see a message like:

DEBUG .....  (ConsumeSC.java:106): IO Error was detected during PAS processing. ... 
java.security. NoSuchAlgorithmException: SSLContext Default implementation not found:

Solution:

This error is related to the java runtime security for SSL connections.

In the CA Mainframe Software Manager runtime data set SAMPLIB(MSMLIB), note the USS path specified for "export JAVA_HOME=".
Using this as the parent directory, locate the lib/security subdiretory in USS. There is a java.security file with a section header "List of providers and their preference orders (see above).". This section should closely resemble these entries:

 
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.8=org.apache.harmony.security.provider.PolicyProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
 

If you notice an entry that is similar to the following:

security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
then you may have implemented a hardware ICSF keystore as the default keystore for the java runtime.

If you want to determine if this is the case, edit the MSMLIB member to add an option which dumps keystore information:

-Djavax.net.debug=true
 

After restarting the CA Mainframe Software Manager Tomcat server, look for an output line like:

keyStore type is: jks

"jks" is the default keystore with which CA Mainframe Software Manager will successfully establish http SSL connections.

If you see a keyStore.type=jceccaks, that is indicative of a hardware ICSF keystore and most likely the root cause of the exception logged in CA Mainframe Software Manager.

The jceccaks keystore type may have been implemented with IBM EKM tape encryption.

To change the default keyStore back to "jks", please consult your z/OS system programmer.

Additional references:

 ftp://public.dhe.ibm.com/s390/java/jsse/JSSEzOSRefGuide.html
 http://www-03.ibm.com/systems/z/os/zos/tools/java/faq/javasecurityfaq.html
 http://www.redbooks.ibm.com/redbooks/pdfs/sg247610.pdf