After configuring TLS for SAS 9.4 Maintenance 8 or 9—SAS® 9.4M8 (TS1M8) or SAS 9.4M9—on IBM z/OS, SAS components (such as SAS/CONNECT® or SAS/SHARE®) or the SAS Object Spawner might fail to start or accept connections.
This issue occurs when you configure the system to use TLS 1.3 with IBM System SSL. Although TLS 1.3 is documented as available starting with SAS 9.4 M8 and SAS 9.4M9, it does not function reliably for all z/OS deployments. In particular, TLS 1.3 can fail when SAS connects to servers that use TLS session tickets, which are commonly enabled in many environments.
As a result, TLS‑enabled SAS servers on z/OS might fail during start-up or during client connection attempts when TLS 1.3 is negotiated.
This issue might occur if all of the following are true:
In customer testing and internal analysis, switching the environment to use TLS 1.2 resolves these failures.
TLS 1.3 on z/OS is subject to IBM System SSL behavior with TLS session tickets. When a server sends session tickets, SAS TLS connections over TLS 1.3 might fail. This issue is a known limitation and affects SAS TLS communications that rely on IBM System SSL under these conditions.
Because of this limitation, TLS 1.3 is not considered generally supported or reliable for SAS 9.4M8 or SAS9.4M9 on z/OS except in constrained scenarios. (For example, z/OS‑to‑z/OS connections where session tickets are not used.)
To work around this issue, SAS recommends forcing the use of TLS 1.2 on z/OS by explicitly disabling TLS 1.3 in IBM System SSL using environment variables.
Set the following variables in the environment used to start SAS. (For example, in //TKMVSENV, TKMVSENV_USRMODS, or the controlling JCL.)
GSK_PROTOCOL_TLSV1_3=GSK_PROTOCOL_TLSV1_3_OFF
GSK_PROTOCOL_TLSV1_2=GSK_PROTOCOL_TLSV1_2_ON
These settings instruct IBM System SSL to do the following:
After applying these variables, restart the affected SAS servers.
After you apply the workaround, the following should occur: