IBM Support

PI06257: DFHAM4955E INSTALL OF URIMAP FAILED BECAUSE USER DOES NOT HAVE AUTHORITY TO ACCESS THE SPECIFIED CERTIFICATE.

A fix is available


APAR status

  • Closed as program error.

Error description

  • Once you migrate to CICS TS 5.1, your URIMAP used for
    EXEC CICS WEB client API calls no longer installs successfully.
    You receive message DFHAM4955 E Install of URIMAP failed
    because user does not have authority to access the specified
    certificate.
    .
    WB 0900 WBUR  ENTRY - FUNCTION(ADD_REPLACE_URIMAP)
    XS 0B01 XSCT  ENTRY - FUNCTION(INQUIRE_CERTIFICATE)
    XS FE01 XSSE  ENTRY - FUNCTION(VALIDATE_CERTIFICATE_LABEL)
    XS FE04 XSSE  *EXC* - FUNCTION(VALIDATE_CERTIFICATE_LABEL)
                            RESPONSE(EXCEPTION) REASON(NOTAUTH)
                            SAF_RESPONSE(8) SAF_REASON(0)
                            ESM_RESPONSE(10) ESM_REASON(8)
    XS 0B02 XSCT  EXIT -  FUNCTION(INQUIRE_CERTIFICATE) RESPONSE(OK)
                      SAF_RESPONSE(8) ESM_RESPONSE(10) ESM_REASON(4)
                          USAGE() STATUS(UNREGISTERED)
    
    
    NOTE: This APAR also applies to any resource that has a
    CERTIFICATE attribute, such as a TCPIPService, CORBAServer or
    IPCONN.
    .
    Additional Symptom(s) Search Keyword(s): KIXREVxxx
    

Local fix

  • A workaround for non-SITE certificates is to give the region
    userid READ access to IRR.DIGTCERT.LIST.
    In the case where the certificate in question is a SITE
    certificate, the region userid will need to have CONTROL
    authority to profile IRR.DIGTCERT.GENCERT in CLASS FACILITY.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS Users.                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: Install of URIMAP incorrectly fails     *
    *                      with message DFHAM4955 ('Install of     *
    *                      URIMAP failed because user does not     *
    *                      have authority to access the specified  *
    *                      certificate.')                          *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    A URIMAP is installed specifying a certificate. DFHAMWB calls
    DFHWBUR for ADD_REPLACE_URIMAP, and this in turn calls DFHXSCT
    for INQUIRE_CERTIFICATE to verify the certificate.
    DFHXSCT calls DFHXSSE for VALIDATE_CERTIFICATE_LABEL, but
    this fails with a NOTAUTH because the user does not have
    access to IRR.DIGTCERT.LIST. The NOTAUTH reason code is
    passed back to DFHAMWB and results in the reported message
    DFHAM4955.
    However, the call to validate the certificate label is made only
    to help refine the error reporting if the subsequent call
    to RACF to obtain the certificate and private key should fail;
    it is no indication of whether the certificate is valid.
    In this case the certificate is valid and the subsequent
    call to RACF (IRRSDL00) would have returned the required
    certificate and private key.
    Code added for FIN APAR PM61957 incorrectly assumes that
    an error returned by DFHXSSE for VALIDATE_CERTIFICATE_LABEL
    always means that the certificate is invalid.
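
The following triage script is an added example, not IBM code: it parses an abbreviated trace excerpt like the one in the error description and flags the DFHXSSE exception that this APAR describes (VALIDATE_CERTIFICATE_LABEL refused with NOTAUTH). The trace layout it assumes (a header line followed by indented continuation lines of KEY(VALUE) fields) is inferred only from the lines quoted on this page, and the function names are hypothetical.

```python
import re

# Abbreviated trace excerpt as quoted in this APAR's error description.
TRACE = """\
WB 0900 WBUR  ENTRY - FUNCTION(ADD_REPLACE_URIMAP)
XS 0B01 XSCT  ENTRY - FUNCTION(INQUIRE_CERTIFICATE)
XS FE01 XSSE  ENTRY - FUNCTION(VALIDATE_CERTIFICATE_LABEL)
XS FE04 XSSE  *EXC* - FUNCTION(VALIDATE_CERTIFICATE_LABEL)
                        RESPONSE(EXCEPTION) REASON(NOTAUTH)
                        SAF_RESPONSE(8) SAF_REASON(0)
                        ESM_RESPONSE(10) ESM_REASON(8)
XS 0B02 XSCT  EXIT -  FUNCTION(INQUIRE_CERTIFICATE) RESPONSE(OK)
                  SAF_RESPONSE(8) ESM_RESPONSE(10) ESM_REASON(4)
                      USAGE() STATUS(UNREGISTERED)
"""

# Assumed header layout: domain, trace point, module, entry type, then fields.
HEAD = re.compile(
    r"^\s*([A-Z]{2})\s+([0-9A-F]{4})\s+(\w+)\s+(ENTRY|EXIT|\*EXC\*)\s*-\s*(.*)$")
FIELD = re.compile(r"(\w+)\(([^)]*)\)")

def parse_trace(text):
    """Group each header line with its continuation lines; extract KEY(VALUE) fields."""
    entries = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            domain, point, module, kind, rest = m.groups()
            entries.append({"domain": domain, "point": point, "module": module,
                            "kind": kind, "fields": dict(FIELD.findall(rest))})
        elif entries and line.strip():
            # Continuation line: its fields belong to the most recent header.
            entries[-1]["fields"].update(FIELD.findall(line))
    return entries

def find_label_check_denials(entries):
    """Return XSSE exception entries where the label check was refused (NOTAUTH)."""
    return [e for e in entries
            if e["module"] == "XSSE" and e["kind"] == "*EXC*"
            and e["fields"].get("FUNCTION") == "VALIDATE_CERTIFICATE_LABEL"
            and e["fields"].get("REASON") == "NOTAUTH"]

if __name__ == "__main__":
    for hit in find_label_check_denials(parse_trace(TRACE)):
        f = hit["fields"]
        print(f"{hit['module']} {hit['point']}: NOTAUTH on certificate label check, "
              f"SAF_RESPONSE={f['SAF_RESPONSE']} ESM_RESPONSE={f['ESM_RESPONSE']} "
              f"ESM_REASON={f['ESM_REASON']}")
```

A hit on an unpatched CICS TS 5.1 region points at the region userid's access to IRR.DIGTCERT.LIST rather than at a defective certificate.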
    

Problem conclusion

  • DFHXSCT has been changed to tolerate an error response from
    a call to DFHXSSE for VALIDATE_CERTIFICATE_LABEL.
    The explanation for message DFHAM4928 in the
    CICS Transaction Server for z/OS Version 5 Release 1
    CICS Messages and Codes Vol 1 manual GC34-2861-00
    will be updated as follows:
    The explanatory insert 'does not have a private key' will
    be altered to say:
    
    The specified certificate does not have a private key.
    SSL with client authentication is only possible if you
    have a private key associated with the certificate. This
    error may occur if the user does not have access to the private
    key due to a lack of authority to access IRR.DIGTCERT.GENCERT.
    
    The user response will be updated to say:
    
    Replace the certificate in the keyring with one that is usable,
    or specify a different certificate.
    For a message insert of 'does not have a private key' check
    the system log for RACF messages that indicate a lack of
    authority to access IRR.DIGTCERT.GENCERT.
    

Temporary fix

  • FIX AVAILABLE BY PTF ONLY
    

Comments

APAR Information

  • APAR number

    PI06257

  • Reported component name

    CICS TS Z/OS V5

  • Reported component ID

    5655Y0400

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / Pervasive

  • Submitted date

    2013-11-14

  • Closed date

    2014-03-14

  • Last modified date

    2015-10-27

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI16182

Modules/Macros

  • DFHMEAME DFHXSCT
    

Publications Referenced
GC34286100    

Fix information

  • Fixed component name

    CICS TS Z/OS V5

  • Fixed component ID

    5655Y0400

Applicable component levels

  • R800 PSY UI16182

       UP14/03/27 P F403

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
27 October 2015