A fix is available
APAR status
Closed as program error.
Error description
Once you migrate to CICS TS 5.1, your URIMAP used for EXEC CICS WEB client API calls no longer installs successfully. You receive message:

DFHAM4955 E Install of URIMAP failed because user does not have authority to access the specified certificate.

WB 0900 WBUR ENTRY - FUNCTION(ADD_REPLACE_URIMAP)
XS 0B01 XSCT ENTRY - FUNCTION(INQUIRE_CERTIFICATE)
XS FE01 XSSE ENTRY - FUNCTION(VALIDATE_CERTIFICATE_LABEL)
XS FE04 XSSE *EXC* - FUNCTION(VALIDATE_CERTIFICATE_LABEL) RESPONSE(EXCEPTION) REASON(NOTAUTH) SAF_RESPONSE(8) SAF_REASON(0) ESM_RESPONSE(10) ESM_REASON(8)
XS 0B02 XSCT EXIT - FUNCTION(INQUIRE_CERTIFICATE) RESPONSE(OK) SAF_RESPONSE(8) ESM_RESPONSE(10) ESM_REASON(4) USAGE() STATUS(UNREGISTERED)

NOTE: This APAR also applies to any resource that has a CERTIFICATE attribute, such as a TCPIPService, CORBAServer or IPCONN.

Additional Symptom(s) Search Keyword(s): KIXREVxxx
Local fix
A workaround (for non-SITE certificates) is to give the region userid READ access to IRR.DIGTCERT.LIST. In the case where the certificate in question is a SITE certificate, the region userid will need to have CONTROL authority to profile IRR.DIGTCERT.GENCERT in CLASS FACILITY.
Problem summary
USERS AFFECTED: All CICS Users.

PROBLEM DESCRIPTION: Install of URIMAP incorrectly fails with message DFHAM4955 ('Install of URIMAP failed because user does not have authority to access the specified certificate.')

RECOMMENDATION:

A URIMAP is installed specifying a certificate. DFHAMWB calls DFHWBUR for ADD_REPLACE_URIMAP, which in turn calls DFHXSCT for INQUIRE_CERTIFICATE to verify the certificate. DFHXSCT calls DFHXSSE for VALIDATE_CERTIFICATE_LABEL, but this fails with NOTAUTH because the user does not have access to IRR.DIGTCERT.LIST. The NOTAUTH reason code is passed back to DFHAMWB and results in the reported message DFHAM4955.

However, the call to validate the certificate label is done only to help refine the error reporting if the subsequent call to RACF to obtain the certificate and private key should fail. It is no indication of whether the certificate is valid or not. In this case the certificate is valid, and the subsequent call to RACF (IRRSDL00) would have returned the required certificate and private key.

Code added for FIN APAR PM61957 incorrectly assumes that an error returned by DFHXSSE for VALIDATE_CERTIFICATE_LABEL always means that the certificate is invalid.
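As an added example (not IBM code and not part of the APAR text), the sketch below parses the abbreviated trace entries quoted in the error description and checks for the pattern this summary describes: a NOTAUTH exception from VALIDATE_CERTIFICATE_LABEL raised inside an INQUIRE_CERTIFICATE call. The one-entry-per-line layout and the names `parse_trace` and `matches_symptom` are assumptions made for the example.

```python
import re

# Trace entries copied from the error description; the line breaks are assumed.
SAMPLE_TRACE = """\
WB 0900 WBUR ENTRY - FUNCTION(ADD_REPLACE_URIMAP)
XS 0B01 XSCT ENTRY - FUNCTION(INQUIRE_CERTIFICATE)
XS FE01 XSSE ENTRY - FUNCTION(VALIDATE_CERTIFICATE_LABEL)
XS FE04 XSSE *EXC* - FUNCTION(VALIDATE_CERTIFICATE_LABEL) RESPONSE(EXCEPTION) REASON(NOTAUTH) SAF_RESPONSE(8) SAF_REASON(0) ESM_RESPONSE(10) ESM_REASON(8)
XS 0B02 XSCT EXIT - FUNCTION(INQUIRE_CERTIFICATE) RESPONSE(OK) SAF_RESPONSE(8) ESM_RESPONSE(10) ESM_REASON(4) USAGE() STATUS(UNREGISTERED)
"""

# "<domain> <point id> <module> <ENTRY|EXIT|*EXC*> - KEY(VALUE) KEY(VALUE) ..."
ENTRY_RE = re.compile(r"^(\w{2}) ([0-9A-F]{4}) (\w+) (ENTRY|EXIT|\*EXC\*) - (.*)$")
FIELD_RE = re.compile(r"(\w+)\(([^)]*)\)")


def parse_trace(text):
    """Return one dict per trace entry: domain, point id, module, kind, fields."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not an abbreviated trace entry
        domain, point, module, kind, rest = m.groups()
        entries.append({"domain": domain, "point": point, "module": module,
                        "kind": kind, "fields": dict(FIELD_RE.findall(rest))})
    return entries


def matches_symptom(entries):
    """True if VALIDATE_CERTIFICATE_LABEL raises a NOTAUTH exception between
    the ENTRY and EXIT of an INQUIRE_CERTIFICATE call."""
    inside = False
    for e in entries:
        func = e["fields"].get("FUNCTION")
        if e["module"] == "XSCT" and func == "INQUIRE_CERTIFICATE":
            inside = e["kind"] == "ENTRY"
        elif (inside and e["module"] == "XSSE" and e["kind"] == "*EXC*"
              and func == "VALIDATE_CERTIFICATE_LABEL"
              and e["fields"].get("REASON") == "NOTAUTH"):
            return True
    return False


if __name__ == "__main__":
    print("matches APAR symptom:", matches_symptom(parse_trace(SAMPLE_TRACE)))
```

A match only shows that the trace is consistent with the symptom reported here; whether the region userid lacks access to IRR.DIGTCERT.LIST still has to be confirmed in RACF.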
Problem conclusion
DFHXSCT has been changed to tolerate an error response from a call to DFHXSSE for VALIDATE_CERTIFICATE_LABEL.

The explanation for message DFHAM4928 in the CICS Transaction Server for z/OS Version 5 Release 1 CICS Messages and Codes Vol 1 manual GC34-2861-00 will be updated as follows:

The explanatory insert 'does not have a private key' will be altered to say:

The specified certificate does not have a private key. SSL with client authentication is only possible if you have a private key associated with the certificate. This error may occur if the user does not have access to the private key due to a lack of authority to access IRR.DIGTCERT.GENCERT.

The user response will be updated to say:

Replace the certificate in the keyring with one that is usable, or specify a different certificate. For a message insert of 'does not have a private key' check the system log for RACF messages that indicate a lack of authority to access IRR.DIGTCERT.GENCERT.
Temporary fix
FIX AVAILABLE BY PTF ONLY
Comments
APAR Information
APAR number
PI06257
Reported component name
CICS TS Z/OS V5
Reported component ID
5655Y0400
Reported release
800
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / Pervasive
Submitted date
2013-11-14
Closed date
2014-03-14
Last modified date
2015-10-27
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI16182
Modules/Macros
DFHMEAME DFHXSCT
GC34286100
Fix information
Fixed component name
CICS TS Z/OS V5
Fixed component ID
5655Y0400
Applicable component levels
R800 PSY UI16182 UP14/03/27 P F403
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
27 October 2015