A fix is available
APAR status
Closed as program error.
Error description
A valid certificate has been imported into RACF and added to a keyring. When a URIMAP is installed using that certificate CICS rejects it with message DFHAM4889.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All CICS Users.                              *
****************************************************************
* PROBLEM DESCRIPTION: Message "DFHAM4889 E Install of URIMAP  *
*                      xxxxxx failed because CERTIFICATE       *
*                      yyyyyy is invalid." incorrectly issued  *
*                      by CICS.                                *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
A URIMAP resource definition has been defined specifying a CERTIFICATE. DFHWBUR processes the URIMAP and calls DFHXSCT for INQUIRE_CERTIFICATE. This validates the certificate with RACF and then searches through it to find the DER encoded distinguished name. Having found the name, it then searches within it for the RDN (Relative Distinguished Name) subfields. Each subfield is described by a universal tag which defines the type of subfield, followed by a length and then the value. DFHXSCT steps through the RDNs picking out the values that it requires. It expects the subfields to appear in the order SET, SEQUENCE, OID, string value. However, this certificate has two SEQUENCE subfields within a SET. This is valid, but DFHXSCT does not expect it and incorrectly rejects the certificate with an EXCEPTION response and a reason code of CERTIFICATE_INVALID. This results in message DFHAM4889E being issued even though the certificate is valid.
Problem conclusion
DFHXSCT has been altered to loop through the SEQUENCE fields within a SET tag.
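The tag/length/value walk described above, as an added Python illustration; it is not IBM code and does not reproduce DFHXSCT. The function names, the `one_sequence_per_set` switch (an assumed model of the pre-fix expectation) and the sample name are constructed for this example.

```python
SEQUENCE, SET, OID, PRINTABLE = 0x30, 0x31, 0x06, 0x13
ATTR = {"550403": "CN", "55040a": "O", "55040b": "OU"}  # DER bodies of OIDs 2.5.4.x

def tlv(tag, value):  # encoder for the sample only: short-form lengths
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos):  # decode the TLV at pos -> (tag, value, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("TLV overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value, pos=0):
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def parse_name(der, one_sequence_per_set=False):
    """Return the Name as a list of RDNs, each a list of (attribute, value)."""
    tag, body, _ = read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("Name is not a SEQUENCE")
    rdns = []
    for tag, rdn in children(body):
        if tag != SET:
            raise ValueError("RDN is not a SET")
        seqs = list(children(rdn))
        if not seqs or (one_sequence_per_set and len(seqs) != 1):
            raise ValueError("CERTIFICATE_INVALID")  # assumed model of the pre-fix check
        rdns.append([])
        for tag, seq in seqs:  # visit every SEQUENCE inside the SET
            parts = list(children(seq)) if tag == SEQUENCE else []
            if len(parts) != 2 or parts[0][0] != OID:
                raise ValueError("malformed AttributeTypeAndValue")
            oid, text = parts[0][1].hex(), parts[1][1].decode("utf-8")
            rdns[-1].append((ATTR.get(oid, oid), text))
    return rdns

def atv(oid_hex, text):  # builds one constructed AttributeTypeAndValue
    return tlv(SEQUENCE, tlv(OID, bytes.fromhex(oid_hex)) + tlv(PRINTABLE, text.encode()))

SAMPLE = tlv(SEQUENCE, tlv(SET, atv("55040a", "Example"))  # constructed: O=Example,
             + tlv(SET, atv("55040b", "Ops") + atv("550403", "host1")))  # OU=Ops+CN=host1
```

`parse_name(SAMPLE)` returns both attributes of the second RDN, while `parse_name(SAMPLE, one_sequence_per_set=True)` rejects the same valid name.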
Temporary fix
FIX AVAILABLE BY PTF ONLY
Comments
APAR Information
APAR number
PI07102
Reported component name
CICS TS Z/OS V5
Reported component ID
5655Y0400
Reported release
800
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2013-11-28
Closed date
2013-12-17
Last modified date
2015-03-05
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI13700
Modules/Macros
DFHXSCT
Fix information
Fixed component name
CICS TS Z/OS V5
Fixed component ID
5655Y0400
Applicable component levels
R800 PSY UI13700
UP13/12/28 P F312
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
05 March 2015