IBM Support

PI12196: MAKING A WEBSERVICE CALL USING MESSAGE ENCRYPTION FAILS WITH A SECURITY SOAP FAULT.

A fix is available


APAR status

  • Closed as program error.

Error description

  • Developing some application code to show a java application in
    WebSphere App Server ( WAS ) V8.5.5 on my Windows PC doing a Web
    Service call to CICS on a z/OS LPAR using Message Encryption.
    .
    Attempting to use the following Method:
    .
    Method: WAS supplies a standard approach called Policy
    Sets, where you can create Web Service related policy sets that
    specify the certificates, etc., and then attach these to the Java
    application deployed in WAS.
    .
    The 1st part of the Request looks like so:
    .
      <?xml version="1.0"?>
    - <soapenv:Envelope
      xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
       - <soapenv:Header>
          - <s:Security soapenv:mustUnderstand="1"
    .
    The following errors appear in the WAS Log.
    .
    ServletWrappe E com.ibm.ws.webcontainer.servlet.ServletWrapper
    service SRVE0068E: An exception was thrown by one of the
    service methods of the servlet
    [com.ibm.demoWS.CallCicsWebServiceNoSec]
    in application [WAS-to-CICS-WebService]. Exception created :
    [javax.xml.ws.soap.SOAPFaultException: Header block local name
    'Security' is not defined to CICS. Mustunderstand check failed
    for the header block.
    .
    In the CICS Internal Trace you see the following:
    .
    0201 SOCK  ENTRY - FUNCTION(SEND)
                        BUFFER_LIST(12345678 , 00000002)
    .
    *HTTP/1.1 500 Internal Server Err*
    *or           ..Date: Tue, 11 Feb*
    * 2014 03:59:25 GMT..Server: IBM_*
    *CICS_Transaction_Server/5.1.0(zO*
    *S)..Content-Type: text/xml; char*
    *set=UTF-8..Content-Length: 00000*
    *0000000636..Connection: Keep-Ali*
    *ve....                          *
    *<?xml version="1.0" encoding="UT*
    *F-8" standalone="no" ?><SOAP-ENV*
    *:Envelope xmlns:SOAP-ENV="http:/*
    */schemas.xmlsoap.org/soap/envelo*
    *pe/" xmlns:soapenv="http://schem*
    *as.xmlsoap.org/soap/envelope/"><*
    *SOAP-ENV:Header><SOAP-ENV:NotUnd*
    *erstood qname="s:Security" xmlns*
    *:s="http://docs.oasis-open.org/w*
    *ss/2004/01/oasis-200401-wss-wsse*
    *curity-secext-1.0.xsd"/></SOAP-E*
    *NV:Header><SOAP-ENV:Body><SOAP-E*
    *NV:Fault xmlns=""><faultcode>SOA*
    *P-ENV:MustUnderstand</faultcode>*
    *<faultstring>Header block local *
    *name 'Security' is not defined t*
    *o CICS. Mustunderstand check fai*
    *led for the header block.</fault*
    *string></SOAP-ENV:Fault></SOAP-E*
    *NV:Body></SOAP-ENV:Envelope>    *
    .
    The problem here is that when DFHWSSE1 reconstructs the SOAP
    message to pass on to the rest of the pipeline, it filters out
    the <Security> element.  However, this filtering hardcodes the
    namespace prefix as "wsse".  In the failing case the namespace
    prefix is "s", so the element is not removed.  When the SOAP
    handler processes the headers, it finds the <Security> element
    with mustUnderstand="1" and no header handler defined for it,
    so it returns a SOAP Fault.
    
    Additional Symptom(s) Search Keyword(s): KIXREVDAM
    

Local fix

  • n/a
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS users.                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: Unexpected SOAP Fault returned when     *
    *                      CICS is a web service provider and the  *
    *                      inbound SOAP message is encrypted.      *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    CICS is acting as a web service provider.  The PIPELINE is
    configured to support WS-Security.
    
    An encrypted SOAP message is sent in to CICS.  The message is
    correctly decrypted by the CICS WS-Security handler.  At the
    end of that process the <Security> element should be removed
    from the message so that it is not seen by any of the later
    stages of the PIPELINE.  The removal of the element relies on
    the namespace prefix for WS-Security being "wsse".  In this
    case the prefix in use within the message was "s".  This
    caused the <Security> element to remain in the message.
    
    When the CICS SOAP handler was invoked it found the <Security>
    element with the mustUnderstand attribute set.  There were no
    SOAP header handler programs defined to process this header
    so a SOAP Fault was returned.
    
    If the SOAP message was signed then the WS-Security handler
    is only able to locate the security token used to create the
    signature if the namespace prefix for WS-Security is "wsse".
    If the prefix is something else (for example "s") then a SOAP
    Fault is returned indicating there was an InvalidSecurityToken.
    This is the problem reported in APAR PI12470.
    

Problem conclusion

  • The CICS WS-Security handler has been updated to process
    WS-Security elements regardless of the actual namespace prefix
    being used in the inbound message.
    
    This APAR includes the fix for PI12470.
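
The prefix dependency described above, as an added Python example that is not CICS or IBM code: a filter keyed on the literal prefix "wsse" leaves an "s:Security" header in place, while a filter keyed on the WS-Security namespace URI removes it whatever the prefix. The envelope, the token value and all function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")


def envelope(prefix):
    """Constructed sample: the same message, bound to a caller-chosen prefix."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">'
        f'<soapenv:Header>'
        f'<{prefix}:Security xmlns:{prefix}="{WSSE_NS}" soapenv:mustUnderstand="1">'
        f'<{prefix}:BinarySecurityToken>Q09OU1RSVUNURUQ=</{prefix}:BinarySecurityToken>'
        f'</{prefix}:Security>'
        f'</soapenv:Header>'
        f'<soapenv:Body><ping/></soapenv:Body>'
        f'</soapenv:Envelope>'
    )


def strip_by_prefix(xml_text):
    """Behaviour the APAR describes before the fix: match the literal 'wsse:'."""
    return re.sub(r"<wsse:Security\b.*?</wsse:Security>", "", xml_text, flags=re.S)


def strip_by_namespace(xml_text):
    """Prefix-independent removal: match on the namespace URI of the element."""
    root = ET.fromstring(xml_text)
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is not None:
        for sec in header.findall(f"{{{WSSE_NS}}}Security"):
            header.remove(sec)
    return ET.tostring(root, encoding="unicode")


def must_understand_leftovers(xml_text):
    """Header blocks still marked mustUnderstand="1" for the next pipeline stage."""
    root = ET.fromstring(xml_text)
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        return []
    return [el.tag for el in header
            if el.get(f"{{{SOAP_NS}}}mustUnderstand") == "1"]
```

A non-empty result from `must_understand_leftovers` corresponds to the condition under which a later handler with no program defined for that header returns the MustUnderstand fault.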
    

Temporary fix

  • FIX AVAILABLE BY PTF ONLY
    

Comments

APAR Information

  • APAR number

    PI12196

  • Reported component name

    CICS TS Z/OS V5

  • Reported component ID

    5655Y0400

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-02-20

  • Closed date

    2014-10-09

  • Last modified date

    2014-11-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    PI12448 UI22086

Modules/Macros

  • DFHWS002 DFHWS003 DFHWS004 DFHWS005 DFHWS006 DFHWS007 DFHWS008
    DFHWS009 DFHWS010 DFHWS011 DFHWS012 DFHWS013 DFHWS014 DFHWS015
    DFHWS016 DFHWS017 DFHWS018 DFHWS019 DFHWS020 DFHWS021 DFHWS022
    DFHWS023 DFHWS024 DFHWS025 DFHWS026 DFHWS027 DFHWS028 DFHWS029
    DFHWS030 DFHWS031 DFHWS032 DFHWS033 DFHWS034 DFHWS035 DFHWS036
    DFHWS037 DFHWS038 DFHWS039 DFHWS040 DFHWS041 DFHWS042 DFHWS043
    DFHWS044 DFHWS045 DFHWS046 DFHWS047 DFHWS048 DFHWS049 DFHWS050
    DFHWS051 DFHWS052 DFHWS053 DFHWS054 DFHWS055 DFHWS056 DFHWS057
    DFHWS058 DFHWS059 DFHWS060 DFHWS061 DFHWS062 DFHWS064 DFHWS065
    DFHWS066 DFHWS068 DFHWS069 DFHWS070 DFHWS071 DFHWS072 DFHWS073
    DFHWS074 DFHWS075 DFHWS076 DFHWS077 DFHWS078 DFHWS079 DFHWS081
    DFHWS082 DFHWS083 DFHWS084 DFHWS085 DFHWS086 DFHWS087 DFHWS088
    DFHWS089 DFHWS090 DFHWS091 DFHWS092 DFHWS122 DFHWS123
    

Fix information

  • Fixed component name

    CICS TS Z/OS V4

  • Fixed component ID

    5655S9700

Applicable component levels

  • R70W PSY UI22086

       UP14/10/16 P F410

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
04 November 2014