A fix is available
APAR status
Closed as program error.
Error description
Developing some application code to show a java application in WebSphere App Server ( WAS ) V8.5.5 on my Windows PC doing a Web Service call to CICS on a z/OS LPAR using Message Encryption. . Attempting to use the following Method: . Method:. WAS supplies a standard approach called Policy Sets, where you can create Web Service related policy sets that specify the certificates etc, and then attach these to the java application deployed in WAS. . The 1st part of the Request looks like so: . <?xml version="1.0"?> - <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> - <soapenv:Header> - <s:Security soapenv:mustUnderstand="1" . The following errors appear in the WAS Log. . ServletWrappe E com.ibm.ws.webcontainer.servlet.ServletWrapper service SRVE0068E: An exception was thrown by one of the service methods of the servlet [com.ibm.demoWS.CallCicsWebServiceNoSec] in application [WAS-to-CICS-WebService]. Exception created : [javax.xml.ws.soap.SOAPFaultException: Header block local name 'Security' is not defined to CICS. Mustunderstand check failed for the header block. . In the CICS Internal Trace you see the following: . 0201 SOCK ENTRY - FUNCTION(SEND) BUFFER_LIST(12345678 , 00000002) . *HTTP/1.1 500 Internal Server Err* *or ..Date: Tue, 11 Feb* * 2014 03:59:25 GMT..Server: IBM_* *CICS_Transaction_Server/5.1.0(zO* *S)..Content-Type: text/xml; char* *set=UTF-8..Content-Length: 00000* *0000000636..Connection: Keep-Ali* *ve.... * *<?xml version="1.0" encoding="UT* *F-8" standalone="no" ?><SOAP-ENV* *:Envelope xmlns:SOAP-ENV="http:/* */schemas.xmlsoap.org/soap/envelo* *pe/" xmlns:soapenv="http://schem* *as.xmlsoap.org/soap/envelope/"><* *SOAP-ENV:Header><SOAP-ENV:NotUnd* *erstood qname="s:Security" xmlns* *:s="http://docs.oasis-open.org/w* *ss/2004/01/oasis-200401-wss-wsse* *curity-secext-1.0.xsd"/></SOAP-E* *NV:Header><SOAP-ENV:Body><SOAP-E* *NV:Fault xmlns=""><faultcode>SOA* *P-ENV:MustUnderstand</faultcode>* *<faultstring>Header block local * *name 'Security' is not defined t* *o CICS. Mustunderstand check fai* *led for the header block.</fault* *string></SOAP-ENV:Fault></SOAP-E* *NV:Body></SOAP-ENV:Envelope> * . The problem here is that when DFHWSSE1 reconstructs the SOAP message to pass on to the rest of the pipeline it filters out the <Security> element. However, this filtering hardcodes the namespace prefix as wsse. In the failing case the namespace prefix is "s" so the element is not removed. When the SOAP handler processes the headers it finds the <Security> element with mustUnderstand="1" and no defined header so returns a SOAP Fault. Additional Symptom(s) Search Keyword(s): KIXREVDAM
Local fix
n/a
Problem summary
**************************************************************** * USERS AFFECTED: All CICS users. * **************************************************************** * PROBLEM DESCRIPTION: Unexpected SOAP Fault returned when * * CICS is a web service provider and the * * inbound SOAP message is encrypted. * **************************************************************** * RECOMMENDATION: * **************************************************************** CICS is acting as a web service provider. The PIPELINE is configured to support WS-Security. An encrypted SOAP message is sent in to CICS. The message is correctly decrypted by the CICS WS-Security handler. At the end of that process the <Security> element should be removed from the message so that it is not seen by any of the later stages of the PIPELINE. The removal of the element relies on the namespace prefix for WS-Security being "wsse". In this case the prefix in use within the message was "s". This caused the <Security> element to remain in the message. When the CICS SOAP handler was invoked it found the <Security> element with the mustUnderstand attribute set. There were no SOAP header handler programs defined to process this header so a SOAP Fault was returned. If the SOAP message was signed then the WS-Security handler is only able to locate the security token used to create the signature if the namespace prefix for WS-Security is "wsse". If the prefix is something else (for example "s") then a SOAP Fault is returned indicating there was an InvalidSecurityToken. This is the problem reported in APAR PI13903.
Problem conclusion
The CICS WS-Security handler has been updated to process WS-Security elements regardless of the actual namespace prefix being used in the inbound message. This APAR includes the fix for PI13903.
Temporary fix
FIX AVAILABLE BY PTF ONLY
Comments
APAR Information
APAR number
PI12448
Reported component name
CICS TS Z/OS V5
Reported component ID
5655Y0400
Reported release
800
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2014-02-25
Closed date
2014-10-09
Last modified date
2015-03-05
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI22088 UI22089
Modules/Macros
DFHWS002 DFHWS003 DFHWS004 DFHWS005 DFHWS006 DFHWS007 DFHWS008 DFHWS009 DFHWS010 DFHWS011 DFHWS012 DFHWS013 DFHWS014 DFHWS015 DFHWS016 DFHWS017 DFHWS018 DFHWS019 DFHWS020 DFHWS021 DFHWS022 DFHWS023 DFHWS024 DFHWS025 DFHWS026 DFHWS027 DFHWS028 DFHWS029 DFHWS030 DFHWS031 DFHWS032 DFHWS033 DFHWS034 DFHWS035 DFHWS036 DFHWS037 DFHWS038 DFHWS039 DFHWS040 DFHWS041 DFHWS042 DFHWS043 DFHWS044 DFHWS045 DFHWS046 DFHWS047 DFHWS048 DFHWS049 DFHWS050 DFHWS051 DFHWS052 DFHWS053 DFHWS054 DFHWS055 DFHWS056 DFHWS057 DFHWS058 DFHWS059 DFHWS060 DFHWS061 DFHWS062 DFHWS064 DFHWS065 DFHWS066 DFHWS068 DFHWS069 DFHWS070 DFHWS071 DFHWS072 DFHWS073 DFHWS074 DFHWS075 DFHWS076 DFHWS077 DFHWS078 DFHWS079 DFHWS081 DFHWS082 DFHWS083 DFHWS084 DFHWS085 DFHWS086 DFHWS087 DFHWS088 DFHWS089 DFHWS090 DFHWS091 DFHWS092 DFHWS122 DFHWS123
Fix information
Fixed component name
CICS TS Z/OS V5
Fixed component ID
5655Y0400
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.1","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.1","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
05 March 2015