A fix is available
APAR status
Closed as program error.
Error description
There is an attack on the region's TCPIPSERVICE causing a flood of messages and a system dump to occur. . The following messages appear in the CICS Log: . DFHSO0123 03/08/2014 01:21:45 CICSREGN Return code 433 received from function 'gsk_secure_socket_init' of System SSL. Reason: Unrecognized return code. Peer: 111.22.111.22, TCPIPSERVICE: YOURSRVC. DFHWB0732 03/08/2014 01:21:49 CICSREGN CWXN CICS Web attach processing encountered a sockets I/O error while receiving a client request. Host IP address: 222.11.222.11. Client IP address: 111.22.111.22. TCPIPSERVICE: YOURSRVC . DFHSO0002 CICSREGN A severe error (code X'080C') has occurred in module DFHSOSE. . Need to prevent the DFHSO0002 dump from being produced and and a more useful description of the return code 433. . You will see the following Trace Entry for this error: . SO 080C SOSE *EXC* - SYSTEM_SSL_ERROR GSK_RESPONSE (GSK_ERR_EXPORT_RESTRICTION) FUNCTION(SECURE_SOC_INIT) RESPONSE(DISASTER) REASON(GSK_ERROR) GSK_RETURN_CODE(1B1) "Dec 433" CERTIFICATE_USERID() CIPHER_SELECTED() . GSK_RETURN_CODE(1B1) means: - The above error is x'1B1' ( 433 dec ) which is: - Key exceeds allowable export size. - Explanation: The key size used for an export cipher suite exceeds the allowable maximum size. For RSA and DSA keys, the maximum export key size is 512 bits. If the certificate key is larger than 512 bits, the SSL runtime will use a temporary 512-bit key for the connection. Additional Symptom(s) Search Keyword(s): KIXREVDAM RC433 MSGDFHSO0123 MSGDFHWB0732 MSGDFHSO0002
Local fix
n/a
Problem summary
**************************************************************** * USERS AFFECTED: All CICS users. * **************************************************************** * PROBLEM DESCRIPTION: DFHSO0002 is issued when SSL fails with * * GSK_ERR_EXPORT_RESTRICTION (response * * code 433). * **************************************************************** * RECOMMENDATION: * **************************************************************** CICS is setup with SSL. A client connects to CICS and a secure socket connection is initialized. If the key size used for an export cipher suite exceeds the allowable maximum size, the socket initialization will fail with gsk response code 433. CICS treats the 433 as an unrecognized return code and issues message DFHSO0123 to report the error code. In addition, DFHSO0002 is issued and a system dump is taken. The response code 433 should be treated as an client side error, the DFHSO0002 and the system dump is unnecessary for this type of error. Additional Keywords: msgDFHSO0123 SO0123 msgDFHSO0002 SO0002
Problem conclusion
DFHSOSE has been changed to issue message DFHSO1023 with the correct description, when gsk returns response code 433. The DFHSO0002 is not issued and a system dump is not taken. CICS Transaction Server for z/OS Version 4 Release 1 CICS Messages and Codes, GC34-7035-03 has amended the description of message DFHSO0123. Change the line "43=Server name not recognized}" to "43=Server name not recognized, 46=Export restriction}". Change the line "Server name not recognized}." to "Server name not recognized | Export restriction}.". CICS Transaction Server for z/OS Version 4 Release 2 CICS Messages and Codes Vol 2, GC34-7176-01 has amended the description of message DFHSO0123. Change the line "43=Server name not recognized}" to "43=Server name not recognized, 46=Export restriction}". Change the line "Server name not recognized}." to "Server name not recognized | Export restriction}.".
Temporary fix
FIX AVAILABLE BY PTF ONLY
Comments
APAR Information
APAR number
PI15836
Reported component name
CICS TS Z/OS V4
Reported component ID
5655S9700
Reported release
600
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2014-04-11
Closed date
2014-06-27
Last modified date
2014-08-04
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
PI18375 UI19335 UI19336
Modules/Macros
DFHMESOC DFHMESOE DFHMESOK DFHSOSE DFH15836
GC34703503 | GC34717601 |
Fix information
Fixed component name
CICS TS Z/OS V4
Fixed component ID
5655S9700
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"4.1","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"4.1","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
04 August 2014