A fix is available
APAR status
Closed as program error.
Error description
You receive the following message for an outbound SSL request from CICS:
DFHSO0123 Return code 8 received from function 'gsk_secure_socket_init' of System SSL. Reason: Certificate rejected by peer. Peer: xxx.xxx.xxx.xxx, TCPIPSERVICE: *NONE*.
The message indicates that the other side could not authenticate what we were sending in the SSL handshake. However, a TCPIP packet trace shows that one of the signing certificate authority certificates of the other side was actually not in the CICS keyring.
This APAR will update the message insert on the DFHSO0123 message when GSK_ERR_CERT_VALIDATION is returned to "Certificate validation failure" to better indicate what the problem is.
Additional Symptom(s) Search Keyword(s): KIXREVGJT
Local fix
N/A
Problem summary
USERS AFFECTED: All CICS users.
PROBLEM DESCRIPTION: The reason description for message DFHSO0123 with return code 8 from 'gsk_secure_socket_init' is misleading.
RECOMMENDATION:
Message DFHSO0123 is received for an outbound SSL request from CICS:
DFHSO0123 Return code 8 received from function 'gsk_secure_socket_init' of System SSL. Reason: Certificate rejected by peer.
It indicates that the CICS certificate had been rejected by the remote system. This is misleading: the problem could be with either the CICS certificate or the certificate presented by the remote server.
Additional Keywords: msgDFHSO0123 SO0123
Problem conclusion
Message DFHSO0123 has been updated to say "Certificate validation failed" with return code 8. The message explanation has also been enhanced to say "If the brief interpretation of the return code is Certificate validation failed then either the server or client certificate (if client certificates are being used) is invalid."
Documentation change: CICS Transaction Server for z/OS Version 5 Release 2, CICS Messages and Codes Vol 2, GC34-7284-00, Chapter 4. DFH messages - DFHN to DFHZ, section DFHSOnnnn messages, message DFHSO0123.
The reason insert "Certificate rejected by peer" has been replaced with "Certificate validation failed". The message explanation has been enhanced to say "If the brief interpretation of the return code is Certificate validation failed then either the server or client certificate (if client certificates are being used) is invalid."
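The following Python log-triage helper is an added example, not IBM code. It parses DFHSO0123 lines in the layout quoted in this APAR and flags return code 8 from gsk_secure_socket_init, under either the old or the new reason insert, as a failure that needs checks on both sides of the handshake. The sample lines, the addresses and the names triage and peers_to_review are constructed for illustration.

```python
import re
from collections import Counter

# Layout of DFHSO0123 as quoted in this APAR (assumed stable across job logs).
DFHSO0123 = re.compile(
    r"DFHSO0123\s+Return code (?P<rc>\d+) received from function "
    r"'(?P<func>\w+)' of System SSL\. Reason: (?P<reason>.+?)\."
    r"(?: Peer: (?P<peer>[^,]+), TCPIPSERVICE: (?P<service>[^.\s]+))?"
)
OLD_INSERT = "Certificate rejected by peer"  # wording before the PTF
NEW_PREFIX = "Certificate validation"        # wording after the PTF
CHECKS = (
    "CICS keyring holds every signing CA certificate of the peer's chain",
    "CICS certificate (if client certificates are being used) is valid",
)

def triage(line):
    """Parse one log line; return a dict, or None if it is not DFHSO0123."""
    m = DFHSO0123.search(" ".join(line.split()))  # undo wrapping/extra spaces
    if m is None:
        return None
    rec = m.groupdict()
    rec["rc"] = int(rec["rc"])
    rec["patched_wording"] = rec["reason"].startswith(NEW_PREFIX)
    # Per the APAR, rc 8 here does not say which side's certificate failed.
    rec["check_both_sides"] = (
        rec["rc"] == 8 and rec["func"] == "gsk_secure_socket_init"
        and (rec["reason"] == OLD_INSERT or rec["patched_wording"])
    )
    rec["checks"] = CHECKS if rec["check_both_sides"] else ()
    return rec

def peers_to_review(lines):
    """Count ambiguous validation failures per peer address."""
    hits = (triage(l) for l in lines)
    return dict(Counter(h["peer"] or "unknown" for h in hits
                        if h and h["check_both_sides"]))

# Constructed sample lines (documentation addresses, not real log data).
SAMPLE = [
    "DFHSO0123 Return code 8 received from function 'gsk_secure_socket_init' "
    "of System SSL. Reason: Certificate rejected by peer. "
    "Peer: 192.0.2.10, TCPIPSERVICE: *NONE*.",
    "DFHSO0123 Return code 8 received from function\n  'gsk_secure_socket_init' "
    "of System SSL. Reason: Certificate validation failed. "
    "Peer: 198.51.100.7, TCPIPSERVICE: *NONE*.",
    "constructed line that carries no DFHSO0123 message",
]

if __name__ == "__main__":
    for peer, n in peers_to_review(SAMPLE).items():
        print(peer, n, *CHECKS, sep=" | ")
```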
Temporary fix
FIX AVAILABLE BY PTF ONLY
Comments
APAR Information
APAR number
PI60615
Reported component name
CICS TS Z/OS V5
Reported component ID
5655Y0400
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-04-11
Closed date
2016-06-19
Last modified date
2016-07-04
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
PI62251 UI38871
Modules/Macros
DFHMESOC DFHMESOE DFHMESOK
GC34728400
Fix information
Fixed component name
CICS TS Z/OS V5
Fixed component ID
5655Y0400
Applicable component levels
R900 PSY UI38871
UP16/07/01 P F606
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
04 July 2016