IBM Support

PK06553: INVALID CERTIFICATE LABEL WHEN TRYING TO PUBLISH A CORBASERVER IN CICS. A CERTIFICATE(LABEL) WAS SPECIFIED ON CORBASERVER DEF.

A fix is available

Obtain the fix for this APAR.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • If you have a space in the CERTIFICATE label on your Corbaserver
definition, this will fail when you try to publish the
Corbaserver with an INVALID_CERTIFICATE_LABEL trace entry.  The
following messages may occur:

DFHII0235 E The request processor is unable to send a request to
  a target ORB.
DFHII1009 E Failure com.ibm.cics.domains.DomainException: Class:
  Dfhiirpj, function: INVOKE, response: EXCEPTION, reason:
  SEND_REQUEST_FAILED issuing IIRP invoke.
DFHEJ0601 W jndiUnavailGenErr "NMSV0603E: Naming Service
  unavailable. Could not get the root context."
DFHII1031 E Unable to obtain JNDI InitialContext for
  CORBASERVER.
DFHII1018 E Failed to bind CORBA stateless GenericFactory for
  CORBASERVER to JNDI subcontext InitialContext as
  GenericFactory. Exception
  com.ibm.cics.iiop.JndiContextException: JNDI  InitialContext
  unavailable was received.

Trace will show:
SO 0813 SOSE *EXC* - INVALID_CERTIFICATE_LABEL
  FUNCTION(SECURE_SOC_INIT) RESPONSE(EXCEPTION) REASON()
  GSK_RETURN_CODE(0) CERTIFICATE_USERID()
  CIPHERS_SELECTED(0000000000)

The SO 0813 eyecatcher area in the trace will show only up to
the first blank in the certificate label.  Following this may be
an SO 0D0F SOSO  ENTRY - CLOSE trace and it will show a null
(x'00' ebcdic) instead of a space in the certificate label.
There may also be an SO 0D23 SOSO  ENTRY - TAKE_SOCKET and SO
0D24 SOSO  EXIT  - TAKE_SOCKET and they will also show the null.

The problem is that the blank in the certificate name has been
replaced by a null.  The routines interfacing with the system
SSL code are in C so this null acts as a string terminator.
This causes only the characters up to the first space (or null)
to be the certificate label that gets passed to system SSL.
This is not found in the keyring so you get the error.

Additional keywords:
PERFORM CORBASERVER PUBLISH DFHSOSE CEEPIPI DFHSOSK
SOSK_INVALID_CERTIFICATE_LABEL certdname_ptr
gsk_get_dn_by_label(certlabel_ptr) sock_init_ssl_socket

Local fix

  • If the certificate is the keyring default, you do not need to
specify the label in CICS on the Corbaserver definition.  Just
let the default be used automatically.  To do this just remove
the CERTIFICATE value on the CORBASERVER definition, Discard the
current Corbaserver definition and Install the new CORBASERVER
definition without the CERTIFICATE(label) value.

If the certificate is not the default, then change the spaces to
something else, such as "-" in both the CORBASERVER definition
and the security package.

Problem summary

  • ****************************************************************
* USERS AFFECTED: All                                          *
****************************************************************
* PROBLEM DESCRIPTION: An attempt to publish a CICS            *
*                      CORBASERVER over a secure connection    *
*                      fails.                                  *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
An attempt to publish a CICS CORBASERVER to a name server over a
secure socket using SSL fails if the label of the certificate
used by CICS contains embedded blanks.

During secure socket initialization, CICS replaces all blanks
(X'40') in the certificate label with nulls (X'00'). If the
label has embedded blanks, this has the effect of truncating the
label when used as a parameter in System SSL calls. This results
in a failure to establish the secure socket.

Additional keywords: DFHII0235 MSGDFHII0235 II0235
                     DFHII1009 MSGDFHII1009 II1009
                     DFHII1031 MSGDFHII1031 II1031
                     DFHII1018 MSGDFHII1018 II1018
                     DFHEJ0601 MSGDFHEJ0601 EJ0601
                     INVALID_CERTIFICATE_LABEL SO0813 SO 0813

Problem conclusion

  • DFHSOCK has been changed to replace only the trailing blanks
with nulls. Embedded blanks in the label will not be replaced.

Temporary fix

  • FIX AVAILABLE BY PTF ONLY

Comments

  • ž**** PE06/08/15 FIX IN ERROR. SEE APAR PK29767  FOR DESCRIPTION

APAR Information

  • APAR number

    PK06553

  • Reported component name

    CICSTS 3.1 Z/OS

  • Reported component ID

    5655M1500

  • Reported release

    400

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2005-06-01

  • Closed date

    2005-07-07

  • Last modified date

    2006-09-29

  • APAR is sysrouted FROM one or more of the following:

    PK03585

  • APAR is sysrouted TO one or more of the following:

    UK05149

Modules/Macros

  •    DESSOCK  DFHSOCK

Fix information

  • Fixed component name

    CICSTS 3.1 Z/OS

  • Fixed component ID

    5655M1500

Applicable component levels

  • R400 PSY UK05149

       UP05/07/12 P F507

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"3.1","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"3.1","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
29 September 2006

Page Feedback