A fix is available
APAR status
Closed as program error.
Error description
If you have a space in the CERTIFICATE label on your Corbaserver definition, this will fail when you try to publish the Corbaserver with an INVALID_CERTIFICATE_LABEL trace entry. The following messages may occur: DFHII0235 E The request processor is unable to send a request to a target ORB. DFHII1009 E Failure com.ibm.cics.domains.DomainException: Class: Dfhiirpj, function: INVOKE, response: EXCEPTION, reason: SEND_REQUEST_FAILED issuing IIRP invoke. DFHEJ0601 W jndiUnavailGenErr "NMSV0603E: Naming Service unavailable. Could not get the root context." DFHII1031 E Unable to obtain JNDI InitialContext for CORBASERVER. DFHII1018 E Failed to bind CORBA stateless GenericFactory for CORBASERVER to JNDI subcontext InitialContext as GenericFactory. Exception com.ibm.cics.iiop.JndiContextException: JNDI InitialContext unavailable was received. Trace will show: SO 0813 SOSE *EXC* - INVALID_CERTIFICATE_LABEL FUNCTION(SECURE_SOC_INIT) RESPONSE(EXCEPTION) REASON() GSK_RETURN_CODE(0) CERTIFICATE_USERID() CIPHERS_SELECTED(0000000000) The SO 0813 eyecatcher area in the trace will show only up to the first blank in the certificate label. Following this may be an SO 0D0F SOSO ENTRY - CLOSE trace and it will show a null (x'00' ebcdic) instead of a space in the certificate label. There may also be an SO 0D23 SOSO ENTRY - TAKE_SOCKET and SO 0D24 SOSO EXIT - TAKE_SOCKET and they will also show the null. The problem is that the blank in the certificate name has been replaced by a null. The routines interfacing with the system SSL code are in C so this null acts as a string terminator. This causes only the characters up to the first space (or null) to be the certificate label that gets passed to system SSL. This is not found in the keyring so you get the error. Additional keywords: PERFORM CORBASERVER PUBLISH DFHSOSE CEEPIPI DFHSOSK SOSK_INVALID_CERTIFICATE_LABEL certdname_ptr gsk_get_dn_by_label(certlabel_ptr) sock_init_ssl_socket
Local fix
If the certificate is the keyring default, you do not need to specify the label in CICS on the Corbaserver definition. Just let the default be used automatically. To do this just remove the CERTIFICATE value on the CORBASERVER definition, Discard the current Corbaserver definition and Install the new CORBASERVER definition without the CERTIFICATE(label) value. If the certificate is not the default, then change the spaces to something else, such as "-" in both the CORBASERVER definition and the security package.
Problem summary
**************************************************************** * USERS AFFECTED: All * **************************************************************** * PROBLEM DESCRIPTION: An attempt to publish a CICS * * CORBASERVER over a secure connection * * fails. * **************************************************************** * RECOMMENDATION: * **************************************************************** An attempt to publish a CICS CORBASERVER to a name server over a secure socket using SSL fails if the label of the certificate used by CICS contains embedded blanks. During secure socket initialization, CICS replaces all blanks (X'40') in the certificate label with nulls (X'00'). If the label has embedded blanks, this has the effect of truncating the label when used as a parameter in System SSL calls. This results in a failure to establish the secure socket. Additional keywords: DFHII0235 MSGDFHII0235 II0235 DFHII1009 MSGDFHII1009 II1009 DFHII1031 MSGDFHII1031 II1031 DFHII1018 MSGDFHII1018 II1018 DFHEJ0601 MSGDFHEJ0601 EJ0601 INVALID_CERTIFICATE_LABEL SO0813 SO 0813
Problem conclusion
DFHSOCK has been changed to replace only the trailing blanks with nulls. Embedded blanks in the label will not be replaced.
Temporary fix
FIX AVAILABLE BY PTF ONLY
Comments
**** PE06/08/15 FIX IN ERROR. SEE APAR PK29767 FOR DESCRIPTION
APAR Information
APAR number
PK06553
Reported component name
CICSTS 3.1 Z/OS
Reported component ID
5655M1500
Reported release
400
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2005-06-01
Closed date
2005-07-07
Last modified date
2006-09-29
APAR is sysrouted FROM one or more of the following:
PK03585
APAR is sysrouted TO one or more of the following:
UK05149
Modules/Macros
DESSOCK DFHSOCK
Fix information
Fixed component name
CICSTS 3.1 Z/OS
Fixed component ID
5655M1500
Applicable component levels
R400 PSY UK05149
UP05/07/12 P F507
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"3.1","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"3.1","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
29 September 2006