IBM Support

PK22880: A SOAP FOR CICS REQUEST COMES INTO CICS OVER A SECURE HTTPS CONNECTION AND RECEIVES DFHSO0123 RETURN CODE '439'.

A fix is available

Obtain the fix for this APAR.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • A SOAP for CICS request comes into CICS over a secure HTTPS
connection. It includes HTTP header Connection: close.  After
the response is sent, CICS will automatically close the socket
rather than issue another receive.  A SOSE_SECURE_SOC_CLOSE call
is made and system SSL sends a message to the SSL partner to
indicate that the session is being closed. This completes
normally and CICS resets hs_complete as we do not expect to ask
system SSL to perform any more SENDs/RECEIVEs of data.
.
However, before actually closing the socket we attempt to purge
any outstanding data on the socket which has not been received.
Failure to do this can cause TCPIP to flow a socket error to the
remote client.
.
CICS uses IOCTL to detect that there is some data on the socket
so a RECEIVE is issued to discard the data. There is no need to
go through system SSL to receive this data. In previous CICS
releases, the low-level receive would go directly to the socket
for data rather than going through system SSL.
.
However, CICS TS 3.1 now detects that this is a secure socket in
the low-level receive logic.  As hs_complete is false, it
attempts to initiate a new handshake by issuing a
SECURE_SOC_INIT call.  This is nonsensical as we have just
terminated the SSL session and all we are trying to do is
discard data which is still on the socket.
.
We need to change the purge_recv routine of DFHSOS03 so that the
Socket.receive call indicates that data should be received
directly from TCPIP without driving system SSL.
.
External Symptoms for customer may be  MSGDFHSO0123 DFHSO0123
SO0123 with return codes of RC439 439, RC431 431 or RC405 405,
accompanied afterward by a MSGDFHSO0002 DFHSO0002 SO0002 code
X'080C' 080C in DFHSOSE
.

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED: All.                                         *
****************************************************************
* PROBLEM DESCRIPTION: When using TCPIPSERVICE with SSL,       *
*                      message DFHSO0123 'SSL protocol         *
*                      violations' may be issued.              *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
A SOAP message is received into CICS on an inbound HTTPS
connection with a request Header that contains Connection:close.
This will result in the socket being closed after the request
has been handled and any data left on the socket will be purged.
However, the purge process incorrectly attempts to initiate a
new SSL handshake against the socket which is being closed,
causing an error and message DFHSO0123 to be issued.
The return code in the message will vary depending on the data
that was left on the socket. Message DFHSO0002 A severe error
(code X'080C') has occurred in module DFHSOSE may also be
issued.

Additional Keywords : gsk_secure_socket_init HTTPSSL SO0002
                      MSGDFHSO0123 MSGDFHSO0002

    



Problem conclusion


    

  • DFHSOS03 has been changed so the Socket.receive call in routine
purge_recv will receive data directly off the socket rather than
calling System SSL.

    



Temporary fix


    

  • FIX AVAILABLE BY PTF ONLY

    



Comments


    

  • 



APAR Information




    

  • APAR number
    PK22880
    • 

  • Reported component name
    CICSTS 3.1 Z/OS
    • 

  • Reported component ID
    5655M1500
    • 

  • Reported release
    400
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2006-04-05
    • 

  • Closed date
    2006-05-25
    • 

  • Last modified date
    2006-06-03
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    
UK14869
    

    • 



Modules/Macros


    

  •    DESSOSO  DFHSOSOC DFHSOS00 DFHSOS01 DFHSOS02
DFHSOS03 DFHSOS04 DFHSOS05 DFHSOS06 DFHSOS07 DFHSOS08 DFHSOS09
DFHSOS10 DFHSOS11 DFHSOS12 DFHSOS13 DFHSOS14 DFHSOS15 DFHSOS16
DFHSOS17 DFHSOS18 DFHSOS19 DFHSOS20 DFHSOS21 DFHSOS22 DFHSOS23

    



Fix information


    

  • Fixed component name
    CICSTS 3.1 Z/OS
    • 

  • Fixed component ID
    5655M1500
    • 



Applicable component levels


    

  • R400  PSY  UK14869
       UP06/05/31  P  F605
    • 



Fix is available


    

  • Select the PTF appropriate for your component level.
You will be required to sign in. Distribution on physical
media is not available in all countries.
    








      
              
                            

              

              [{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"3.1","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"3.1","Edition":"","Line of Business":{"code":"","label":""}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            03 June 2006
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback