A fix is available
APAR status
Closed as unreproducible.
Error description
DFHSOSE calls DFHXSPW for the INQUIRE_CERTIFICATE_USERID and DFHXSPW calls DFHXSSE which returns an exception response. DFHXSPW returns the exception response to DFHSOSE. But the code in DFHSOSE is only checking for a 29 reason code, and since we had a 28, it falls through as a successful call. DFHSOSE should not be treating UNKNOWN_CERTIFICATE as a valid response.
Additional Keywords: SECURE_SOC_INIT XSPW_REASON cert_unknown certificate_flag XSPW_UNKNOWN_CERTIFICATE sose_initialize_secure_socket
Local fix
Problem summary
USERS AFFECTED: All.
PROBLEM DESCRIPTION: Misleading error returned from XSPW INQUIRE_CERTIFICATE_USERID call if CICS is acting as an SSL CLIENT.
RECOMMENDATION:
CICS is acting as an SSL client and, as part of this, runs code which tries to map the server certificate onto a RACF userid. In the reported problem this results in an exception from XSPW INQUIRE_CERTIFICATE_USERID with reason (UNKNOWN_CERTIFICATE), but the request goes on to complete without problems. CICS should not attempt to map the certificate onto a RACF userid when it is acting as an SSL CLIENT. Doing so can produce misleading exception entries in the trace and have an adverse effect on performance. CICS only needs to execute the INQUIRE_CERTIFICATE_USERID call if it is acting as an SSL SERVER with Clientauth and has received a certificate from the CLIENT. When CICS is acting as a CLIENT, authentication of the server certificate is performed by the SSL handshake.
Additional keywords: DFHXSPW DFHXSPWM
Problem conclusion
Temporary fix
FIX AVAILABLE BY PTF ONLY
Comments
DFHSOSK has been altered so that the code to set up certificate information after completing a successful SSL handshake will not be performed if CICS is acting as a CLIENT.
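The reported check and the corrected behaviour, modelled in C as an added example; this is not CICS source or IBM code. All type and function names, the stub lookup and the certificate labels are assumptions made for illustration; only the reason values 28 and 29 come from the error description above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model, not CICS source. Names are assumptions; the
 * reason values 28 and 29 are the ones quoted in the APAR text. */
typedef enum { SSL_CLIENT, SSL_SERVER } ssl_role;
typedef enum { RESP_OK, RESP_EXCEPTION } xs_resp;
enum { REASON_NONE = 0, REASON_UNKNOWN_CERTIFICATE = 28, REASON_29 = 29 };
typedef enum { SETUP_OK, SETUP_SKIPPED, SETUP_FAILED } setup_result;

int inquire_calls = 0; /* how often the mapping lookup was driven */

/* Stub lookup: only the constructed label "KNOWN-CERT" maps to a userid. */
static xs_resp inquire_certificate_userid(const char *cert, char userid[9], int *reason) {
    inquire_calls++;
    if (cert != NULL && strcmp(cert, "KNOWN-CERT") == 0) {
        strcpy(userid, "USER0001");
        *reason = REASON_NONE;
        return RESP_OK;
    }
    *reason = REASON_UNKNOWN_CERTIFICATE;
    return RESP_EXCEPTION;
}

/* Reported behaviour: the lookup is driven whatever the role, and only
 * reason 29 counts as a failure, so reason 28 falls through as success. */
setup_result setup_before(ssl_role role, bool client_auth, const char *cert, char userid[9]) {
    int reason;
    (void)role; (void)client_auth;
    userid[0] = '\0';
    inquire_certificate_userid(cert, userid, &reason);
    return reason == REASON_29 ? SETUP_FAILED : SETUP_OK;
}

/* Corrected shape: skip the lookup unless acting as a server with client
 * authentication and a peer certificate; fail closed on any exception. */
setup_result setup_after(ssl_role role, bool client_auth, const char *cert, char userid[9]) {
    int reason;
    userid[0] = '\0';
    if (role != SSL_SERVER || !client_auth || cert == NULL)
        return SETUP_SKIPPED;
    if (inquire_certificate_userid(cert, userid, &reason) != RESP_OK) {
        userid[0] = '\0'; /* never leave a partial identity behind */
        return SETUP_FAILED;
    }
    return SETUP_OK;
}
```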
APAR Information
APAR number
PK43979
Reported component name
CICSTS 3.1 Z/OS
Reported component ID
5655M1500
Reported release
400
Status
CLOSED UR3
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2007-04-25
Closed date
2007-07-19
Last modified date
2007-08-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UK27351 UK27352
Modules/Macros
DESSOSE DFHLEPT@ DFHSOSK
Fix information
Fixed component name
CICSTS 3.1 Z/OS
Fixed component ID
5655M1500
Applicable component levels
R400 PSY UP
R403 PSY UK27352 UP07/07/25 P F707
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
03 August 2007