A fix is available
APAR status
Closed as program error.
Error description
You have specified a certificate label on a URIMAP definition for an outbound request and have issued EXEC CICS WEB OPEN URIMAP, but your certificate label was not passed to SSL on the gsk_secure_socket_init call. Your target server is using SSL, but you are going through a proxy server (set up using the XWBOPEN exit).
Since no certificate was passed to SSL from the client (CICS), SSL will use the default certificate if there is one defined in the RACF keyring. If there isn't a default certificate, INQUIRE_CERTIFICATE_USERID fails with an exception and reason UNKNOWN_CERTIFICATE in DFHXSSE and DFHXSPW, and the trace will show:
SO 080C SOSE *EXC* - SYSTEM_SSL_ERROR GSK_RESPONSE(GSK_ERR_NO_CIPHERS) FUNCTION(SECURE_SOC_READ) RESPONSE(EXCEPTION) REASON(CLIENT_ERROR) GSK_RETURN_CODE(192) RECEIVE_BUFFER(430E5000 , 00000000 , 00001000)
CICS is correctly not using a certificate on the initial proxy request. However, after this CONNECT is successful and a proxy tunnel is opened, CICS switches the socket to SSL. In doing so it also needs to set the certificate and ciphers to use. This is not being done.
Additional Keywords: DFHSO0123 Return code 402 received from function 'gsk_secure_socket_init' of System SSL. Reason: No common ciphers negotiated.
A gsk_attribute_set_buffer call with an ID of 203 in an SSL trace would indicate that a certificate had been passed to System SSL. In this failure, there was no ID 203 since no certificate was passed.
Local fix
Specify a default certificate in the RACF Keyring until this fix is available.
Problem summary
****************************************************************
* USERS AFFECTED: All CICS Users                               *
****************************************************************
* PROBLEM DESCRIPTION: When EXEC CICS WEB OPEN is used to      *
*                      establish a connection with a remote    *
*                      SSL server through a proxy, any CIPHERS *
*                      or CERTIFICATE parameters specified on  *
*                      the command or on the referenced URIMAP *
*                      are not used on the SSL connection.     *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When a proxy is being used for an outbound HTTP session, an initial non-SSL connection is first established with the proxy, using the HTTP CONNECT method. Only after this connection is established is the session changed to use SSL. During the switch to SSL, the CIPHERS and CERTIFICATE parameters from the WEB OPEN command, or from the associated URIMAP, are ignored.
Problem conclusion
The SET_SOCKET_OPTS function of DFHSOCK has been modified to accept the CIPHERS and CERTIFICATE parameters, and DFHWBCL has been modified to specify these parameters when it uses the function to switch to SSL after establishing a proxy connection.
Temporary fix
FIX AVAILABLE BY PTF ONLY
Comments
APAR Information
APAR number
PK50017
Reported component name
CICSTS V3 Z/OS
Reported component ID
5655M1500
Reported release
400
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2007-07-30
Closed date
2007-12-13
Last modified date
2008-01-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UK32328 UK32329 UK32330 UK32331 UK32332 UK32333
Modules/Macros
DESSOAD DESSOCK DESSODM DESSODUF DESSOIS DESSOLS DESSOST DESSOTB DESSOTD DESWBCL DFHSOAD DFHSOADA DFHSOADM DFHSOADT DFHSOCBA DFHSOCBM DFHSOCBT DFHSOCK DFHSOCKA DFHSOCKJ DFHSOCKM DFHSOCKT DFHSOCKV DFHSODM DFHSODUF DFHSOGH DFHSOIS DFHSOISA DFHSOISJ DFHSOISM DFHSOIST DFHSOISV DFHSOLS DFHSOLSA DFHSOLSM DFHSOLST DFHSOPAA DFHSOPAM DFHSOPAT DFHSOST DFHSOTB DFHSOTBA DFHSOTBM DFHSOTBT DFHSOTDC DFHSOTDD DFHWBCL DFHWBCLA DFHWBCLB DFHWBCLC DFHWBCLD DFHWBCLH DFHWBCLI DFHWBCLJ DFHWBCLL DFHWBCLM DFHWBCLO DFHWBCLT DFHWBCLV
Fix information
Fixed component name
CICSTS V3 Z/OS
Fixed component ID
5655M1500
Applicable component levels
R400 PSY UK32328
UP07/12/19 P F712
R403 PSY
UP
R500 PSY UK32330
UP07/12/19 P F712
R501 PSY UK32331
UP07/12/19 P F712
R502 PSY UK32332
UP07/12/19 P F712
R503 PSY UK32333
UP07/12/19 P F712
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
02 January 2008