IBM Support

PK56206: PROVIDER PIPELINE BLIND/BASIC DOES NOT CHECK PASSWORD

A fix is available


APAR status

  • Closed as program error.

Error description

  • When using WS-Security with authentication set to
    mode="basic" trust="blind" DFHPITC is failing to verify the
    optional password if one is supplied with the trusted userid.
    .
    ADDITIONAL KEYWORDS: DFHWSSE1 DFHWSSE dfhwsse_configuration
                         wsse_handler
    Additional problem:
    A provider pipeline defined with the following <wsse_handler>
    element may generate a SOAP Fault.
    .
    <wsse_handler>
      <dfhwsse_configuration version="1">
        <authentication trust="none" mode="basic">
        </authentication>
      </dfhwsse_configuration>
    </wsse_handler>
    .
    The SOAP Fault is returned by DFHWSSE1 because it cannot find
    the <wsse:Security> header in the incoming message.  The header
    is not found because DFHPITC has already processed and removed
    it.  DFHPITC extracted the userid and password successfully.
    Afterwards it calls DFHCCNV to convert the userid and password
    from UTF-8 to EBCDIC.  This works.  It also calls DFHCCNV to
    convert data areas that are used to hold the second userid and
    password used.  These aren't used by this request because
    trust=none was specified so they contain uninitialised data.
    This causes the calls to DFHCCNV to return an exception which
    in turn causes DFHPITC to return an exception.  Due to the
    exception being returned by DFHPITC, DFHWSSE1 gets called
    and returns the SOAP Fault.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS users.                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: WS Security authentication with         *
    *                      trust="blind" and mode="basic" does     *
    *                      not validate the password if one is     *
    *                      provided.                               *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    A web service requester using WS-Security submits a request to
    CICS acting as a service provider.
    The provider pipeline configuration file has an authentication
    element with trust=blind and mode=basic. This means that the
    password is optional. However if the password is provided it
    should be validated and this is not occurring.
    

Problem conclusion

  • DFHPITC has been changed to validate the password if present,
    when trust="blind" and mode="basic" has been requested on the
    authentication. The password validation has also been altered to
    copy the correct lengths of the ASCII versions of the userid and
    password fields.
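
An added example (not IBM's code): a Python check that scans a provider pipeline configuration file for the two <authentication> settings this APAR describes, so that regions not yet at PTF UK36767 can be reviewed first. The function names, the finding text and the sample XML are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# trust/mode pairs named in APAR PK56206 and the symptom described for each.
AFFECTED = {
    ("blind", "basic"): "supplied password is not validated",
    ("none", "basic"): "provider pipeline may return a SOAP Fault",
}

# Constructed sample; elements around <wsse_handler> are omitted.
SAMPLE = """<provider_pipeline>
  <wsse_handler>
    <dfhwsse_configuration version="1">
      <authentication trust="blind" mode="basic">
      </authentication>
    </dfhwsse_configuration>
  </wsse_handler>
</provider_pipeline>"""


def local(tag):
    """Drop an XML namespace qualifier such as '{uri}authentication'."""
    return tag.rsplit("}", 1)[-1]


def audit_pipeline_config(xml_text):
    """Return (trust, mode, symptom) for each affected <authentication>
    element nested in <wsse_handler>/<dfhwsse_configuration>.
    Intended for locally held, trusted configuration files."""
    findings = []
    root = ET.fromstring(xml_text)
    for handler in root.iter():
        if local(handler.tag) != "wsse_handler":
            continue
        for cfg in handler:
            if local(cfg.tag) != "dfhwsse_configuration":
                continue
            for auth in cfg:
                if local(auth.tag) != "authentication":
                    continue
                key = (auth.get("trust", "").lower(),
                       auth.get("mode", "").lower())
                if key in AFFECTED:
                    findings.append((key[0], key[1], AFFECTED[key]))
    return findings


if __name__ == "__main__":
    for trust, mode, symptom in audit_pipeline_config(SAMPLE):
        print(f'trust="{trust}" mode="{mode}": {symptom}')
```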
    

Temporary fix

  • FIX AVAILABLE BY PTF ONLY
    

Comments

APAR Information

  • APAR number

    PK56206

  • Reported component name

    CICSTS V3 Z/OS

  • Reported component ID

    5655M1500

  • Reported release

    500

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2007-11-08

  • Closed date

    2008-05-29

  • Last modified date

    2008-10-30

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UK36767

Modules/Macros

  •    DESPITC  DFHPITC  DFHPITCA DFHPITCM DFHPITCT
    

Fix information

  • Fixed component name

    CICSTS V3 Z/OS

  • Fixed component ID

    5655M1500

Applicable component levels

  • R500 PSY UK36767

       UP08/06/03 P F806

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
30 October 2008