A fix is available
APAR status
Closed as program error.
Error description
When using WS-Security with authentication set to mode="basic" trust="blind", DFHPITC fails to verify the optional password if one is supplied with the trusted userid.

ADDITIONAL KEYWORDS: DFHWSSE1 DFHWSSE dfhwsse_configuration wsse_handler

Additional problem: A provider pipeline defined with the following <wsse_handler> element may generate a SOAP Fault.

    <wsse_handler>
      <dfhwsse_configuration version="1">
        <authentication trust="none" mode="basic">
        </authentication>
      </dfhwsse_configuration>
    </wsse_handler>

The SOAP Fault is returned by DFHWSSE1 because it cannot find the <wsse:Security> header in the incoming message. The header is not found because DFHPITC has already processed and removed it.

DFHPITC extracted the userid and password successfully. Afterwards it calls DFHCCNV to convert the userid and password from UTF-8 to EBCDIC. This works. It also calls DFHCCNV to convert the data areas that are used to hold the second userid and password. These are not used by this request because trust=none was specified, so they contain uninitialised data. This causes the calls to DFHCCNV to return an exception, which in turn causes DFHPITC to return an exception. Because DFHPITC returns an exception, DFHWSSE1 gets called and returns the SOAP Fault.
Local fix
Problem summary
USERS AFFECTED: All CICS users.

PROBLEM DESCRIPTION: WS Security authentication with trust="blind" and mode="basic" does not validate the password if one is provided.

RECOMMENDATION:

A web service requester using WS-Security submits a request to CICS acting as a service provider. The provider pipeline configuration file has an authentication element with trust=blind and mode=basic. This means that the password is optional. However if the password is provided it should be validated and this is not occurring.
Problem conclusion
DFHPITC has been changed to validate the password, if present, when trust="blind" and mode="basic" has been requested on the authentication. The password validation has also been altered to copy the correct lengths of the ASCII versions of the userid and password fields.
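
To find provider pipelines that use either authentication setting described in this APAR, so they can be reviewed until PTF UK36767 is applied, the following added example (not IBM code) parses a pipeline configuration file's XML and reports each <wsse_handler> whose <authentication> element has mode="basic" with trust="blind" or trust="none". The <provider_pipeline> wrapper, the namespace and the sample documents are constructed for illustration; only the <wsse_handler> structure comes from the APAR text.

```python
import xml.etree.ElementTree as ET

# (trust, mode) pairs named in the APAR text, with the symptom it describes.
APAR_CASES = {
    ("blind", "basic"): "supplied password is not validated",
    ("none", "basic"): "provider pipeline may return a SOAP Fault",
}

def local(tag):
    """Drop any '{namespace}' prefix so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit_pipeline_config(xml_text):
    """Return (trust, mode, symptom) for each affected <authentication> element."""
    findings = []
    root = ET.fromstring(xml_text)
    for handler in root.iter():
        if local(handler.tag) != "wsse_handler":
            continue  # only authentication inside a WS-Security handler counts
        for el in handler.iter():
            if local(el.tag) != "authentication":
                continue
            key = (el.get("trust", "").lower(), el.get("mode", "").lower())
            if key in APAR_CASES:
                findings.append((*key, APAR_CASES[key]))
    return findings

def _sample(auth):
    """Constructed test document; wrapper element and namespace are assumptions."""
    return ('<provider_pipeline xmlns="urn:example:constructed"><wsse_handler>'
            '<dfhwsse_configuration version="1">' + auth +
            '</dfhwsse_configuration></wsse_handler></provider_pipeline>')

SAMPLE_BLIND = _sample('<authentication trust="blind" mode="basic"/>')
SAMPLE_NONE = _sample('<authentication trust="none" mode="basic"></authentication>')
SAMPLE_CLEAN = '<provider_pipeline xmlns="urn:example:constructed"/>'  # no handler

if __name__ == "__main__":
    for name, doc in [("blind", SAMPLE_BLIND), ("none", SAMPLE_NONE),
                      ("clean", SAMPLE_CLEAN)]:
        print(name, audit_pipeline_config(doc))
```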
Temporary fix
FIX AVAILABLE BY PTF ONLY
Comments
APAR Information
APAR number
PK56206
Reported component name
CICSTS V3 Z/OS
Reported component ID
5655M1500
Reported release
500
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2007-11-08
Closed date
2008-05-29
Last modified date
2008-10-30
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UK36767
Modules/Macros
DESPITC DFHPITC DFHPITCA DFHPITCM DFHPITCT
Fix information
Fixed component name
CICSTS V3 Z/OS
Fixed component ID
5655M1500
Applicable component levels
R500 PSY UK36767
UP08/06/03 P F806
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
30 October 2008