IBM Support

PK65352: WEBSERVICES SECURITY SOAPFAULT THROWN USING SIGN_BODY CONFIGURATION

A fix is available

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Webservice security is being used and the private key is
    defined via PCICC using RSA instead of ICSF as normally seen.
    .
    The failing call is:
    XSECKeyInfoResolverZos::resolvePrivateKey resulting in a call to
    the security manager via IRRSDL00. Trace shows
    SAF 00000008,0000000  ESM 00000008,00000030. Eyecatcher shows:
    XSECKeyInfoResolverZos::resolvePrivateKey - An output area is
    not long enough. One or more of the following input length
    fields were too small: Certificate_length, Private_key_length,
    or Subjects_DN_length. The length field(s) returned, contain the
    ammount of storage needed for the service to successfully return
    .
    SAF trace to GTF shows the first call to R_datalib is for
    DataGetFirst. Upon return from this call the RCs are 8,8,30x and
    RACF has changed the Certificate_length from x'400' to x'530'.
    .
    There appears to be a need for a follow-up call for function
    DataAbortQuery but this is not being done.
    
    Additional Symptom(s) Search Keyword(s):
        XSECKey InfoResolver Zos  resolve PrivateKey
    
    KIXREVSCB
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS Users                               *
    ****************************************************************
    * PROBLEM DESCRIPTION: Certificate length error when using     *
    *                      Web Services Security.                  *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    A SOAP FAULT is issued when using Web Services Security with the
    following XSECException information appearing in the trace:
    
    "XSECKeyInfoResolverZos::resolvePrivateKey - An output area is
    not long enough. One or more of the following input length
    fields were too small: Certificate_length, Private_key_length,
    or Subjects_DN_length. The length field(s) returned contain the
    amount of storage needed for the service to successfully return
    data."
    
    This problem has occurred because the X509 certificate (in DER
    form) is larger than the buffer CICS provided to process it.
    

Problem conclusion

  • Web Services Security support has been altered to increase its
    buffer sizes to handle larger certificates.
    
    The CICS Transaction Server for z/OS Version 3 Release 1, Web
    Services Guide (SC34-6458-06) will be updated as follows:
    
    In Chapter 14 "Support for Web Services Security", under the
    "Prerequisites" section, change all references to version 1.7
    of the XML toolkit to version 1.9.
    .
    Also remove both the reference to hlq.SCLBDLL in point 4 of the
    Prerequisites section, and the subsequent description of its
    use: "IOSTREAM is provided by the C++ runtime and is
    found in hlq.SCLBDLL;"
    

Temporary fix

  • FIX AVAILABLE BY PTF ONLY
    

Comments

  • ž**** PE09/08/03 PTF IN ERROR. SEE APAR PK86494  FOR DESCRIPTION
    ž**** PE09/12/03 FIX IN ERROR. SEE APAR PK97657  FOR DESCRIPTION
    

APAR Information

  • APAR number

    PK65352

  • Reported component name

    CICSTS V3 Z/OS

  • Reported component ID

    5655M1500

  • Reported release

    400

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2008-04-30

  • Closed date

    2008-10-24

  • Last modified date

    2009-12-15

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UK41028 UK41029

Modules/Macros

  •    DFHWSSE1 DFHWS002 DFHWS003 DFHWS004 DFHWS005
    DFHWS006 DFHWS007 DFHWS008 DFHWS009 DFHWS010 DFHWS011 DFHWS012
    DFHWS013 DFHWS014 DFHWS015 DFHWS016 DFHWS017 DFHWS018 DFHWS019
    DFHWS020 DFHWS021 DFHWS022 DFHWS023 DFHWS024 DFHWS025 DFHWS026
    DFHWS027 DFHWS028 DFHWS029 DFHWS030 DFHWS031 DFHWS032 DFHWS033
    DFHWS034 DFHWS035 DFHWS036 DFHWS037 DFHWS038 DFHWS039 DFHWS040
    DFHWS041 DFHWS042 DFHWS043 DFHWS044 DFHWS045 DFHWS046 DFHWS047
    DFHWS048 DFHWS049 DFHWS050 DFHWS051 DFHWS052 DFHWS053 DFHWS054
    DFHWS055 DFHWS056 DFHWS057 DFHWS058 DFHWS059 DFHWS060 DFHWS061
    DFHWS062 DFHWS063 DFHWS064 DFHWS065 DFHWS066 DFHWS067 DFHWS068
    DFHWS069 DFHWS070 DFHWS071 DFHWS072 DFHWS073 DFHWS074 DFHWS075
    DFHWS076 DFHWS077 DFHWS078 DFHWS079 DFHWS080 DFHWS081 DFHWS082
    DFHWS083 DFHWS084 DFHWS085 DFHWS086 DFHWS087 DFHWS088 DFHWS089
    DFHWS090 DFHWS091 DFHWS092 DFHWS093 DFHWS094 DFHWS122 DFHWS123
    DFHXUCAN DFHXUSUB
    

Publications Referenced
SC34645806    

Fix information

  • Fixed component name

    CICSTS V3 Z/OS

  • Fixed component ID

    5655M1500

Applicable component levels

  • R40W PSY UK41028

       UP08/12/02 P F812

  • R50W PSY UK41029

       UP08/12/02 P F812

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"3.1","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"3.1","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
15 December 2009