A fix is available
APAR status
Closed as program error.
Error description
When a WUI Server initializes, CPSM automatically creates and installs a TCPIPSERVICE definition based on parameters specified in the EYUWUI DD input. There are parameters that allow the user to specify the host, whether SSL is to be used, and the port:

TCPIPHOSTNAME
TCPIPSSL
TCPIPPORT

However, if SSL is enabled, the TCPIPSERVICE definition is created with a cipher suite based on the value of the ENCRYPTION SIT parameter (STRONG, MEDIUM, or WEAK).

If a specific set of ciphers is needed, in a specific order, there is currently no method for the user to specify those values.

Additional Symptom(s) Search Keyword(s): KIXREVRBD
Local fix
Problem summary
USERS AFFECTED: All CICSPlex SM V3R2M0 Users.

PROBLEM DESCRIPTION:
- The CICSPlex SM Web User Interface (WUI) server cannot be configured to specify the minimum set of SSL cipher suites supported for SSL based communications.
- Message:

    EYUVS0105E <applid> INVALID RECORD IN PARAMETER DATASET.

  will be produced by the WUI when a parameter value is specified that is greater than 32 and less than 45 bytes in length.

RECOMMENDATION: After applying the PTF that resolves this APAR, all Web User Interface servers must be recycled to pick up the new code. Note that the restarts do not need to be done at the same time.

- The CICSPlex SM WUI automatically generates the CICS TCPIPSERVICE definition that is used for the server based on various TCPIP related WUI server initialization parameters. As the TCPIPSERVICE CIPHERS attribute does not have an equivalent WUI server initialization parameter, the TCPIPSERVICE CIPHERS attribute will always default to a value based on the ENCRYPTION SIT parameter used by the WUI server. This means that customers cannot remove / reorder the cipher suites that are used as part of the SSL negotiation between the WUI server and the web browser.
- When the CICSPlex SM WUI parameter service was changed to allow 44 byte parameter values (principally for TCPIPHOSTNAME and AUTOIMPORTDSN), some of the length validation was not updated, which causes a parameter validation failure that causes message EYUVS0105E to be issued.
Problem conclusion
- EYU0VSPI (VSPI - WUI Parameter Service) has been changed to define a new WUI server initialization parameter called TCPIPSSLCIPHERS. This optional parameter accepts up to 44 hexadecimal digits that will be interpreted by CICS as a list of up to 22 2-digit cipher suite codes. Note that although CICS supports up to 28 2-digit cipher suite codes in equivalent CIPHERS attributes, the TCPIPSSLCIPHERS parameter is limited to 22 2-digit codes, due to a parameter value length restriction in the WUI.
  EYU0VWXI (VWXI - WUI CWI control) has been changed to retrieve the value of the TCPIPSSLCIPHERS parameter if the TCPIPSSL parameter is set to YES. If TCPIPSSLCIPHERS is specified, any value will be passed into the CIPHERS attribute of the TCPIPSERVICE that is subsequently created.
- Length validation logic in VSPI and VWXI has been updated to allow for 44 byte parameter values.
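A pre-deployment check for the TCPIPSSLCIPHERS rules described above, as an added example (not IBM's code and not part of the APAR): it parses EYUWUI input, splits the value into its ordered 2-digit codes, and lists parameters whose length would produce EYUVS0105E on a server without the PTF. The KEYWORD(value) line form, the '*' comment lines, the sample host name and values, and the WEAK_CODES policy set are assumptions.

```python
import re

MAX_DIGITS = 44  # TCPIPSSLCIPHERS takes up to 44 hex digits = 22 two-digit codes
# Assumption: example site policy of codes to reject (NULL, export-grade, single
# DES), taken to be the low byte of the matching IANA TLS cipher suite numbers.
WEAK_CODES = {"01", "02", "03", "06", "09"}
PARAM_RE = re.compile(r"^\s*([A-Za-z0-9]+)\((.*)\)\s*$")  # assumed KEYWORD(value)

# Constructed sample EYUWUI input; host name and cipher list are made up.
SAMPLE = """\
* WUI server initialization parameters
TCPIPHOSTNAME(wui-server-01.plex.mainframe.example.com)
TCPIPPORT(4445)
TCPIPSSL(YES)
TCPIPSSLCIPHERS(352F0A0509)
"""


def parse_eyuwui(text):
    """Return {KEYWORD: value}; lines starting with '*' are treated as comments."""
    params = {}
    for line in text.splitlines():
        m = None if line.lstrip().startswith("*") else PARAM_RE.match(line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip()
    return params


def pre_ptf_length_hits(params):
    """Keywords whose value is 33..44 bytes: EYUVS0105E before the PTF is applied."""
    return sorted(k for k, v in params.items() if 32 < len(v) < 45)


def check_ciphers(params):
    """Return (cipher codes in preference order, findings) for TCPIPSSLCIPHERS."""
    value = params.get("TCPIPSSLCIPHERS", "").upper()
    if params.get("TCPIPSSL", "").upper() != "YES":
        return [], (["TCPIPSSLCIPHERS is only retrieved when TCPIPSSL is YES"] if value else [])
    if not value:
        return [], ["CIPHERS will default from the ENCRYPTION SIT parameter"]
    if not re.fullmatch(r"(?:[0-9A-F]{2})+", value):
        return [], ["value must be pairs of hexadecimal digits"]
    if len(value) > MAX_DIGITS:
        return [], [f"{len(value)} digits exceeds the {MAX_DIGITS}-digit limit"]
    codes = [value[i:i + 2] for i in range(0, len(value), 2)]
    findings = [f"weak code {c} at position {i + 1}"
                for i, c in enumerate(codes) if c in WEAK_CODES]
    findings += [f"duplicate code {c}" for c in sorted(set(codes)) if codes.count(c) > 1]
    return codes, findings
```

Because the value is passed into the CIPHERS attribute as given, running a check like this before the WUI server is recycled catches a malformed or weak list before it reaches the TCPIPSERVICE.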
Temporary fix
FIX AVAILABLE BY PTF ONLY
Comments
APAR Information
APAR number
PK87334
Reported component name
CICSTS V3 Z/OS
Reported component ID
5655M1500
Reported release
50M
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2009-05-26
Closed date
2009-06-12
Last modified date
2009-07-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
PK87387 UK47388
Modules/Macros
DYU0VSPM DYU0VWXL EYU0DVWI EYU0VSPI EYU0VSPL EYU0VWXI EYU7VSP7
SC34683500 | GC34681201 |
Fix information
Fixed component name
CICSTS V3 Z/OS
Fixed component ID
5655M1500
Applicable component levels
R50M PSY UK47388
UP09/06/17 P F906
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
01 July 2009