A fix is available
APAR status
Closed as program error.
Error description
Replaced an existing expired certificate with a new certificate that had a LABEL name that was different than the original. As a result. the region crashed with an ABENDS878. This occurred because the pipeline definitions were not updated to point to the new LABEL name on the new certificate. You can see the following pattern of storage in subpool 229/key 0 storage that points to the same exact certificate data over and over. . DQE: Addr 00982000 Size 2000 FQE: Addr 00982000 Size 730 DQE: Addr 00984000 Size 2000 FQE: Addr 00984000 Size 730 DQE: Addr 00986000 Size 2000 FQE: Addr 00986000 Size 730 DQE: Addr 00988000 Size 2000 FQE: Addr 00988000 Size 730 . The problem is that WS-Security code uses IRRSDL00 to extract the certificate and private key. If the certificate data is not valid an exception is thrown and the routine is left without cleaning up the resources used by the IRRSDL00 call.
Local fix
Updating the appropriate pipeline definitions to point to the correct label name and reinstalling the definitions stops the call from failing and the region from crashing with the ABENDS878. . Additional Symptom(s) Search Keyword(s): KIXREVDAM ABEND878 SOS short on storage sp
Problem summary
**************************************************************** * USERS AFFECTED: All CICS users. * **************************************************************** * PROBLEM DESCRIPTION: Using WS-Security to extract invalid * * certificate and private key data * * results in an ABENDS878 in subpool * * 229 Key 0 storage. * **************************************************************** * RECOMMENDATION: * **************************************************************** An existing expired certificate is replaced with a new certificate that has a LABEL name that is different to the original. However the corresponding pipeline definitions are not updated to point to the new LABEL name on the new certificate. The WS-Security code calls the IRRSDL00 service of the external security manager ESM to extract the certificate and private key. WS-Security finds that the certificate is not valid and throws an exception. . XSECException::InvalidSecurityToken "XSECKeyInfoResolverZos::resolvePrivateKey - Certificate is not valid" . However the storage used by the IRRSDL00 call is not freed by the exception routine, and repeated failing calls exhaust the key0 storage in subpool 229 resulting in the reported cics region crash and ABENDS878 because the ESM is unable to obtain the required storage. . Additional keywords: S878 878
Problem conclusion
CICS WS-Security has been changed for the reported problem so that the exception routine makes an additional IRRSDL00 call to the ESM to free the temporary storage used by the initial IRRSDL00 call.
Temporary fix
FIX AVAILABLE BY PTF ONLY
Comments
APAR Information
APAR number
PM88778
Reported component name
CICS TS Z/OS V5
Reported component ID
5655Y0400
Reported release
800
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2013-05-10
Closed date
2013-05-20
Last modified date
2015-03-04
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UK94548
Modules/Macros
DFHWS002 DFHWS003 DFHWS004 DFHWS005 DFHWS006 DFHWS007 DFHWS008 DFHWS009 DFHWS010 DFHWS011 DFHWS012 DFHWS013 DFHWS014 DFHWS015 DFHWS016 DFHWS017 DFHWS018 DFHWS019 DFHWS020 DFHWS021 DFHWS022 DFHWS023 DFHWS024 DFHWS025 DFHWS026 DFHWS027 DFHWS028 DFHWS029 DFHWS030 DFHWS031 DFHWS032 DFHWS033 DFHWS034 DFHWS035 DFHWS036 DFHWS037 DFHWS038 DFHWS039 DFHWS040 DFHWS041 DFHWS042 DFHWS043 DFHWS044 DFHWS045 DFHWS046 DFHWS047 DFHWS048 DFHWS049 DFHWS050 DFHWS051 DFHWS052 DFHWS053 DFHWS054 DFHWS055 DFHWS056 DFHWS057 DFHWS058 DFHWS059 DFHWS060 DFHWS061 DFHWS062 DFHWS064 DFHWS065 DFHWS066 DFHWS068 DFHWS069 DFHWS070 DFHWS071 DFHWS072 DFHWS073 DFHWS074 DFHWS075 DFHWS076 DFHWS077 DFHWS078 DFHWS079 DFHWS081 DFHWS082 DFHWS083 DFHWS084 DFHWS085 DFHWS086 DFHWS087 DFHWS088 DFHWS089 DFHWS090 DFHWS091 DFHWS092 DFHWS122 DFHWS123 DFHWSSE1
Fix information
Fixed component name
CICS TS Z/OS V5
Fixed component ID
5655Y0400
Applicable component levels
R80W PSY UK94548
UP13/06/01 P F305
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.1","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.1","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
04 March 2015