IBM Support

PM95656: DFHAM4889 E CICSCICS INSTALL OF URIMAP XXXXXX FAILED BECAUSE CERTIFICATE <CERTIFICATE NAME> IS INVALID.

A fix is available

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • A valid certificate has been imported into RACF and added to a
    keyring. When a URIMAP is installed using that certificate CICS
    rejects it with message DFHAM4889.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS Users.                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: Message "DFHAM4889 E Install of URIMAP  *
    *                      xxxxxx failed because CERTIFICATE       *
    *                      yyyyyy is invalid." incorrectly issued  *
    *                      by CICS.                                *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    A URIMAP resource definition has been defined specifying a
    CERTIFICATE.
    DFHWBUR processes the URIMAP and calls DFHXSCT for
    INQUIRE_CERTIFICATE. This validates the certificate with RACF
    and then searches through it to find the DER encoded
    distinguished name. Having found the name it then searches
    within this for the RDN (Relative Distinguished Name)
    subfields. The subfields are described by a universal tag
    which defines the type of subfield, followed by a length and
    then the value.
    DFHXSCT steps through the RDNs picking out the values that
    it requires. It is expecting the subfields name to be in the
    order of SET, SEQUENCE, OID, string value.
    However this certificate has two SEQUENCE subfields within
    a SET. This is valid, but DFHXSCT does not expect it and
    incorrectly rejects the certificate with an EXCEPTION
    response and a reason code of CERTIFICATE_INVALID.
    This results in msgDFHAM4889E being issued even though the
    certificate is valid.
    

Problem conclusion

  • DFHXSCT has been altered to loop through the SEQUENCE fields
    within a SET tag.
    

Temporary fix

  • FIX AVAILABLE BY PTF ONLY
    

Comments

APAR Information

  • APAR number

    PM95656

  • Reported component name

    CICS TS Z/OS V4

  • Reported component ID

    5655S9700

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-08-22

  • Closed date

    2013-12-13

  • Last modified date

    2014-01-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    PI07102 UI13695

Modules/Macros

  •    DFHXSCT
    

Fix information

  • Fixed component name

    CICS TS Z/OS V4

  • Fixed component ID

    5655S9700

Applicable component levels

  • R700 PSY UI13695

       UP13/12/28 P F312

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"4.2","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"4.2","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
02 January 2014