PM33787: CSIV2 "SSL REQUIRED" AND "CLIENT CERTIFICATE AUTHENTICATION REQUIRED" NOT EFFECTIVE FOR LOCAL CLIENT ON Z/OS

Fixes are available

APAR status

Closed as program error.

Error description

When a z/OS thin Client or Application Client invokes sends an
RMI request to a Server running on the same system (LPAR), then
the server side CSIv2 Inbound Authentication: "Client
Certificate Authentication Required" and
CSIv2 Inbound Transport: "SSL Required" setting cannot be
enforced.

Even if the SSL handshake over TCPIP fails the RMI request
will execute successfuly by going over LocalCOMM.

Local fix

Problem summary

****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server V6.1.0 and higher on Z/OS            *
****************************************************************
* PROBLEM DESCRIPTION: LocalComm used for RMI connections      *
*                      when SSL required.                      *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The problem is that we were not honoring CSIv2 settings where
Transport level SSL was atleast supported on client or server
side when required on the other. When this is the case,
localComm should not be used, and SSL should be used instead.

Problem conclusion

In order to use this APAR you must set the following
jvm property to true on the client side of your communication.

DISABLE_LOCAL_COMM_WHEN_SSL_REQUIRED=true


Then on server side set the following:

CSIv2 Inbound transport: SSL-supported (client needs to require)

or

CSIv2 Inbound transport: SSL-required (client needs to support
or require)

----------------------------------------------------------

And on client side (in sas.client.props)


com.ibm.CORBA.loginSource=none  (necessary no matter what)

com.ibm.CSI.performTransportAssocSSLTLSRequired=true  (server
needs to support or require)

or

com.ibm.CSI.performTransportAssocSSLTLSSupported=true (server
needs to require)


or in WebSphere server (if server is acting as client):

CSIv2 Outbound transport: SSL-supported (receiving server
needs to require)

or

CSIv2 Outbound transport: SSL-required (receiving server needs
to support or require)


localComm will not be used if client or server atleast supports
SSL and other side requires it. If this condition is not met
localComm will be used.

APAR PM33787 requires changes to documentation.

NOTE: Periodically, we refresh the documentation on our
Web site, so the changes might have been made before you
read this text. To access the latest on-line
documentation, go to the product library page at:

http://www.ibm.com/software/webservers/appserv/library

The following changes to the z/OS version of the WebSphere
Application Server Version 6.1 Information Center will be
made available in November, 2011.

The topic "Java virtual machine custom properties" will
be updated to include the following description of the new
DISABLE_LOCAL_COMM_WHEN_SSL_REQUIRED JVM custom property:

DISABLE_LOCAL_COMM_WHEN_SSL_REQUIRED

Specifies whether localComm or SSL should be used when
transport level SSL is supported on the client or server
side, and is required on the other side.

localComm should not be used when transport level SSL is
supported on the client or server side, and is required on
the other side. In this situation, you should set this custom
property to true to ensure that SSL is used instead of
localComm.

The default value for this property is false, which means
that localComm is used.

If you decide to use this custom property, you must specify
it as an application server JVM custom property.

When you specify this property for an application server:

- The CSIv2 Inbound transport setting must be set to
SSL-supported, or SSL-required. See the topic Configuring
inbound transports for more information about these settings.

- On the client side, the com.ibm.CORBA.loginSource property
in the sas.client.props file must be set to none.
- One of the following settings must be inplace on the client
side:
com.ibm.CSI.performTransportAssocSSLTLSRequired=true
com.ibm.CSI.performTransportAssocSSLTLSSupported=true

Or, if a WebSphere server is acting as the client, the CSIv2
Inbound transport setting must be set to SSL-supported, or
SSL-required on this server.

APAR PM33787 is currently targeted for inclusion in Service
Level (Fix Pack) 6.1.0.41 of WebSphere Application Server V6.1.
and Fix Pack 8.0.0.2 of WebSphere Application Server V8.0.

Sysroute APAR PM43750 will be used to deliver this fix in
WebSphere Application Server V7.0.

Please refer to URL:
//www.ibm.com/support/docview.wss?rs=404&uid=swg27006970
for Fix Pack availability.

Temporary fix

Comments

APAR Information

APAR number
PM33787
Reported component name
WEBSPHERE FOR Z
Reported component ID
5655I3500
Reported release
610
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2011-02-28
Closed date
2011-07-14
Last modified date
2011-12-02

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

PM43750

Fix information

Fixed component name
WEBSPHERE FOR Z
Fixed component ID
5655I3500

Applicable component levels

R610 PSY UK73054
UP11/11/03 P F111

Fix is available

Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.1","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
27 October 2021

Tips

PM33787: CSIV2 "SSL REQUIRED" AND "CLIENT CERTIFICATE AUTHENTICATION REQUIRED" NOT EFFECTIVE FOR LOCAL CLIENT ON Z/OS

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R610 PSY UK73054

Fix is available

Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Share your feedback

Need support?