IBM Support

PM33787: CSIV2 "SSL REQUIRED" AND "CLIENT CERTIFICATE AUTHENTICATION REQUIRED" NOT EFFECTIVE FOR LOCAL CLIENT ON Z/OS

Fixes are available

7.0.0.19: WebSphere Application Server V7.0 Fix Pack 19
8.0.0.1: WebSphere Application Server V8.0 Fix Pack 1
7.0.0.21: WebSphere Application Server V7.0 Fix Pack 21
8.0.0.2: WebSphere Application Server V8.0 Fix Pack 2
8.0.0.3: WebSphere Application Server V8.0 Fix Pack 3
7.0.0.23: WebSphere Application Server V7.0 Fix Pack 23
8.0.0.4: WebSphere Application Server V8.0 Fix Pack 4
7.0.0.25: WebSphere Application Server V7.0 Fix Pack 25
8.0.0.5: WebSphere Application Server V8.0 Fix Pack 5
7.0.0.27: WebSphere Application Server V7.0 Fix Pack 27
8.0.0.6: WebSphere Application Server V8.0 Fix Pack 6
7.0.0.29: WebSphere Application Server V7.0 Fix Pack 29
8.0.0.7: WebSphere Application Server V8.0 Fix Pack 7
6.1.0.47: WebSphere Application Server V6.1 Fix Pack 47
8.0.0.8: WebSphere Application Server V8.0 Fix Pack 8
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31
7.0.0.27: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.33: WebSphere Application Server V7.0 Fix Pack 33
8.0.0.9: WebSphere Application Server V8.0 Fix Pack 9
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
6.1.0.41: Java SDK 1.5 SR12 FP5 Cumulative Fix for WebSphere Application Server
6.1.0.43: Java SDK 1.5 SR13 Cumulative Fix for WebSphere Application Server
6.1.0.45: Java SDK 1.5 SR14 Cumulative Fix for WebSphere Application Server
6.1.0.47: Java SDK 1.5 SR16 Cumulative Fix for WebSphere Application Server
7.0.0.19: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.21: Java SDK 1.6 SR9 FP2 Cumulative Fix for WebSphere
7.0.0.23: Java SDK 1.6 SR10 FP1 Cumulative Fix for WebSphere
7.0.0.25: Java SDK 1.6 SR11 Cumulative Fix for WebSphere Application Server
7.0.0.27: Java SDK 1.6 SR12 Cumulative Fix for WebSphere Application Server
7.0.0.29: Java SDK 1.6 SR13 FP2 Cumulative Fix for WebSphere Application Server
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
Obtain the fix for this APAR.

APAR status

  • Closed as program error.

Error description

  • When a z/OS thin Client or Application Client sends an
    RMI request to a Server running on the same system (LPAR), then
    the server side CSIv2 Inbound Authentication: "Client
    Certificate Authentication Required" and
    CSIv2 Inbound Transport: "SSL Required" setting cannot be
    enforced.
    
    Even if the SSL handshake over TCPIP fails, the RMI request
    will execute successfully by going over LocalCOMM.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server V6.1.0 and higher on Z/OS            *
    ****************************************************************
    * PROBLEM DESCRIPTION: LocalComm used for RMI connections      *
    *                      when SSL required.                      *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The problem is that we were not honoring CSIv2 settings where
    Transport level SSL was at least supported on client or server
    side when required on the other. When this is the case,
    localComm should not be used, and SSL should be used instead.
    

Problem conclusion

  • In order to use this APAR you must set the following
    jvm property to true on the client side of your communication.
    
    DISABLE_LOCAL_COMM_WHEN_SSL_REQUIRED=true
    
    
    Then on server side set the following:
    
    CSIv2 Inbound transport: SSL-supported (client needs to require)
    
    or
    
    CSIv2 Inbound transport: SSL-required (client needs to support
    or require)
    
    ----------------------------------------------------------
    
    And on client side (in sas.client.props)
    
    
    com.ibm.CORBA.loginSource=none  (necessary no matter what)
    
    com.ibm.CSI.performTransportAssocSSLTLSRequired=true  (server
    needs to support or require)
    
    or
    
    com.ibm.CSI.performTransportAssocSSLTLSSupported=true (server
    needs to require)
    
    
    or in WebSphere server (if server is acting as client):
    
    CSIv2 Outbound transport: SSL-supported (receiving server
    needs to require)
    
    or
    
    CSIv2 Outbound transport: SSL-required (receiving server needs
    to support or require)
    
    
    localComm will not be used if client or server at least supports
    SSL and the other side requires it. If this condition is not met,
    localComm will be used.
    
    APAR PM33787 requires changes to documentation.
    
    NOTE: Periodically, we refresh the documentation on our
    Web site, so the changes might have been made before you
    read this text. To access the latest on-line
    documentation, go to the product library page at:
    
    http://www.ibm.com/software/webservers/appserv/library
    
    The following changes to the z/OS version of the WebSphere
    Application Server Version 6.1 Information Center will be
    made available in November, 2011.
    
    The topic "Java virtual machine custom properties" will
    be updated to include the following description of the new
    DISABLE_LOCAL_COMM_WHEN_SSL_REQUIRED JVM custom property:
    
    DISABLE_LOCAL_COMM_WHEN_SSL_REQUIRED
    
    Specifies whether localComm or SSL should be used when
    transport level SSL is supported on the client or server
    side, and is required on the other side.
    
    localComm should not be used when transport level SSL is
    supported on the client or server side, and is required on
    the other side. In this situation, you should set this custom
    property to true to ensure that SSL is used instead of
    localComm.
    
    The default value for this property is false, which means
    that localComm is used.
    
    If you decide to use this custom property, you must specify
    it as an application server JVM custom property.
    
    When you specify this property for an application server:
    
    - The CSIv2 Inbound transport setting must be set to
    SSL-supported, or SSL-required. See the topic Configuring
    inbound transports for more information about these settings.
    
    - On the client side, the com.ibm.CORBA.loginSource property
    in the sas.client.props file must be set to none.
    - One of the following settings must be in place on the client
    side:
    com.ibm.CSI.performTransportAssocSSLTLSRequired=true
    com.ibm.CSI.performTransportAssocSSLTLSSupported=true
    
    Or, if a WebSphere server is acting as the client, the CSIv2
    Inbound transport setting must be set to SSL-supported, or
    SSL-required on this server.
    
    APAR PM33787 is currently targeted for inclusion in Service
    Level (Fix Pack) 6.1.0.41 of WebSphere Application Server V6.1
    and Fix Pack 8.0.0.2 of WebSphere Application Server V8.0.
    
    Sysroute APAR PM43750 will be used to deliver this fix in
    WebSphere Application Server V7.0.
    
    Please refer to URL:
    //www.ibm.com/support/docview.wss?rs=404&uid=swg27006970
    for Fix Pack availability.
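
The conditions listed in the Problem conclusion above can be checked mechanically before relying on "SSL-required" for same-LPAR clients. The following is an added example, not IBM code: the function names are hypothetical, the sas.client.props text is constructed, and it assumes the JVM custom properties and the server's CSIv2 Inbound transport value are supplied by the operator as a dict and a string.

```python
# Added example (not IBM code): checks the PM33787 conditions for a local client/server pair.
REQ = "com.ibm.CSI.performTransportAssocSSLTLSRequired"
SUP = "com.ibm.CSI.performTransportAssocSSLTLSSupported"

def parse_props(text):
    """Parse Java .properties-style text into a dict (comments start with # or !)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def is_true(props, key):
    return props.get(key, "false").lower() == "true"

def client_level(props):
    if is_true(props, REQ):
        return "required"
    return "supported" if is_true(props, SUP) else "none"

def server_level(inbound_transport):
    # Values as written on the page; anything else is treated as no SSL.
    return {"SSL-required": "required", "SSL-supported": "supported"}.get(inbound_transport, "none")

def audit(sas_client_props, jvm_props, inbound_transport):
    """Return (ssl_used, findings); ssl_used is False when localComm would still carry the request."""
    props = parse_props(sas_client_props)
    findings = []
    if not is_true(jvm_props, "DISABLE_LOCAL_COMM_WHEN_SSL_REQUIRED"):
        findings.append("DISABLE_LOCAL_COMM_WHEN_SSL_REQUIRED is not true (default false)")
    if props.get("com.ibm.CORBA.loginSource") != "none":
        findings.append("com.ibm.CORBA.loginSource is not none")
    levels = {client_level(props), server_level(inbound_transport)}
    # One side must require SSL and the other must at least support it.
    if not ("required" in levels and "none" not in levels):
        findings.append("no side requires SSL with the other at least supporting it")
    return (not findings, findings)

# Constructed sample input, not taken from a real system.
SAMPLE = """# sas.client.props (constructed)
com.ibm.CORBA.loginSource=none
com.ibm.CSI.performTransportAssocSSLTLSSupported=true
"""

if __name__ == "__main__":
    for transport in ("SSL-required", "SSL-supported"):
        print(transport, audit(SAMPLE, {"DISABLE_LOCAL_COMM_WHEN_SSL_REQUIRED": "true"}, transport))
```

With the sample client, which only supports SSL, the pair passes against an SSL-required server and is flagged against an SSL-supported one, because neither side requires SSL and localComm would be used.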
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM33787

  • Reported component name

    WEBSPHERE FOR Z

  • Reported component ID

    5655I3500

  • Reported release

    610

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2011-02-28

  • Closed date

    2011-07-14

  • Last modified date

    2011-12-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    PM43750

Fix information

  • Fixed component name

    WEBSPHERE FOR Z

  • Fixed component ID

    5655I3500

Applicable component levels

  • R610 PSY UK73054

       UP11/11/03 P F111

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.



Document information

More support for: WebSphere Application Server for z/OS
General

Software version: 6.1

Reference #: PM33787

Modified date: 02 December 2011