IBM Support

PI47342: EZD1008I 0368 SYSTEM SSL CMS CALL "COPY_DECODED_CERT_EXTENSION" FAILURE: 00000001 HANDLE IS NOT VALID AFTER P1M5 IS RECEIVED

A fix is available


APAR status

  • Closed as program error.

Error description

  • Phase 1 Security association fails to be created with messages:
    
    EZD1008I 0368 System SSL CMS call "copy_decoded_cert_extension" failure : 00000001 Handle is not valid
    EZD0963I Internal Error 0799 - unable to obtain memory of size 752
    EZD0984I IKE function 0A27 - doi->GetCertByID() failed : 0 | 0 |
    EZD0984I IKE function 0A38 - getMyKeyPairByAlg() failed : 0 | 0
    EZD0984I IKE function 1A49 - getMyKeyPair() failed : 0 | 0 |
    EZD0984I IKE function 0A7C - kep->process_msg() failed : -2 | 0
    EZD0984I IKE function 0AC6 - process_phase1_msg() failed : 0 | 0
    EZD0984I IKE function 0824 - isakmp_anchor::msg_handler(IKEBuffer *, sa_addr &, sa_addr &, stackObj *) failed : 409 | -1 | process_msg
    
    The cause of the failure is related to the LOCAL IKE certificate
    that is being read from the IKE keyRing certificate cache. The
    certificate was defined with subjectAltName values of type
    otherName (an OID) instead of IP address, FQDN, etc.
    
    Additional Symptom(s) Search Keyword(s): subject altnames OID
    
    SYSTCPIK component trace collected during the failure shows the
    following trace record:
    Unknown subjectAltName type 7 found; no copy done
    

Local fix

  • Create the IKE certificate with subjectAltName values of type
    IP address, FQDN, etc., instead of otherName OID values.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of the IBM Communications          *
    *                 Server for z/OS Version 1 Release 13         *
    *                 IKED server's local certificate              *
    *                 services.                                    *
    ****************************************************************
    * PROBLEM DESCRIPTION: A phase 1 SA negotiation failed.        *
    *                      IKED wrote the following message        *
    *                      to syslog: EZD1008I                     *
    *                      0368 System SSL CMS call                *
    *                      "copy_decoded_cert_extension"           *
    *                      failure : 00000001 Handle is not        *
    *                      valid.                                  *
    ****************************************************************
    * RECOMMENDATION: Apply PTF.                                   *
    ****************************************************************
    The phase 1 negotiation failed because the certificate used
    to authenticate the local security endpoint contained a
    subjectAltName type that IKED did not recognize.
    +-------------------------------------------------------------+
    + Please check our Communications Server for OS/390 homepages +
    + for common networking tips and fixes.  The URL for these    +
    + homepages can be found in Informational APAR II11334.       +
    +-------------------------------------------------------------+
    

Problem conclusion

  • IKED's local certificate processing is updated to ignore
    unrecognized subjectAltName types.
    
    * Cross Reference between External and Internal Names
    EZAIKAUT (ASN@UTIL)  EZAIKFIN (FW@INITT)  EZAIKPKI (PKI390  )
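
As an added illustration of the condition this APAR describes (example code, not IBM's, and not how IKED or System SSL implement certificate processing): a minimal DER parser for the subjectAltName extension value, run over a constructed SAN holding a dNSName, an otherName and an iPAddress, with a strict mode that fails on the unrecognized otherName and a lenient mode that skips it, as the updated IKED processing does. The function names, the sample OID 1.2.3.4 and the sample bytes are constructed for this example.

```python
import ipaddress

DNS_NAME, IP_ADDRESS = 2, 7  # RFC 5280 GeneralName CHOICE tags; otherName is [0] and is not handled
# Note: the "type 7" in the SYSTCPIK trace record above is System SSL's own code, not this scale.

class UnknownSanType(Exception):
    """Raised in strict mode when a GeneralName choice is not handled."""

def _read_tlv(buf, pos):
    """Read one DER TLV at pos; return (identifier byte, value, next pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_san(der, strict):
    """Decode a SubjectAltName (SEQUENCE OF GeneralName) into (kind, value) pairs.
    strict=True fails on an unrecognized choice (the behaviour this APAR fixes);
    strict=False skips it, as the updated IKED certificate processing does."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName value must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        choice = tag & 0x1F          # drop class and constructed bits
        if choice == DNS_NAME:
            names.append(("dNSName", val.decode("ascii")))
        elif choice == IP_ADDRESS:
            names.append(("iPAddress", str(ipaddress.ip_address(val))))
        elif strict:
            raise UnknownSanType(f"unrecognized subjectAltName choice [{choice}]")
        # lenient mode: unrecognized choice ignored, keep walking the SEQUENCE
    return names

def build_sample_san():
    """Constructed sample: dNSName, otherName (OID 1.2.3.4 + UTF8String), iPAddress."""
    dns_name = b"\x82\x0b" + b"ike.example"                          # [2] IA5String
    other_name = b"\xa0\x0a\x06\x03\x2a\x03\x04\xa0\x03\x0c\x01\x78"  # [0] otherName
    ip_addr = b"\x87\x04" + bytes([10, 0, 0, 1])                       # [7] OCTET STRING
    body = dns_name + other_name + ip_addr
    return b"\x30" + bytes([len(body)]) + body

def strict_mode_fails(der):
    """True if strict parsing rejects the SAN, as IKED did before this fix."""
    try:
        parse_san(der, strict=True)
    except UnknownSanType:
        return True
    return False
```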
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI47342

  • Reported component name

    TCP/IP V3 MVS

  • Reported component ID

    5655HAL00

  • Reported release

    1D0

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2015-08-21

  • Closed date

    2015-09-17

  • Last modified date

    2015-12-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI31276 PI51556 PI51557

Modules/Macros

  • EZAIKAUT EZAIKFIN EZAIKPKI
    

Fix information

  • Fixed component name

    TCP/IP V3 MVS

  • Fixed component ID

    5655HAL00

Applicable component levels

  • R1D0 PSY UI31276

       UP15/11/21 P F511

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
02 December 2015