IBM Support

PM15480: VARIOUS ABENDS IN IKED

A fix is available


APAR status

  • Closed as unreproducible in next release.

Error description

  • The IKE address space abends after receiving a replay message
    once a previous PKCS#7 certificate has been received and
    processed by z/OS IKED. During Phase 1 SA creation, a series of
    ISAKMP messages is exchanged between two IKE peers. During this
    message flow, the remote peer sent a PKCS#7 encoded certificate
    to the z/OS IKE address space, and it was processed
    successfully. The Phase 1 SA was created, but some time later
    the remote IKE peer sent a replay message (an ISAKMP payload
    that had previously been received and processed). IKE on z/OS
    drops the replay message but incorrectly frees storage that was
    used by another Phase 1 SA, causing the unpredictable abends.
    

Local fix

  • none
    
    Additional symptoms:
    
    various random abend0c1, abend0c4, abendU3000 or abendu2000
    abends.
    
    One or more of the following abends may be experienced:
    0C6 isakmp_phaseII_sa::process_msg(isakmp_buf*)
    0C4 inet_OAKLEY_quickmode::~inet_OAKLEY_quickmode()
    0C4 isakmp_phaseII_sa::~isakmp_phaseII_sa()
    0C4 sa_addr::get_addr_port_stringset
    0C4 isakmp_sa::phase1_process_SA_reply(isakmp_buf*,isakmp_buf**)
    0C1 isakmp_sa::find_phaseIIsa_by_msgid
    0C4 inet_OAKLEY_base::computeSKEYIDdae()
    0C4 SHA_Update
    0C4 isakmp_base_sa::sa_retrans_msg(isakmp_base_sa::retrans_queue
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of the IBM Communications Server   *
    *                 for z/OS Version 1 Release(s) 9, 10, 11,     *
    *                 and 12 IP: IPSECURITY.                       *
    ****************************************************************
    * PROBLEM DESCRIPTION: A retransmission of a PKCS#7 encoded    *
    *                      certificate caused storage to be        *
    *                      freed while it was still in use,        *
    *                      leading to various abends.              *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The problem may be summarized as follows:
    1. A PKCS#7 encoded certificate is transmitted to IKED.
    2. Storage is obtained for the certificate.
    3. The certificate is re-transmitted to IKED. (replay)
    4. The storage is freed, but a pointer to it is not cleared.
    5. The storage is re-used as another type of control block.
    6. The certificate is re-transmitted to IKED once again.
    7. The storage is freed again because the pointer still
       points to it.
    8. The storage is re-used as another type of control block.
    9. When the second user of the storage tries to reference
       the storage, which has been reused, various abends
       occur (the type of abend depends upon the type of
       control blocks involved).  A loop may also occur.
    +-------------------------------------------------------------+
    + Please check our Communications Server for OS/390 homepages +
    + for common networking tips and fixes.  The URL for these    +
    + homepages can be found in Informational APAR II11334.       +
    +-------------------------------------------------------------+
    

Problem conclusion

Temporary fix

  • *********
    * HIPER *
    *********
    

Comments

  • EZAIKOKK (restorePayloadPtrs) has been updated to ensure
    the certificate storage is not pointed to once it is freed.
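
The sequence in the problem summary and the correction noted under Comments, modelled in C as an added example (not IBM's code). A four-slot pool stands in for IKED storage so the double free can be observed safely; `phase1_sa`, `cert_slot`, `on_cert_replay` and the owner tags are hypothetical names.

```c
#include <stdio.h>

/* Constructed model, not IKED code: a 4-slot pool stands in for heap storage
 * so the double free is observable without real undefined behaviour. */
enum { FREE = 0, CERT = 1, OTHER_SA = 2, THIRD_CB = 3, NSLOTS = 4, NONE = -1 };
static int pool[NSLOTS];                 /* owner tag per slot, FREE if unused */

static int pool_get(int owner) {         /* first-fit: freed slots are reused */
    for (int i = 0; i < NSLOTS; i++)
        if (pool[i] == FREE) { pool[i] = owner; return i; }
    return NONE;
}
static void pool_free(int slot) { if (slot != NONE) pool[slot] = FREE; }

struct phase1_sa { int cert_slot; };     /* hypothetical: slot holding the cert */

/* Replay of an already-processed certificate payload: drop it and release
 * the certificate storage. clear_ptr selects the corrected behaviour. */
static void on_cert_replay(struct phase1_sa *sa, int clear_ptr) {
    pool_free(sa->cert_slot);            /* step 4 / step 7 */
    if (clear_ptr) sa->cert_slot = NONE; /* fix: no stale reference survives */
}

/* Walks steps 1-9; returns 1 if the second user's storage was freed and
 * handed to someone else while that user still held it, 0 if it is intact. */
int second_user_corrupted(int clear_ptr) {
    for (int i = 0; i < NSLOTS; i++) pool[i] = FREE;
    struct phase1_sa sa = { pool_get(CERT) };   /* steps 1-2 */
    on_cert_replay(&sa, clear_ptr);             /* steps 3-4 */
    int other = pool_get(OTHER_SA);             /* step 5: same slot reused */
    on_cert_replay(&sa, clear_ptr);             /* steps 6-7 */
    pool_get(THIRD_CB);                         /* step 8: reused once more */
    return pool[other] != OTHER_SA;             /* step 9 */
}

int main(void) {
    printf("pointer left dangling: corrupted=%d\n", second_user_corrupted(0));
    printf("pointer cleared:       corrupted=%d\n", second_user_corrupted(1));
    return 0;
}
```

With the pointer left in place, the second replay frees the slot now owned by the other control block and a third allocation overwrites it; with the pointer cleared, the second replay has nothing to free and the third allocation lands in a different slot.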
    

APAR Information

  • APAR number

    PM15480

  • Reported component name

    TCP/IP V3 MVS

  • Reported component ID

    5655HAL00

  • Reported release

    190

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    YesHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2010-05-27

  • Closed date

    2010-06-08

  • Last modified date

    2010-08-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UK57785 UK57786 UK57787 UK57788

Modules/Macros

  • EZAIKOKI EZAIKOKK
    

Fix information

  • Fixed component name

    TCP/IP V3 MVS

  • Fixed component ID

    5655HAL00

Applicable component levels

  • R1A0 PSY UK57785

       UP10/07/14 P F007

  • R1B0 PSY UK57786

       UP10/07/14 P F007

  • R1C0 PSY UK57787

       UP10/07/14 P F007

  • R199 PSY UK57788

       UP10/07/14 P F007

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
02 August 2010