A fix is available
APAR status
Closed as unreproducible in next release.
Error description
The IKE address space abends after receiving a replay message following a PKCS#7 certificate that was received and processed by z/OS IKED. During Phase 1 SA creation, a series of ISAKMP messages is exchanged between two IKE peers. During this message flow, the remote peer sent a PKCS#7 encoded certificate to the z/OS IKE address space, and it was processed successfully. The Phase 1 SA was created, but some time later the remote IKE peer sent a replay message (an ISAKMP payload that had previously been received and processed). IKE on z/OS drops the replay message but incorrectly frees storage that was used by another Phase 1 SA, which causes the unpredictable abends.
Local fix
none

Additional symptoms: various random abend0c1, abend0c4, abendU3000 or abendu2000 abends. One or more of the following abends may be experienced:
0C6 isakmp_phaseII_sa::process_msg(isakmp_buf*)
0C4 inet_OAKLEY_quickmode::~inet_OAKLEY_quickmode()
0C4 isakmp_phaseII_sa::~isakmp_phaseII_sa()
0C4 sa_addr::get_addr_port_stringset
0C4 isakmp_sa::phase1_process_SA_reply(isakmp_buf*,isakmp_buf**)
0C1 isakmp_sa::find_phaseIIsa_by_msgid
0C4 inet_OAKLEY_base::computeSKEYIDdae()
0C4 SHA_Update
0C4 isakmp_base_sa::sa_retrans_msg(isakmp_base_sa::retrans_queue
Problem summary
USERS AFFECTED: All users of the IBM Communications Server for z/OS Version 1 Release(s) 9, 10, 11, and 12 IP: IPSECURITY.
PROBLEM DESCRIPTION: A retransmission of a PKCS#7 encoded certificate caused storage to be freed while it was still in use, leading to various abends.
RECOMMENDATION:

The problem may be summarized as follows:
1. A PKCS#7 encoded certificate is transmitted to IKED.
2. Storage is obtained for the certificate.
3. The certificate is re-transmitted to IKED. (replay)
4. The storage is freed, but a pointer to it is not cleared.
5. The storage is re-used as another type of control block.
6. The certificate is re-transmitted to IKED once again.
7. The storage is freed again because the pointer still points to it.
8. The storage is re-used as another type of control block.
9. When the second user of the storage tries to reference the storage, which has been reused, various abends occur (the type of abend depends upon the type of control blocks involved).
A loop may also occur.

Please check our Communications Server for OS/390 homepages for common networking tips and fixes. The URL for these homepages can be found in Informational APAR II11334.
Problem conclusion
Temporary fix
HIPER
Comments
EZAIKOKK (restorePayloadPtrs) has been updated to ensure that the certificate storage is no longer pointed to once it is freed.
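The sequence in the Problem summary and the pointer-clearing fix described above, modeled as an added example in C. This is not IBM's code: the slot pool, struct phase1_sa and all function names are hypothetical, and a slot table stands in for real storage so the effect of the stale reference on the second owner is observable deterministically.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model: a 4-slot pool standing in for IKED storage. */
enum { SLOTS = 4 };
static char owner[SLOTS][16];            /* "" means the slot is free */

static int pool_get(const char *who) {   /* hands out the first free slot */
    for (int i = 0; i < SLOTS; i++)
        if (owner[i][0] == '\0') { strncpy(owner[i], who, 15); return i; }
    return -1;
}
static void pool_free(int slot) { if (slot >= 0) owner[slot][0] = '\0'; }

/* Hypothetical SA control block; cert_slot == -1 means no certificate held. */
struct phase1_sa { int cert_slot; };

/* Replay handling as the APAR describes it: storage freed, reference kept. */
static void drop_replay_buggy(struct phase1_sa *sa) {
    pool_free(sa->cert_slot);
}

/* Corrected form: the reference is cleared at the moment of the free. */
static void drop_replay_fixed(struct phase1_sa *sa) {
    pool_free(sa->cert_slot);
    sa->cert_slot = -1;
}

/* Runs steps 1-8; returns 1 if the other control block still owns its storage. */
static int other_block_survives(void (*drop_replay)(struct phase1_sa *)) {
    memset(owner, 0, sizeof owner);
    struct phase1_sa sa = { pool_get("pkcs7-cert") }; /* steps 1-2 */
    drop_replay(&sa);                                 /* steps 3-4: first replay */
    int other = pool_get("other-sa");                 /* step 5: storage reused */
    drop_replay(&sa);                                 /* steps 6-7: second replay */
    return strcmp(owner[other], "other-sa") == 0;     /* step 9: is it intact? */
}

int main(void) {
    /* Exit 0 when the buggy path loses the block and the fixed path keeps it. */
    return !(other_block_survives(drop_replay_buggy) == 0 &&
             other_block_survives(drop_replay_fixed) == 1);
}
```

In the buggy path the second replay releases storage that now belongs to the other control block, which is the condition behind the varied abends; in the fixed path the second replay finds no reference to free.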
APAR Information
APAR number
PM15480
Reported component name
TCP/IP V3 MVS
Reported component ID
5655HAL00
Reported release
190
Status
CLOSED UR1
PE
NoPE
HIPER
YesHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2010-05-27
Closed date
2010-06-08
Last modified date
2010-08-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UK57785 UK57786 UK57787 UK57788
Modules/Macros
EZAIKOKI EZAIKOKK
Fix information
Fixed component name
TCP/IP V3 MVS
Fixed component ID
5655HAL00
Applicable component levels
R1A0 PSY UK57785
UP10/07/14 P F007
R1B0 PSY UK57786
UP10/07/14 P F007
R1C0 PSY UK57787
UP10/07/14 P F007
R199 PSY UK57788
UP10/07/14 P F007
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
02 August 2010