IBM Support

PM58292: IKED STORAGE LEAK CAUSES IKED TO FAIL AFTER LOAD OF GSKSSL FAILS

A fix is available

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as unreproducible in next release.

Error description

  • IKED is not freeing storage.  LE Heap storage will continue to
    grow.  Eventually, a load of the GSKSSL DLL will fail with
    messages:
    IEW4000I FETCH FOR MODULE GSKSSL   FROM DDNAME -LNKLST- FAILED
    BECAUSE INSUFFICIENT STORAGE WAS AVAILABLE.
    CSV031I LIBRARY ACCESS FAILED FOR MODULE GSKSSL  , RETURN CODE
    14, REASON CODE 26110021, DDNAME *LNKLST*
    .
    IKED will issue an abend:
    DUMP Title=IKED  Code UCEE3503 Cert390::Cert390
    .
    CEE3503S indicates a load request was unsuccessful.
    A review of the dump will show large amounts of storage
    allocated in subpool 2 key 8.  The eyecatchers will be HANC,
    indicating the storage was obtained by LE for heap storage.
    .
    Running IP VERBX LEDATA 'HEAP' will show the allocated heap
    segments.  The heap will have large number of CN=xxxx where xxx
    is the name from the certificates used by IKED.  There will also
    be copies of the certificate allocated but with ASCII
    characters.
    .
    ADDITIONAL KEYWORDS:
    SP2K8
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of the IBM Communications Server   *
    *                 for z/OS Version 1 Release(s) 12, and 13     *
    *                 IP: IPSecurity                               *
    ****************************************************************
    * PROBLEM DESCRIPTION: Storage leak causes IKE to issue        *
    *                      abend106. The storage leak was due to   *
    *                      certification ID storage was not being  *
    *                      released.                               *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    During security association (SA) negotiation between two IKE
    partners, storage that was obtained for a certificate ID was not
    being released after the SA failed. The certificate ID was
    X500DN and the object that was instantiated to perform ID
    authentication was never deleted leading to the storage
    leak.
    +-------------------------------------------------------------+
    + Please check our Communications Server for OS/390 homepages +
    + for common networking tips and fixes.  The URL for these    +
    + homepages can be found in Informational APAR II11334.       +
    +-------------------------------------------------------------+
    

Problem conclusion

Temporary fix

  • *********
    * HIPER *
    *********
    

Comments

  • EZAIKPKI has been changed to delete storage allocated for
    certificate ID.
    PKIBASE class has been changed and all dependency parts have
    been included for recompile.
    Fix is a rollback from D153905.
    

APAR Information

  • APAR number

    PM58292

  • Reported component name

    TCP/IP V3 MVS

  • Reported component ID

    5655HAL00

  • Reported release

    1C0

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    YesHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-02-15

  • Closed date

    2012-03-13

  • Last modified date

    2012-05-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UK77142 UK77143

Modules/Macros

  • EZAIKA@U EZAIKABL EZAIKALF EZAIKAMF EZAIKANC
    EZAIKCCA EZAIKDOI EZAIKE@L EZAIKE@M EZAIKENV EZAIKFIN EZAIKGEN
    EZAIKGNK EZAIKIDO EZAIKIKL EZAIKIMA EZAIKINF EZAIKISB EZAIKLAY
    EZAIKMAT EZAIKMSG EZAIKOKI EZAIKOKK EZAIKOKL EZAIKOKM EZAIKOKP
    EZAIKPAR EZAIKPII EZAIKPKI EZAIKPKR EZAIKPKS EZAIKPOL EZAIKPRE
    EZAIKPRK EZAIKPUB EZAIKP1  EZAIKREG EZAIKRET EZAIKSA  EZAIKSKM
    EZAIKSMD EZAIKSMH PKIBASE
    

Fix information

  • Fixed component name

    TCP/IP V3 MVS

  • Fixed component ID

    5655HAL00

Applicable component levels

  • R1C0 PSY UK77142

       UP12/04/24 P F204

  • R1D0 PSY UK77143

       UP12/04/24 P F204

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"1C0","Edition":"","Line of Business":{"code":"","label":""}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSCY4DZ","label":"DO NOT USE"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"1C0","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
02 May 2012