PM72266: CERITIFICATE USERID VALUE NOT PASSED TO CICS SOCKETS SECURITY EXIT USING AT-TLS

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• The CICS socket interface is configured for AT-TLS and the
  GETTID yes options is coded, and the customer has a security
  exit in place. This causes the CICS sockets Listener to try to
  obtain the security ceritificate and extract the USERID
  associated with it. The Listener then passes the USERID to the
  user written security exit, this is not occurring. The security
  exit gets control with a zero USERID at offset 68 in the
  security exit commarea.
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED: All users of the IBM Communications Server   *
  *                 for z/OS Version 1 Release(s) 12 and 13 IP:  *
  *                 CICS sockets with AT-TLS                     *
  ****************************************************************
  * PROBLEM DESCRIPTION: CICS sockets listener fails to pass the *
  *                      AT-TLS certificate userid to the user   *
  *                      defined security exit.                  *
  ****************************************************************
  * RECOMMENDATION:                                              *
  ****************************************************************
  CICS sockets listener fails to pass the AT-TLS certificate
  USERID to the user defined security exit.
  
  The CICS sockets interface is configured to retrieve the AT-TLS
  USERID associated with the certificate (GETTID=YES).  A security
  exit is defined (SECEXIT=name) and gets control for every new
  connection processed by the listener.  The USERID value being
  passed to the security exit (EZACIC_USERID) is null.  The
  certificate length (EZACIC_CERTIFICATE_LENGTH) and certificate
  address (EZACIC_CERTIFICATE_ADDRESS) are zero.
  +-------------------------------------------------------------+
  + Please check our Communications Server for OS/390 homepages +
  + for common networking tips and fixes.  The URL for these    +
  + homepages can be found in Informational APAR II11334.       +
  +-------------------------------------------------------------+
  

Problem conclusion

• The IBM CICS listener program, EZACIC02, has been amended to
  pass the USERID, certificate length, and certificate address
  when available and GETTID=YES is configured.
  
  * Cross Reference between External and Internal Names
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UK83555 UK83556

Modules/Macros

•    EZACIC02
  

Fix information

• Fixed component name

  TCP/IP V3 MVS

• Fixed component ID

  5655HAL00

Applicable component levels

• R1C0 PSY UK83555

     UP13/02/01 P F301

• R1D0 PSY UK83556

     UP13/02/01 P F301

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.