PM72266: CERITIFICATE USERID VALUE NOT PASSED TO CICS SOCKETS SECURITY EXIT USING AT-TLS

A fix is available

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • The CICS socket interface is configured for AT-TLS and the
    GETTID yes options is coded, and the customer has a security
    exit in place. This causes the CICS sockets Listener to try to
    obtain the security ceritificate and extract the USERID
    associated with it. The Listener then passes the USERID to the
    user written security exit, this is not occurring. The security
    exit gets control with a zero USERID at offset 68 in the
    security exit commarea.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of the IBM Communications Server   *
    *                 for z/OS Version 1 Release(s) 12 and 13 IP:  *
    *                 CICS sockets with AT-TLS                     *
    ****************************************************************
    * PROBLEM DESCRIPTION: CICS sockets listener fails to pass the *
    *                      AT-TLS certificate userid to the user   *
    *                      defined security exit.                  *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    CICS sockets listener fails to pass the AT-TLS certificate
    USERID to the user defined security exit.
    
    The CICS sockets interface is configured to retrieve the AT-TLS
    USERID associated with the certificate (GETTID=YES).  A security
    exit is defined (SECEXIT=name) and gets control for every new
    connection processed by the listener.  The USERID value being
    passed to the security exit (EZACIC_USERID) is null.  The
    certificate length (EZACIC_CERTIFICATE_LENGTH) and certificate
    address (EZACIC_CERTIFICATE_ADDRESS) are zero.
    +-------------------------------------------------------------+
    + Please check our Communications Server for OS/390 homepages +
    + for common networking tips and fixes.  The URL for these    +
    + homepages can be found in Informational APAR II11334.       +
    +-------------------------------------------------------------+
    

Problem conclusion

  • The IBM CICS listener program, EZACIC02, has been amended to
    pass the USERID, certificate length, and certificate address
    when available and GETTID=YES is configured.
    
    * Cross Reference between External and Internal Names
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM72266

  • Reported component name

    TCP/IP V3 MVS

  • Reported component ID

    5655HAL00

  • Reported release

    1C0

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-09-05

  • Closed date

    2012-11-15

  • Last modified date

    2013-02-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UK83555 UK83556

Modules/Macros

  • EZACIC02
    

Fix information

  • Fixed component name

    TCP/IP V3 MVS

  • Fixed component ID

    5655HAL00

Applicable component levels

  • R1C0 PSY UK83555

       UP13/02/01 P F301

  • R1D0 PSY UK83556

       UP13/02/01 P F301

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.



Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

z/OS family

Software version:

1C0

Operating system(s):

z/OS

Reference #:

PM72266

Modified date:

2013-02-04

Translate my page

Machine Translation

Content navigation