IBM Support

PI18375: RECEIVING DFHSO0123 RETURN CODE 433, DFHWB0732 SOCKET I/O ERROR WHILE RECEIVING CLIENT REQUEST, AND DFHSO0002 X'080C'.

A fix is available

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • There is an attack on the region's TCPIPSERVICE causing a flood
    of messages and a system dump to occur.
    .
    The following messages appear in the CICS Log:
    .
    DFHSO0123 03/08/2014 01:21:45 CICSREGN Return code 433
    received from function 'gsk_secure_socket_init'
    of System SSL.  Reason:  Unrecognized return code.
    Peer: 111.22.111.22, TCPIPSERVICE: YOURSRVC.
    DFHWB0732 03/08/2014 01:21:49 CICSREGN CWXN CICS Web attach
    processing encountered a sockets I/O error while
    receiving a client request. Host IP address:
    222.11.222.11.  Client IP address: 111.22.111.22.
    TCPIPSERVICE: YOURSRVC
    .
    DFHSO0002 CICSREGN A severe error (code X'080C') has
    occurred in module DFHSOSE.
    .
    Need to prevent the DFHSO0002 dump from being produced and
    and a more useful description of the return code 433.
    .
    You will see the following Trace Entry for this error:
    .
    SO 080C SOSE  *EXC* - SYSTEM_SSL_ERROR GSK_RESPONSE
                          (GSK_ERR_EXPORT_RESTRICTION)
                           FUNCTION(SECURE_SOC_INIT)
                           RESPONSE(DISASTER)
                           REASON(GSK_ERROR)
                           GSK_RETURN_CODE(1B1) "Dec 433"
                           CERTIFICATE_USERID()
                           CIPHER_SELECTED()
    .
    GSK_RETURN_CODE(1B1) means:
    - The above error is x'1B1' ( 433 dec ) which is:
      - Key exceeds allowable export size.
      - Explanation:  The key size used for an export cipher
        suite exceeds the allowable maximum size.  For RSA
        and DSA keys, the maximum export key size is 512 bits.
        If the certificate key is larger than 512 bits, the
        SSL runtime will use a temporary 512-bit key for the
        connection.
    Additional Symptom(s) Search Keyword(s): KIXREVDAM
    RC433 MSGDFHSO0123 MSGDFHWB0732 MSGDFHSO0002
    

Local fix

  • n/a
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS users.                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: DFHSO0002 is issued when SSL fails with *
    *                      GSK_ERR_EXPORT_RESTRICTION (response    *
    *                      code 433).                              *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    CICS is setup with SSL. A client connects to CICS and a secure
    socket connection is initialized. If the key size used for an
    export cipher suite exceeds the allowable maximum size, the
    socket initialization will fail with gsk response code 433.
    CICS treats the 433 as an unrecognized return code and issues
    message DFHSO0123 to report the error code. In addition,
    DFHSO0002 is issued and a system dump is taken.
    
    The response code 433 should be treated as an client side error,
    the DFHSO0002 and the system dump is unnecessary for this type
    of error.
    
    Additional Keywords: msgDFHSO0123  SO0123  msgDFHSO0002  SO0002
    

Problem conclusion

  • DFHSOSE has been changed to issue message DFHSO1023 with the
    correct description, when gsk returns response code 433. The
    DFHSO0002 is not issued and a system dump is not taken.
    
    
    CICS Transaction Server for z/OS Version 5 Release 1
    CICS Messages and Codes Vol 2, GC34-2862-00 has
    amended the description of message DFHSO0123.
    
    Change the line "44=Bad message length" to
    "44=Bad message length, 46=Export restriction".
    Change the line "Bad message length}." to
    "Bad message length | Export restriction}.".
    
    
    CICS Transaction Server for z/OS Version 5 Release 2
    CICS Messages and Codes Vol 2, GC34-7284-00 has
    amended the description of message DFHSO0123.
    
    Change the line "45=Cryptographic error detected" to
    "45=Cryptographic error detected, 46=Export restriction".
    Change the line "Cryptographic error detected}." to
    "Cryptographic error detected | Export restriction}.".
    

Temporary fix

  • FIX AVAILABLE BY PTF ONLY
    

Comments

APAR Information

  • APAR number

    PI18375

  • Reported component name

    CICS TS Z/OS V5

  • Reported component ID

    5655Y0400

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-05-20

  • Closed date

    2014-08-13

  • Last modified date

    2015-03-19

  • APAR is sysrouted FROM one or more of the following:

    PI15836

  • APAR is sysrouted TO one or more of the following:

    UI20509 UI20510

Modules/Macros

  • DFHMESOC DFHMESOE DFHMESOK DFHSOSE
    

Publications Referenced
GC34286200GC34728400   

Fix information

  • Fixed component name

    CICS TS Z/OS V5

  • Fixed component ID

    5655Y0400

Applicable component levels

  • R800 PSY UI20509

       UP14/08/21 P F408

  • R900 PSY UI20510

       UP14/08/21 P F408

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.1","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.1","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
19 March 2015