IBM Support

PI70495: FTP - FCXXXX AUTHSERVER: GSK_DECODE_BASE64 FAILED WITH RC = 53817375 (INCORRECT BASE64 ENCODING) - SSL SESSION ID.

A fix is available

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • In native SSL/TLS for FTP, the FTP server is not able to
    properly decode the Base64-encoded version of an SSL session
    identifier(GSK_SID_VALUE) which was specified as a parameter on
    the z/OS Cryptographic Services System SSL API call:
    gsk_attribute_get_buffer().
    
    
    BACK-GROUND:
    
    gsk_attribute_get_buffer():
    
      - this routine will return a buffer value for an SSL
        environment or an SSL connection.
    
    GSK_SID_VALUE:
    
      - a buffer identifier that is specified as a parameter on the
        gsk_attribute_get_buffer(). It returns the Base64-encoded
        version of session identifier.This may be specified only for
        an SSL connection.
    
     *** When the SSL connection is not initialized, the
         GSK_SID_VALUE that is returned is either the session ID
         specified on a previous gsk_attribute_set_buffer()
         invocation or NULL!
    
    
    The session ID length is not being evaluated and or tested
    before trying to process the session ID(); that is decoding the
    Base64-encoded version of the session ID that was returned from
    the gsk_attribute_get_buffer API call. If session ID length is
    NULL dont call the gsk_decode_base64() routine.
    
    additional symptoms:
    
    FTP Client/Server protected with AT-TLS (ATTLS) also experience
    this issue. In an ATTLS environment a packet on the zOS FTP
    client side shows a RESET packet being sent after a 1403
    (change_cipher_spec) was received from the remote server
    
    ADDITIONAL SYMPTOMS:
    EZD1284I RC: 7375 Get GSK_DECODE_BASE64
    EZD1287I RC: 7375 Initial Handshake
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All users of the IBM Communications Server for z/OS Version  *
    * 2 Releases 2: FTP                                            *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * An FTP connection using native SSL or ATTLS receives a       *
    * GSK_DECODE_BASE64 error when trying to authenticate.         *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Apply PTF.                                                   *
    ****************************************************************
    When the FTP client issues an AUTH TLS command,
    gsk_decode_base64 is called to decode the session id of the
    connection that can later be used in SMF recording. If the
    session id is null, it can cause the gsk_decode_base64 call to
    fail.
    

Problem conclusion

  • FTP and ATTLS codes have been updated to check that the session
    id is non-null before calling GSK to decode it.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI70495

  • Reported component name

    Z/MF CONFIG ASS

  • Reported component ID

    5655S28CA

  • Reported release

    220

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-10-11

  • Closed date

    2016-12-05

  • Last modified date

    2017-02-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI43089

Modules/Macros

  • EZAFTPFU EZAFTPFC EZAFTPFR EZBTLRTN
    

Fix information

  • Fixed component name

    TCP/IP V3 MVS

  • Fixed component ID

    5655HAL00

Applicable component levels

  • R220 PSY UI43089

       UP17/01/26 P F701

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"220","Edition":"","Line of Business":{"code":"","label":""}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSCY4DZ","label":"DO NOT USE"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"220","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
01 February 2017