A fix is available
APAR status
Closed as program error.
Error description
In native SSL/TLS for FTP, the FTP server is not able to properly decode the Base64-encoded version of an SSL session identifier(GSK_SID_VALUE) which was specified as a parameter on the z/OS Cryptographic Services System SSL API call: gsk_attribute_get_buffer(). BACK-GROUND: gsk_attribute_get_buffer(): - this routine will return a buffer value for an SSL environment or an SSL connection. GSK_SID_VALUE: - a buffer identifier that is specified as a parameter on the gsk_attribute_get_buffer(). It returns the Base64-encoded version of session identifier.This may be specified only for an SSL connection. *** When the SSL connection is not initialized, the GSK_SID_VALUE that is returned is either the session ID specified on a previous gsk_attribute_set_buffer() invocation or NULL! The session ID length is not being evaluated and or tested before trying to process the session ID(); that is decoding the Base64-encoded version of the session ID that was returned from the gsk_attribute_get_buffer API call. If session ID length is NULL dont call the gsk_decode_base64() routine. additional symptoms: FTP Client/Server protected with AT-TLS (ATTLS) also experience this issue. In an ATTLS environment a packet on the zOS FTP client side shows a RESET packet being sent after a 1403 (change_cipher_spec) was received from the remote server ADDITIONAL SYMPTOMS: EZD1284I RC: 7375 Get GSK_DECODE_BASE64 EZD1287I RC: 7375 Initial Handshake
Local fix
N/A
Problem summary
**************************************************************** * USERS AFFECTED: * * All users of the IBM Communications Server for z/OS Version * * 2 Releases 2: FTP * **************************************************************** * PROBLEM DESCRIPTION: * * An FTP connection using native SSL or ATTLS receives a * * GSK_DECODE_BASE64 error when trying to authenticate. * **************************************************************** * RECOMMENDATION: * * Apply PTF. * **************************************************************** When the FTP client issues an AUTH TLS command, gsk_decode_base64 is called to decode the session id of the connection that can later be used in SMF recording. If the session id is null, it can cause the gsk_decode_base64 call to fail.
Problem conclusion
FTP and ATTLS codes have been updated to check that the session id is non-null before calling GSK to decode it.
Temporary fix
Comments
APAR Information
APAR number
PI70495
Reported component name
Z/MF CONFIG ASS
Reported component ID
5655S28CA
Reported release
220
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-10-11
Closed date
2016-12-05
Last modified date
2017-02-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UI43089
Modules/Macros
EZAFTPFU EZAFTPFC EZAFTPFR EZBTLRTN
Fix information
Fixed component name
TCP/IP V3 MVS
Fixed component ID
5655HAL00
Applicable component levels
R220 PSY UI43089
UP17/01/26 P F701
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"220","Edition":"","Line of Business":{"code":"","label":""}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSCY4DZ","label":"DO NOT USE"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"220","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
01 February 2017