PJ41171: ENHANCE THE Z/TPF HTTP SERVER.


APAR status

  • Closed as program error.

Error description

  • See Problem Summary.
    

Local fix

  • n/a
    

Problem summary

  • APAR NUMBER:  PJ41171
    PRODUCT:  z/TPF
    FUNCTIONAL AREA:  z/TPF HTTP Server
    SHIPPED IN PUT:  10
    
    ABSTRACT:
    Add Secure Sockets Layer (SSL) support to the z/TPF HTTP server.
    
    PACKAGE CONTENTS:
    Source Segments:
    (C) base/cntl/tpf_app_base.cntl
    (C) base/include/tpf/ihtps.h
    (C) base/include/tpf/inetdssl.h
    (C) base/include/tpf/i_netd.h
    (C) base/macro/ihtps.mac
    (C) base/openssl/tpfssl/csslac.c
    (N) base/rt/chs1.c
    (N) base/rt/chs1.mak
    (N) base/rt/chsr.c
    (N) base/rt/chsr.mak
    (C) base/rt/cht1.c
    (C) base/rt/cht2.c
    (C) base/rt/cht3.c
    (C) base/rt/cht3.mak
    (C) base/rt/chti.mak
    (C) base/rt/chti1.c
    (C) base/rt/chti4.c
    (C) base/rt/chti5.c
    (C) base/rt/chti6.c
    (C) base/rt/chti8.c
    (C) base/rt/chts.c
    (C) base/rt/chts.mak
    (C) base/rt/chtz.c
    (C) base/rt/cinet1.c
    (C) base/rt/cinet2.c
    (C) base/rt/cinet4.c
    (C) base/rt/cinet5.c
    (C) base/rt/cinetc.c
    (C) base/rt/cltc.mak
    (C) base/rt/cltv.mak
    (C) base/rt/cltx.mak
    
    Object Only Binaries:
    None.
    
    Configuration Independent Binaries:
    (C) base/lib/libCHT2.so
    (N) base/lib/libCHT3.so
    (C) base/lib/libCHTI.so
    (C) base/lib/libCHTS.so
    (C) base/lib/libCLTC.so
    (C) base/lib/libCLTV.so
    (C) base/lib/libCLTY.so
    (N) base/load/CHS1.so
    (N) base/load/CHSR.so
    (C) base/load/CHT1.so
    (C) base/load/CHT2.so
    (C) base/load/CHT3.so
    (C) base/load/CHTI.so
    (C) base/load/CHTS.so
    (C) base/load/CHTZ.so
    (C) base/load/CLTC.so
    (C) base/load/CLTV.so
    (C) base/load/CLTX.so
    (C) base/load/CLTY.so
    (N) base/obj/chs1.o
    (N) base/obj/chsr.o
    (C) base/obj/cht1.o
    (C) base/obj/cht2.o
    (C) base/obj/cht3.o
    (C) base/obj/chti1.o
    (C) base/obj/chti4.o
    (C) base/obj/chti5.o
    (C) base/obj/chti6.o
    (C) base/obj/chti8.o
    (C) base/obj/chts.o
    (C) base/obj/chtz.o
    (C) base/obj/cinet1.o
    (C) base/obj/cinet2.o
    (C) base/obj/cinet4.o
    (C) base/obj/cinet5.o
    (C) base/obj/cinetc.o
    (C) base/openssl/load/CSL7.so
    (C) base/openssl/obj/csslac.o
    
    Support Files:
    base/lst/chs1.lst
    base/lst/chsr.lst
    base/lst/cht1.lst
    base/lst/cht2.lst
    base/lst/cht3.lst
    base/lst/chti1.lst
    base/lst/chti4.lst
    base/lst/chti5.lst
    base/lst/chti6.lst
    base/lst/chti8.lst
    base/lst/chts.lst
    base/lst/chtz.lst
    base/lst/cinet1.lst
    base/lst/cinet2.lst
    base/lst/cinet4.lst
    base/lst/cinet5.lst
    base/lst/cinetc.lst
    base/lst/CHS1.map
    base/lst/CHSR.map
    base/lst/CHT1.map
    base/lst/CHT2.map
    base/lst/CHT3.map
    base/lst/CHTI.map
    base/lst/CHTS.map
    base/lst/CHTZ.map
    base/lst/CLTC.map
    base/lst/CLTV.map
    base/lst/CLTX.map
    base/lst/CLTY.map
    base/openssl/lst/csslac.lst
    base/openssl/lst/CSL7.map
    
    OTHER BINARIES TO BUILD: YES
    (C) <sys>/load/IPAT.so
    (C) <sys>/stdlib/libTPFSTUB.so
    (C) <sys>/stdload/TPFSTUB.so
    (C) <sys>/obj/ipat.o
    COMMENTS:
    APAR PJ39252 added z/TPF HTTP server support to z/TPF. This
    APAR provided an alternative HTTP transport mechanism on z/TPF
    to the Apache 1.3 or Apache 2.3 open source HTTP servers. The
    z/TPF HTTP server provided limited support of the published
    HTTP/1.1 standard in RFC 2616, but it did not provide SSL
    support, which is a common feature of HTTP servers to encrypt
    and decrypt HTTP requests and responses as the data is
    transmitted on an HTTP connection.
    This APAR also addresses the following problems in the z/TPF
    base:
    1. SSL_aor() processing in program csslac.c (CSL7) incorrectly
    tests for an SSL_aor() timeout. Program csslac.c tests the
    CE2TCPIP_TIMED_OUT byte in page 2 of the ECB for the value of 1
    (X'01') instead of the bit setting of X'08'. Because the code
    tests for X'01' instead of X'08', the SSL_aor() timeout flag in
    ECB field EBW020 is not set to 1. As a result, SSL applications
    that issue the SSL_aor() function will not be notified that the
    function has timed out.
    2. If an HTTP server configuration file is updated for an
    active HTTP server, the value of the maximum HTTP message size
    in the new file is applied to existing HTTP connections for
    that server. As a result, HTTP requests that had been accepted
    by the server before the configuration change may fail as the
    result of the change in the maximum message size. The z/TPF
    documentation in z/TPF TCP/IP indicates that existing client
    connections continue to use the configuration data that was in
    effect when the connection was established, and new client
    connections use the new configuration information. This problem
    was introduced by z/TPF APAR PJ39252.
    3. The z/TPF HTTP server may return a status code of 400 to the
    client if the client sends an HTTP request large enough for the
    header area to be broken into separate pieces of data. When the
    second piece of data arrives, the server may parse the header
    area incorrectly, resulting in the 400 status code being
    returned to the client by the server. This problem was
    introduced by z/TPF APAR PJ39252.
    4. If program cinetc.c is unable to assign a socket to an SSL
    structure with the SSL_set_fd() function, error message
    INET0141E is issued, and the associated SSL session is closed.
    The problem is that program cinetc.c issues two consecutive
    unlkc() function calls to unlock the Internet Daemon Control
    Table (IDCT) without relocking the IDCT. As a result, an
    OPR-573 system error occurs. This problem was introduced by
    z/TPF APAR PJ41170.
    5. A SOAP request sent to a z/TPF HTTP server can be rejected
    with a response including a status code of 400. This is due to
    the array of headers in the tpf_httpsvr_req structure (field
    headerlist) passed from CHT3 to CS0H not having a
    null-terminator at the end of the array.
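
Problems 2 and 3 above, sketched as an added C example (not IBM's code and not taken from the APAR): each connection keeps the message-size limit that was in effect when it was accepted, and the end of the header area is searched for in the accumulated data, so a header area that arrives in several pieces is handled. All type and function names are hypothetical, and the sample request is constructed.

```c
#include <stddef.h>
#include <string.h>
/* All names here are hypothetical; these are not z/TPF structures. */
enum feed_result { NEED_MORE = 0, HEADERS_COMPLETE = 1, TOO_LARGE = -1 };
struct server_cfg { size_t max_msg; };  /* live config, may be reloaded */
struct conn {
    size_t max_msg;   /* limit snapshotted when the connection was accepted */
    size_t len;       /* bytes buffered so far */
    size_t hdr_end;   /* offset just past CRLFCRLF, 0 until found */
    char   buf[4096];
};

/* Copy the limit in effect at accept time; later reloads never change it. */
void conn_init(struct conn *c, const struct server_cfg *cfg)
{
    memset(c, 0, sizeof *c);
    c->max_msg = cfg->max_msg < sizeof c->buf ? cfg->max_msg : sizeof c->buf;
}

/* Append one received piece, then search the accumulated data (not the
 * piece alone) for the end of the header area. */
enum feed_result conn_feed(struct conn *c, const char *piece, size_t n)
{
    if (n > c->max_msg - c->len)
        return TOO_LARGE;
    /* Back up 3 bytes so a CRLFCRLF straddling two pieces is still found. */
    size_t start = c->len >= 3 ? c->len - 3 : 0;
    memcpy(c->buf + c->len, piece, n);
    c->len += n;
    for (size_t i = start; i + 4 <= c->len; i++) {
        if (memcmp(c->buf + i, "\r\n\r\n", 4) == 0) {
            c->hdr_end = i + 4;
            return HEADERS_COMPLETE;
        }
    }
    return NEED_MORE;
}

int main(void)
{
    /* Constructed request, split inside the terminating CRLFCRLF. */
    const char *p1 = "GET /svc HTTP/1.1\r\nHost: example.test\r", *p2 = "\n\r\n";
    struct server_cfg cfg = { 1024 };
    struct conn c;
    conn_init(&c, &cfg);
    cfg.max_msg = 16;   /* config reload while the connection is open */
    return !(conn_feed(&c, p1, strlen(p1)) == NEED_MORE &&
             conn_feed(&c, p2, strlen(p2)) == HEADERS_COMPLETE);
}
```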
    

Problem conclusion

  • SOLUTION:
    SSL support has been added to the z/TPF HTTP server with this
    enhancement. Users of the new support will need to apply APAR
    PJ41170, which added the new Internet Daemon (INETD) model to
    the z/TPF base. The INETD SSL model will invoke the SSL HTTP
    server code in program chs1.c when the model accepts an SSL
    client connection from an HTTP client. Program chs1.c will
    enter program chsr.c to issue SSL_read() function calls to
    decrypt encrypted HTTP requests. If program chsr.c successfully
    parses the HTTP request, it enters the HTTP application program
    associated with the URL in the HTTP request. The HTTP
    application program then issues the tpf_httpSendResponse()
    function to send the response to z/TPF HTTP server program
    chts.c, which issues an SSL_write() function to send the
    encrypted HTTP response to the HTTP client.
    ZHTPS DISPLAY command processing has been updated to include a
    column in its display to indicate if a z/TPF HTTP server is
    using SSL.
    Configuration procedures for the z/TPF SSL HTTP server are
    similar to the procedures for the z/TPF non-SSL HTTP server:
    1. Enter the ZINET ADD command to define the SSL HTTP server
    with the model parameter set to SSL and the PGM parameter set
    to CHS1.
    2. Create a server application file and FTP the file in ASCII
    format to the /etc/tpf_httpserver directory of the server's
    subsystem.
    3. Create a URL program mapping file and FTP the file in ASCII
    format to the /etc/tpf_httpserver directory of the server's
    subsystem.
    4. Create an SSL application configuration file for SSL and FTP
    the file in ASCII format to the /etc/ssl/inetd directory of the
    BSS file system.
    5. Start the SSL HTTP server with the ZINET START command or by
    cycling the system to CRAS state or above.
    The following problems in the z/TPF base have been resolved:
    1. SSL_aor() processing in program csslac.c has been updated to
    correctly check the X'08' bit for an SSL_aor() timeout
    condition.
    2. The z/TPF HTTP server processing has been changed to ensure
    that new configuration information for an HTTP server is only
    applied to new client connections rather than existing client
    connections.
    3. The z/TPF HTTP server parser has been changed to correctly
    parse an HTTP request in which the header area is received by
    the server in multiple pieces as a result of the size of the
    request and the processing of the TCP/IP native stack code.
    4. The code that processes an error from the SSL_set_fd()
    function in program cinetc.c has been changed to only issue one
    unlkc() function in the event of an error from the function.
    5. CHT3 now allocates an additional byte for the array of
    headers passed to the HTTP application and sets that extra byte
    as x'00' to provide a null-terminator at the end of the array.
    
    COREQS: NO
    None.
    
    MIGRATION CONSIDERATIONS: YES
    Functional, automation, and operation changes:
    Updated commands:
    ZHTPS DISPLAY - New column specifies whether an HTTP server is
    using SSL.
    ZINET ADD     - Now accepts CHS1 for the PGM parameter when an
                    SSL HTTP server is being defined for INETD.
    New messages:
    INET0150E
    INET0151E
    INET0152E
    INET0153E
    Changed Messages:
    HTPS0001I
    Installation validation:
    To verify installation of this support, application code must
    be available to send encrypted SSL requests from an SSL HTTP
    client on one system to the z/TPF SSL HTTP server.  On the
    system that contains the z/TPF HTTP server, an HTTP application
    must be available to receive the decrypted HTTP request from
    the z/TPF HTTP server and to issue a tpf_httpSendResponse() to
    send an HTTP response to the SSL client.
    Enter the following commands:
    ZHTPS DISP ALL (should show new SSL column for server
    information display).
    ZINET ADD S-<servername> with PGM-CHS1 and MODEL-SSL to define
    a z/TPF SSL HTTP server (should be accepted without error).
    Performance or tuning changes:
    For SSL and non-SSL support, the z/TPF HTTP server now records
    HTTP requests received and HTTP responses sent on a server
    basis in the TCP/IP network services database. To record
    performance information for a particular HTTP server, add a
    server entry with its port number and server name to the
    services file in the /etc directory of the BSS. Then, enter
    ZIPDB REFRESH to refresh the TCP/IP network services database
    and ZIPDB MESSAGES ALL to display message rates for a particular
    HTTP server.  Performance information can also be observed by
    running data collection and analyzing TCP/IP network services
    information in data reduction reports produced by data
    collection.
    Coexistence, migration, and fallback considerations:
    HTTP server applications that were written for the existing
    (non-SSL) z/TPF HTTP servers do not need to be changed to work
    with a z/TPF SSL HTTP server.
    On a z/TPF system, SSL and non-SSL z/TPF HTTP servers and
    Apache servers can accept client connections and send and
    receive data simultaneously.
    
    BUILD COMMANDS AND INSTRUCTIONS: YES
    #maketpf commands for linux
    maketpf -f CLTY cinet2.o cinet5.o
    maketpf -f CLTC cinetc.o
    maketpf -f CLTV cinet1.o
    maketpf -f CLTX cinet4.o
    maketpf -f CSL7 csslac.o
    maketpf -f CHTI chti1.o chti4.o chti5.o chti6.o chti8.o
    maketpf -f CHTS chts.o
    maketpf -f CHT2 cht2.o
    maketpf -f CHS1 chs1.o
    maketpf -f CHT3 cht3.o
    maketpf -f CHSR chsr.o
    maketpf -f CHT1 cht1.o
    maketpf -f CHTZ chtz.o
    maketpf -f TPFSTUB link
    maketpf -f IPAT
    maketpf CLTY link TPF_VERIFY_LINK_REFS=NO
    maketpf CLTC link TPF_VERIFY_LINK_REFS=NO
    maketpf CLTV link
    maketpf CLTX link TPF_VERIFY_LINK_REFS=NO
    maketpf CSL7 link
    maketpf CHTI link
    maketpf CHTS link
    maketpf CHT2 link
    maketpf CHS1 link
    maketpf CHT3 link
    maketpf CHSR link
    maketpf CHT1 link
    maketpf CHTZ link
    maketpf CLTY link
    maketpf CLTC link
    maketpf CLTX link
    
    UPDATED INFORMATION UNITS: YES
    z/TPF and z/TPFDF Migration Guide: PUT 2 and Later
    z/TPF Messages (Online, SQLCODEs, and errno Values)
    z/TPF Operations
    z/TPF Security
    z/TPF TCP/IP
    
    See your IBM representative if you need additional information.
    
    DOWNLOAD INSTRUCTIONS:
    http://www.ibm.com/software/htp/tpf/maint/maintztpf.html
    
    APAR URL:
    http://www.ibm.com/software/htp/tpf/ztpfmaint/put10/PJ41171.htm
    

Temporary fix

Comments

APAR Information

  • APAR number

    PJ41171

  • Reported component name

    Z/TPF

  • Reported component ID

    5748T1501

  • Reported release

    110

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-04-19

  • Closed date

    2013-11-04

  • Last modified date

    2013-11-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Publications Referenced
SK2T8062        

Fix information

  • Fixed component name

    Z/TPF

  • Fixed component ID

    5748T1501

Applicable component levels

  • R110 PSY

       UP



Document information


More support for:

TPF
z/TPF

Software version:

110

Reference #:

PJ41171

Modified date:

2013-11-04
