PJ41171: ENHANCE THE Z/TPF HTTP SERVER.
Closed as program error.
See Problem Summary.
APAR NUMBER: PJ41171
PRODUCT: z/TPF
FUNCTIONAL AREA: z/TPF HTTP Server
SHIPPED IN PUT: 10

ABSTRACT: Add Secure Sockets Layer (SSL) support to the z/TPF HTTP server.

PACKAGE CONTENTS:

Source Segments:
  (C) base/cntl/tpf_app_base.cntl
  (C) base/include/tpf/ihtps.h
  (C) base/include/tpf/inetdssl.h
  (C) base/include/tpf/i_netd.h
  (C) base/macro/ihtps.mac
  (C) base/openssl/tpfssl/csslac.c
  (N) base/rt/chs1.c
  (N) base/rt/chs1.mak
  (N) base/rt/chsr.c
  (N) base/rt/chsr.mak
  (C) base/rt/cht1.c
  (C) base/rt/cht2.c
  (C) base/rt/cht3.c
  (C) base/rt/cht3.mak
  (C) base/rt/chti.mak
  (C) base/rt/chti1.c
  (C) base/rt/chti4.c
  (C) base/rt/chti5.c
  (C) base/rt/chti6.c
  (C) base/rt/chti8.c
  (C) base/rt/chts.c
  (C) base/rt/chts.mak
  (C) base/rt/chtz.c
  (C) base/rt/cinet1.c
  (C) base/rt/cinet2.c
  (C) base/rt/cinet4.c
  (C) base/rt/cinet5.c
  (C) base/rt/cinetc.c
  (C) base/rt/cltc.mak
  (C) base/rt/cltv.mak
  (C) base/rt/cltx.mak

Object Only Binaries:
  None.

Configuration Independent Binaries:
  (C) base/lib/libCHT2.so
  (N) base/lib/libCHT3.so
  (C) base/lib/libCHTI.so
  (C) base/lib/libCHTS.so
  (C) base/lib/libCLTC.so
  (C) base/lib/libCLTV.so
  (C) base/lib/libCLTY.so
  (N) base/load/CHS1.so
  (N) base/load/CHSR.so
  (C) base/load/CHT1.so
  (C) base/load/CHT2.so
  (C) base/load/CHT3.so
  (C) base/load/CHTI.so
  (C) base/load/CHTS.so
  (C) base/load/CHTZ.so
  (C) base/load/CLTC.so
  (C) base/load/CLTV.so
  (C) base/load/CLTX.so
  (C) base/load/CLTY.so
  (N) base/obj/chs1.o
  (N) base/obj/chsr.o
  (C) base/obj/cht1.o
  (C) base/obj/cht2.o
  (C) base/obj/cht3.o
  (C) base/obj/chti1.o
  (C) base/obj/chti4.o
  (C) base/obj/chti5.o
  (C) base/obj/chti6.o
  (C) base/obj/chti8.o
  (C) base/obj/chts.o
  (C) base/obj/chtz.o
  (C) base/obj/cinet1.o
  (C) base/obj/cinet2.o
  (C) base/obj/cinet4.o
  (C) base/obj/cinet5.o
  (C) base/obj/cinetc.o
  (C) base/openssl/load/CSL7.so
  (C) base/openssl/obj/csslac.o

Support Files:
  base/lst/chs1.lst
  base/lst/chsr.lst
  base/lst/cht1.lst
  base/lst/cht2.lst
  base/lst/cht3.lst
  base/lst/chti1.lst
  base/lst/chti4.lst
  base/lst/chti5.lst
  base/lst/chti6.lst
  base/lst/chti8.lst
  base/lst/chts.lst
  base/lst/chtz.lst
  base/lst/cinet1.lst
  base/lst/cinet2.lst
  base/lst/cinet4.lst
  base/lst/cinet5.lst
  base/lst/cinetc.lst
  base/lst/CHS1.map
  base/lst/CHSR.map
  base/lst/CHT1.map
  base/lst/CHT2.map
  base/lst/CHT3.map
  base/lst/CHTI.map
  base/lst/CHTS.map
  base/lst/CHTZ.map
  base/lst/CLTC.map
  base/lst/CLTV.map
  base/lst/CLTX.map
  base/lst/CLTY.map
  base/openssl/lst/csslac.lst
  base/openssl/lst/CSL7.map

OTHER BINARIES TO BUILD: YES
  (C) <sys>/load/IPAT.so
  (C) <sys>/stdlib/libTPFSTUB.so
  (C) <sys>/stdload/TPFSTUB.so
  (C) <sys>/obj/ipat.o

COMMENTS:

APAR PJ39252 added z/TPF HTTP server support to z/TPF. This APAR provided an alternative HTTP transport mechanism on z/TPF to the Apache 1.3 or Apache 2.3 open source HTTP servers. The z/TPF HTTP server provided limited support of the published HTTP/1.1 standard in RFC 2616, but it did not provide SSL support, which is a common feature of HTTP servers to encrypt and decrypt HTTP requests and responses as the data is transmitted on an HTTP connection.

This APAR also addresses the following problems in the z/TPF base:

1. SSL_aor() processing in program csslac.c (CSL7) incorrectly tests for an SSL_aor() timeout. Program csslac.c tests the CE2TCPIP_TIMED_OUT byte in page 2 of the ECB for the value of 1 (X'01') instead of the bit setting of X'08'. Because the code tests for X'01' instead of X'08', the SSL_aor() timeout flag in ECB field EBW020 is not set to 1. As a result, SSL applications that issue the SSL_aor() function will not be notified that the function has timed out.

2. If an HTTP server configuration file is updated for an active HTTP server, the value of the maximum HTTP message size in the new file is applied to existing HTTP connections for that server. As a result, HTTP requests that had been accepted by the server before the configuration change may fail as the result of the change in the maximum message size. The z/TPF documentation in z/TPF TCP/IP indicates that existing client connections continue to use the configuration data that was in effect when the connection was established, and new client connections use the new configuration information. This problem was introduced by z/TPF APAR PJ39252.

3. The z/TPF HTTP server may return a status code of 400 to the client if the client sends an HTTP request large enough for the header area to be broken into separate pieces of data. When the second piece of data arrives, the server may parse the header area incorrectly, resulting in the 400 status code being returned to the client by the server. This problem was introduced by z/TPF APAR PJ39252.

4. If program cinetc.c is unable to assign a socket to an SSL structure with the SSL_set_fd() function, error message INET0141E is issued, and the associated SSL session is closed. The problem is that program cinetc.c issues two consecutive unlkc() function calls to unlock the Internet Daemon Control Table (IDCT) without relocking the IDCT. As a result, an OPR-573 system error occurs. This problem was introduced by z/TPF APAR PJ41170.

5. A SOAP request sent in to a z/TPF HTTP server can be rejected with a response including a status code of 400. This is due to the array of headers in the tpf_httpsvr_req structure (field headerlist) passed from CHT3 to CS0H not having a null-terminator at the end of the array.
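Problems 3 and 5 both concern how the header area is reassembled and handed to the application. The following C code is an added example, not IBM's code: it buffers received pieces until the blank line arrives and returns a NULL-terminated header array. The names hdr_acc and hdr_feed, the size limits, and the sample request are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#define HDR_MAX   8192            /* assumed cap on the header area */
#define HDR_LINES 32              /* assumed cap on header lines    */

/* Hypothetical per-connection state, not the z/TPF structures. */
struct hdr_acc {
    char   buf[HDR_MAX + 1];
    size_t len;
    char  *lines[HDR_LINES + 1];  /* extra slot holds the NULL terminator */
};

/* Feed one piece: 0 = need more data, 1 = lines[] filled, -1 = reject. */
int hdr_feed(struct hdr_acc *a, const char *data, size_t n)
{
    if (n > HDR_MAX - a->len)
        return -1;                         /* header area too large */
    memcpy(a->buf + a->len, data, n);
    a->len += n;
    a->buf[a->len] = '\0';
    /* Search all data so far: the ending CRLFCRLF can itself be split. */
    char *end = strstr(a->buf, "\r\n\r\n");
    if (end == NULL) return 0;
    end[2] = '\0';                         /* cut after the last header's CRLF */
    size_t count = 0;
    for (char *p = a->buf; *p != '\0'; ) {
        char *eol = strstr(p, "\r\n");
        if (count == HDR_LINES)
            return -1;                     /* too many header lines */
        a->lines[count++] = p;
        *eol = '\0';
        p = eol + 2;
    }
    a->lines[count] = NULL;                /* consumers stop at NULL */
    return 1;
}

int main(void)
{
    const char *pieces[] = { "POST /svc HTTP/1.1\r\nHost: example.test\r",
                             "\nContent-Length: 4\r\n\r", "\nbody" }; /* constructed */
    static struct hdr_acc a;
    int rc = 0;
    for (int i = 0; i < 3 && rc == 0; i++)
        rc = hdr_feed(&a, pieces[i], strlen(pieces[i]));
    for (char **h = a.lines; rc == 1 && *h != NULL; h++)
        puts(*h);
    return rc == 1 ? 0 : 1;
}
```

A parser that scans only the newly arrived piece misses a terminator that straddles two pieces, and a consumer that walks lines[] without the final NULL reads past the last header.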
SOLUTION:

SSL support has been added to the z/TPF HTTP server with this enhancement. Users of the new support will need to apply APAR PJ41170, which added the new Internet Daemon (INETD) model to the z/TPF base.

The INETD SSL model will invoke the SSL HTTP server code in program chs1.c when the model accepts an SSL client connection from an HTTP client. Program chs1.c will enter program chsr.c to issue SSL_read() function calls to decrypt encrypted HTTP requests. If program chsr.c successfully parses the HTTP request, it enters the HTTP application program associated with the URL in the HTTP request. The HTTP application program then issues the tpf_httpSendResponse() function to send the response to z/TPF HTTP server program chts.c, which issues an SSL_write() function to send the encrypted HTTP response to the HTTP client.

ZHTPS DISPLAY command processing has been updated to include a column in its display to indicate if a z/TPF HTTP server is using SSL.

Configuration procedures for the z/TPF SSL HTTP server are similar to the procedures for the z/TPF non-SSL HTTP server:

1. Enter the ZINET ADD command to define the SSL HTTP server with the model parameter set to SSL and the PGM parameter set to CHS1.
2. Create a server application file and FTP the file in ASCII format to the /etc/tpf_httpserver directory of the server's subsystem.
3. Create a URL program mapping file and FTP the file in ASCII format to the /etc/tpf_httpserver directory of the server's subsystem.
4. Create an SSL application configuration file for SSL and FTP the file in ASCII format to the /etc/ssl/inetd directory of the BSS file system.
5. Start the SSL HTTP server with the ZINET START command or by cycling the system to CRAS state or above.

The following problems in the z/TPF base have been resolved:

1. SSL_aor() processing in program csslac.c has been updated to correctly check the X'08' bit for an SSL_aor() timeout condition.
2. The z/TPF HTTP server processing has been changed to ensure that new configuration information for an HTTP server is only applied to new client connections rather than existing client connections.
3. The z/TPF HTTP server parser has been changed to correctly parse an HTTP request in which the header area is received by the server in multiple pieces as a result of the size of the request and the processing of the TCP/IP native stack code.
4. The code that processes an error from the SSL_set_fd() function in program cinetc.c has been changed to only issue one unlkc() function in the event of an error from the function.
5. CHT3 now allocates an additional byte for the array of headers passed to the HTTP application and sets that extra byte as x'00' to provide a null-terminator at the end of the array.

COREQS: NO
  None.

MIGRATION CONSIDERATIONS: YES

Functional, automation, and operation changes:

Updated commands:
  ZHTPS DISPLAY - New column specifies whether an HTTP server is using SSL.
  ZINET ADD - Now accepts CHS1 for the PGM parameter when an SSL HTTP server is being defined for INETD.

New messages:
  INET0150E
  INET0151E
  INET0152E
  INET0153E

Changed messages:
  HTPS0001I

Installation validation:

To verify installation of this support, application code must be available to send encrypted SSL requests from an SSL HTTP client on one system to the z/TPF SSL HTTP server. On the system that contains the z/TPF HTTP server, an HTTP application must be available to receive the decrypted HTTP request from the z/TPF HTTP server and to issue a tpf_httpSendResponse() to send an HTTP response to the SSL client.

Enter the following commands:
  ZHTPS DISP ALL (should show new SSL column for server information display).
  ZINET ADD S-<servername> with PGM-CHS1 and MODEL-SSL to define a z/TPF SSL HTTP server (should be accepted without error).

Performance or tuning changes:

For SSL and non-SSL support, the z/TPF HTTP server now records HTTP requests received and HTTP responses sent on a server basis in the TCP/IP network services database. To record performance information for a particular HTTP server, add a server entry with its port number and server name to the services file in the /etc directory of the BSS. Then, enter ZIPDB REFRESH to refresh the TCP/IP network services database and ZIPDB MESSAGES ALL to display message rates for a particular HTTP server. Performance information can also be observed by running data collection and analyzing TCP/IP network services information in data reduction reports produced by data collection.

Coexistence, migration, and fallback considerations:

HTTP server applications that were written for the existing (non-SSL) z/TPF HTTP servers do not need to be changed to work with a z/TPF SSL HTTP server. On a z/TPF system, SSL and non-SSL z/TPF HTTP servers and Apache servers can accept client connections and send and receive data simultaneously.

BUILD COMMANDS AND INSTRUCTIONS: YES

#maketpf commands for linux
  maketpf -f CLTY cinet2.o cinet5.o
  maketpf -f CLTC cinetc.o
  maketpf -f CLTV cinet1.o
  maketpf -f CLTX cinet4.o
  maketpf -f CSL7 csslac.o
  maketpf -f CHTI chti1.o chti4.o chti5.o chti6.o chti8.o
  maketpf -f CHTS chts.o
  maketpf -f CHT2 cht2.o
  maketpf -f CHS1 chs1.o
  maketpf -f CHT3 cht3.o
  maketpf -f CHSR chsr.o
  maketpf -f CHT1 cht1.o
  maketpf -f CHTZ chtz.o
  maketpf -f TPFSTUB link
  maketpf -f IPAT
  maketpf CLTY link TPF_VERIFY_LINK_REFS=NO
  maketpf CLTC link TPF_VERIFY_LINK_REFS=NO
  maketpf CLTV link
  maketpf CLTX link TPF_VERIFY_LINK_REFS=NO
  maketpf CSL7 link
  maketpf CHTI link
  maketpf CHTS link
  maketpf CHT2 link
  maketpf CHS1 link
  maketpf CHT3 link
  maketpf CHSR link
  maketpf CHT1 link
  maketpf CHTZ link
  maketpf CLTY link
  maketpf CLTC link
  maketpf CLTX link

UPDATED INFORMATION UNITS: YES
  z/TPF and z/TPFDF Migration Guide: PUT 2 and Later
  z/TPF Messages (Online, SQLCODEs, and errno Values)
  z/TPF Operations
  z/TPF Security
  z/TPF TCP/IP

See your IBM representative if you need additional information.

DOWNLOAD INSTRUCTIONS: http://www.ibm.com/software/htp/tpf/maint/maintztpf.html

APAR URL: http://www.ibm.com/software/htp/tpf/ztpfmaint/put10/PJ41171.htm