IBM Support

PJ45258: Enhancement to support Transport Layer Security (TLS) for High Speed Connector and Enhanced HTTP Client.

APAR status

  • Closed as new function.

Error description

  • See Problem Summary.
    

Local fix

  • N/A
    

Problem summary

  • APAR NUMBER:  PJ45258
    PRODUCT:  z/TPF
    FUNCTIONAL AREA:  HTTP CLIENT
    SHIPPED IN PUT:  15
    
    ABSTRACT:
    Enhancement to support Transport Layer Security (TLS) for High
    Speed Connector and Enhanced HTTP Client.
    
    PACKAGE CONTENTS:
    Source Segments:
    (C) base/cntl/tpf_app_base.cntl
    (C) base/exp/COMX.exp
    (C) base/include/sys/ioctl.h
    (C) base/include/tpf/c_https.h
    (C) base/include/tpf/ihtpc.h
    (C) base/include/tpf/iwodmept.h
    (C) base/include/tpf/i_pwbl.h
    (C) base/macro/ipwbl.mac
    (C) base/openssl/csl5.mak
    (C) base/openssl/tpfssl/csslao.c
    (C) base/openssl/tpfssl/csslar.c
    (C) base/openssl/tpfssl/csslcs.c
    (C) base/openssl/tpfssl/csslqo.c
    (C) base/openssl/tpfssl/csslrd.c
    (C) base/openssl/tpfssl/csslwb.c
    (C) base/openssl/tpfssl/csslwt.c
    (C) base/openssl/tpfssl/headers/tpf/i_issl.h
    (C) base/openssl/tpfssl/tpf_ssl_cssl.c
    (C) base/rt/c524.c
    (C) base/rt/cdma.mak
    (C) base/rt/cdmf.mak
    (C) base/rt/cdmg.mak
    (C) base/rt/cht2.c
    (C) base/rt/chte.mak
    (C) base/rt/chtt.c
    (C) base/rt/conc.mak
    (C) base/rt/conh.mak
    (C) base/rt/conm.cpp
    (C) base/rt/conn_command.cpp
    (C) base/rt/conn_heartbeat_monitor.c
    (C) base/rt/conn_send_message.c
    (C) base/rt/cons.mak
    (C) base/rt/ctsi.asm
    (C) base/rt/ept_connect.cpp
    (C) base/rt/ept_monitor.c
    (C) base/rt/ept_register.cpp
    (C) base/rt/ept_util.c
    (C) base/rt/httpc_curl_handle.c
    (C) base/rt/httpc_daemon_master.c
    (C) base/rt/httpSendRequest.c
    (N) base/rt/httpSendUtils.c
    (C) base/tpf-fdes/schema/tpf_endpoint_schema.xsd
    
    Object Only Binaries:
    None.
    
    Configuration Independent Binaries:
    (C) base/lib/libCDMA.so
    (C) base/lib/libCHT2.so
    (C) base/lib/libCHTE.so
    (C) base/lib/libCONC.so
    (C) base/lib/libCONM.so
    (C) base/lib/libCONS.so
    (C) base/load/CDMA.so
    (C) base/load/CDMD.so
    (C) base/load/CDMF.so
    (C) base/load/CDMG.so
    (C) base/load/CHT2.so
    (C) base/load/CHTE.so
    (C) base/load/CHTT.so
    (C) base/load/CONC.so
    (C) base/load/CONH.so
    (C) base/load/CONM.so
    (C) base/load/CONS.so
    (C) base/load/CTSI.so
    (C) base/obj/c524.o
    (C) base/obj/cht2.o
    (C) base/obj/chtt.o
    (C) base/obj/conm.o
    (C) base/obj/conn_command.o
    (C) base/obj/conn_heartbeat_monitor.o
    (C) base/obj/conn_send_message.o
    (C) base/obj/ctsi.o
    (C) base/obj/ept_connect.o
    (C) base/obj/ept_monitor.o
    (C) base/obj/ept_register.o
    (C) base/obj/ept_util.o
    (C) base/obj/httpSendRequest.o
    (N) base/obj/httpSendUtils.o
    (C) base/openssl/lib/libCSL5.so
    (C) base/openssl/lib/libCSL6.so
    (C) base/openssl/lib/libCSSL.so
    (C) base/openssl/load/CSL2.so
    (C) base/openssl/load/CSL5.so
    (C) base/openssl/load/CSL6.so
    (C) base/openssl/load/CSSL.so
    (C) base/openssl/obj/csslao.o
    (C) base/openssl/obj/csslar.o
    (C) base/openssl/obj/csslcs.o
    (C) base/openssl/obj/csslqo.o
    (C) base/openssl/obj/csslrd.o
    (C) base/openssl/obj/csslwb.o
    (C) base/openssl/obj/csslwt.o
    (C) base/openssl/obj/tpf_ssl_cssl.o
    (C) base/stdlib/libCOMX.so
    (C) base/stdload/COMX.so
    
    Support Files:
    base/lst/c524.lst
    base/lst/cht2.lst
    base/lst/chtt.lst
    base/lst/conm.lst
    base/lst/conn_command.lst
    base/lst/conn_heartbeat_monitor.lst
    base/lst/conn_send_message.lst
    base/lst/ctsi.lst
    base/lst/CDMA.map
    base/lst/CDMD.map
    base/lst/CDMF.map
    base/lst/CDMG.map
    base/lst/CHT2.map
    base/lst/CHTE.map
    base/lst/CHTT.map
    base/lst/COMX.map
    base/lst/CONC.map
    base/lst/CONH.map
    base/lst/CONM.map
    base/lst/CONS.map
    base/lst/CTSI.map
    base/lst/ept_connect.lst
    base/lst/ept_monitor.lst
    base/lst/ept_register.lst
    base/lst/ept_util.lst
    base/lst/httpSendRequest.lst
    base/lst/httpSendUtils.lst
    base/openssl/lst/csslao.lst
    base/openssl/lst/csslar.lst
    base/openssl/lst/csslcs.lst
    base/openssl/lst/csslqo.lst
    base/openssl/lst/csslrd.lst
    base/openssl/lst/csslwb.lst
    base/openssl/lst/csslwt.lst
    base/openssl/lst/CSL2.map
    base/openssl/lst/CSL5.map
    base/openssl/lst/CSL6.map
    base/openssl/lst/CSSL.map
    base/openssl/lst/tpf_ssl_cssl.lst
    
    OTHER BINARIES TO BUILD: YES
    (C) <sys>/lib/libCHTD.so
    (C) <sys>/lib/libCHTF.so
    (C) <sys>/load/CHTD.so
    (C) <sys>/load/CHTF.so
    (C) <sys>/obj/httpc_curl_handle.o
    (C) <sys>/obj/httpc_daemon_master.o
    (C) os390/bin/ppcp.pds
    (C) os390/obj/stpp.o
    
    COMMENTS:
    APAR PJ43832 introduced the z/TPF high speed connector, which
    is a system managed group of connections to remote servers.
    With high speed connector, an application programmer can
    communicate with remote servers with a single z/TPF API called
    tpf_send_message or tpf_send_async_message. APAR PJ44733
    introduced the enhanced HTTP client support, which is a
    replacement for the existing HTTP client that leverages the
    high speed connector for persistent HTTP sessions to remote
    servers. HTTP client applications can send HTTP requests
    through high speed connector with a single function called
    tpf_httpSendRequest or tpf_httpSendAsyncRequest.
    
    The initial release of high speed connector and enhanced HTTP
    client did not include support for secure sessions using
    Transport Layer Security (TLS). In many cases, securing the
    data transferred through high speed connector and enhanced HTTP
    client is a requirement.
    

Problem conclusion

  • SOLUTION:
    APAR PJ45258 provides support for Transport Layer Security
    (TLS) for high speed connector and enhanced HTTP client
    connections to remote servers. A user can now configure groups
    of remote servers to be TLS enabled. Whether or not the high
    speed connector or enhanced HTTP client group is using TLS is
    transparent to the application. The application still makes a
    single call to send requests to remote servers.
    
    APAR PJ45258 also provides support for TLS enabled
    non-persistent enhanced HTTP client sessions. These are
    enhanced HTTP client sessions that do not leverage high speed
    connector for persistent sessions.
    
    In addition, APAR PJ45258 provides the following functionality:
    
    - The shared SSL code has been enhanced to propagate OpenSSL
    error queue information from the shared SSL daemons to the
    application ECB. With this support, an application that uses
    shared SSL will have better diagnostics when problems occur.
    
    - The shared SSL code has been updated to allow for
    non-blocking SSL_read and SSL_write. Before this enhancement, a
    shared SSL_read or SSL_write would be suspended by the system
    until the API times out or can be satisfied. Now the shared SSL
    code will interrogate the socket's FIONBIO ioctl option to
    determine whether the SSL_read or SSL_write should be suspended
    or return immediately with an SSL_ERROR_WANT_READ or
    SSL_ERROR_WANT_WRITE error return code.
    
    - The existing HTTP client package (for example,
    tpf_httpPerform) has been updated to support the latest OpenSSL
    security standards (TLS 1.1 and TLS 1.2).
    
    - The z/TPF REST consumer support has been updated to allow
    REST consumer requests to flow across TLS sessions. The use of
    TLS enabled REST consumer requires APAR PJ45493 as a
    prerequisite.
    
    This APAR also fixes some minor problems found in the high
    speed connector, enhanced HTTP client, and z/TPF HTTP server.
    
    COREQS: YES
    PJ45493
    
    MIGRATION CONSIDERATIONS: YES
    Functional, automation, and operation changes:
    ZCONN - Updated the syntax of ZCONN START and ZCONN STOP to
    match how the code works.  There is no change in
    functionality.
    
    Application programming interface (API) changes:
    SSL_read() and SSL_write() API functions will return to the
    caller in the same socket blocking mode as they were entered.
    For example, if the socket for SSL_read() or SSL_write() was in
    nonblocking mode, then the function will return in nonblocking
    mode.  As a result, these functions may return the
    SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE return codes if the
    socket was in nonblocking mode before the call.  If your
    application sets the socket to nonblocking mode
    with the ioctl() socket API function before issuing SSL_read()
    and SSL_write(), your application must check for the
    SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE return codes.
    Otherwise, no changes are necessary to your application.
    
    Hardware, software, and configuration changes:
    The Endpoint Group Descriptor schema file has been updated with
    a new parameter.  See the "Endpoint group descriptor" section
    of the z/TPF Knowledge Center for more details.
    
    Coexistence, migration, and fallback considerations:
    You may use the same default /etc/ssl/httpc.conf SSL
    configuration file that you may have used for the existing HTTP
    client. You also have the option to define additional SSL
    configuration files for specific HTTP client connections as you
    do with the existing HTTP client. See z/TPF Security for
    information on creating the configuration files.
    
    
    
    BUILD COMMANDS AND INSTRUCTIONS: YES
    #maketpf commands for linux
    maketpf -f COMX c524.o
    maketpf -f CTSI ctsi.o
    maketpf -f CHTF httpc_curl_handle.o
    maketpf -f CHTD httpc_daemon_master.o
    maketpf -f CSL5 csslcs.o csslqo.o
    maketpf -f CSSL csslar.o tpf_ssl_cssl.o
    maketpf -f CSL6 csslao.o csslrd.o csslwt.o
    maketpf -f CSL2 csslwb.o
    maketpf -f CHT2 cht2.o
    maketpf -f CHTT chtt.o
    maketpf -f CONM conm.o
    maketpf -f CDMA ept_util.o
    maketpf -f CDMD ept_register.o
    maketpf -f CDMF ept_connect.o
    maketpf -f CDMG ept_monitor.o
    maketpf -f CONS conn_send_message.o
    maketpf -f CONH conn_heartbeat_monitor.o
    maketpf -f CONC conn_command.o
    maketpf -f CHTE httpSendRequest.o httpSendUtils.o
    maketpf COMX link TPF_VERIFY_LINK_REFS=NO
    maketpf CTSI link
    maketpf CHTF link
    maketpf CHTD link TPF_VERIFY_LINK_REFS=NO
    maketpf CSL5 link TPF_VERIFY_LINK_REFS=NO
    maketpf CSSL link
    maketpf CSL6 link
    maketpf CSL2 link
    maketpf CHT2 link
    maketpf CHTT link
    maketpf CONM link
    maketpf CDMA link
    maketpf CDMD link
    maketpf CDMF link TPF_VERIFY_LINK_REFS=NO
    maketpf CDMG link
    maketpf CONS link
    maketpf CONH link
    maketpf CONC link
    maketpf CHTE link
    maketpf COMX link
    maketpf CHTD link
    maketpf CSL5 link
    maketpf CDMF link
    #maketpf commands for z/OS
    maketpf -f ppcp stpp.o
    maketpf ppcp link
    
    UPDATED INFORMATION UNITS: YES
    z/TPF and z/TPFDF Migration Guide: PUT 2 and Later
    z/TPF C/C++ Language Support User's Guide
    z/TPF Deployment Descriptors
    z/TPF Operations
    z/TPF Security
    z/TPF TCP/IP
    
    See your IBM representative if you need additional information.
    
    DOWNLOAD INSTRUCTIONS:
    http://www.ibm.com/software/htp/tpf/pages/maint.htm
    
    APAR URL:
    http://www.ibm.com/software/htp/tpf/ztpfmaint/put15/PJ45258.htm
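
The nonblocking SSL_read and SSL_write change and the "Application programming interface (API) changes" migration note above both require callers on nonblocking sockets to handle SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE. The following retry loop is an added example, not IBM or z/TPF code. The names tls_io, tls_read_nb and run_script are hypothetical, the transport is a constructed script so the file runs without a TLS library, and the numeric codes are OpenSSL's SSL_ERROR_* values (real code should use the header's symbols).

```c
/* Added example: bounded retry for a nonblocking TLS read. Callbacks are
 * stand-ins for SSL_read(), SSL_get_error() and a select()/poll() wait. */
#include <stdio.h>
#include <string.h>

enum { WANT_READ = 2, WANT_WRITE = 3, ZERO_RETURN = 6 }; /* OpenSSL SSL_ERROR_* values */
enum { RD_CLOSED = 0, RD_FATAL = -1, RD_TIMEOUT = -2 };  /* this example's result codes */
typedef struct {
    int (*read)(void *ctx, void *buf, int len);  /* SSL_read stand-in */
    int (*get_error)(void *ctx, int ret);        /* SSL_get_error stand-in */
    int (*wait_io)(void *ctx, int for_write);    /* readiness wait; 0 = timed out */
    void *ctx;
} tls_io;

/* Returns bytes read (>0) or one of the RD_* codes; retries only on WANT_*. */
int tls_read_nb(const tls_io *io, void *buf, int len, int max_waits)
{
    for (int waits = 0;;) {
        int n = io->read(io->ctx, buf, len);
        if (n > 0) return n;                     /* application data delivered */
        int err = io->get_error(io->ctx, n);
        if (err == ZERO_RETURN) return RD_CLOSED;                   /* clean TLS shutdown */
        if (err != WANT_READ && err != WANT_WRITE) return RD_FATAL; /* never retry these */
        /* A read can need the socket writable (handshake records), so wait in
         * the requested direction, and cap the waits so a stalled peer cannot
         * hold the caller forever. */
        if (waits++ >= max_waits || !io->wait_io(io->ctx, err == WANT_WRITE))
            return RD_TIMEOUT;
    }
}

/* Constructed scripted transport: each step is the outcome of one read attempt. */
typedef struct { int ret, err; } step;
typedef struct { const step *steps; int pos, rd_waits, wr_waits; } script;
static int s_read(void *c, void *buf, int len) {
    script *s = c; int r = s->steps[s->pos].ret;
    if (r > 0) memset(buf, 'A', (size_t)(r < len ? r : len));
    return r;
}
static int s_err(void *c, int ret) { script *s = c; (void)ret; return s->steps[s->pos++].err; }
static int s_wait(void *c, int w) { script *s = c; if (w) s->wr_waits++; else s->rd_waits++; return 1; }
int run_script(script *s, int max_waits) {
    char buf[16]; tls_io io = { s_read, s_err, s_wait, s };
    return tls_read_nb(&io, buf, (int)sizeof buf, max_waits);
}

int main(void) {
    static const step demo[] = { {-1, WANT_READ}, {-1, WANT_WRITE}, {5, 0} };
    script s = { demo, 0, 0, 0 };
    printf("result=%d\n", run_script(&s, 4));    /* 5 after one wait in each direction */
    return 0;
}
```

The same structure applies to SSL_write(), with the addition that a retried write must pass the same buffer and length as the attempt that returned the WANT_* code.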
    

Temporary fix

Comments

APAR Information

  • APAR number

    PJ45258

  • Reported component name

    Z/TPF

  • Reported component ID

    5748T1501

  • Reported release

    110

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-02-26

  • Closed date

    2018-10-30

  • Last modified date

    2018-10-30

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Publications Referenced
SK2T8062        

Fix information

  • Fixed component name

    Z/TPF

  • Fixed component ID

    5748T1501

Applicable component levels



Document information

More support for: TPF
z/TPF

Software version: 110

Reference #: PJ45258

Modified date: 30 October 2018