PK27523: UK15261 PK22736 FAILED TO SHIP MODULE DFHESE.

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• UK15261 PK22736 failed to ship module DFHESE.  This means
  identity assertion will not work as expected.
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED: All CICS users with UK15261 applied.         *
  ****************************************************************
  * PROBLEM DESCRIPTION: Using WS-Security identity assertion    *
  *                      fails because the security checks are   *
  *                      done using the current userid and not   *
  *                      the userid in the SOAP message.         *
  *                                                              *
  *                      ABEND0C4 in DFHSIP which can lead to    *
  *                      CICS terminating when issuing START     *
  *                      requests to remote regions connected    *
  *                      via MRO and the sessions have a preset  *
  *                      userid.                                 *
  ****************************************************************
  * RECOMMENDATION:                                              *
  ****************************************************************
  When DFHWSSE1 inquires on the security context for a specified
  userid extracted from the incoming SOAP message, the current
  userid for the running task is used instead.  UK15261 failed to
  ship module DFHESE and this prevented the specified userid from
  being passed to DFHXSRC.  DFHXSRC then used the current userid
  to perform the security checking.
  
  UK15261 also failed to update DFHSNAS.  During
  SIGNON_ATI_SESSION processing for a CRSR task DFHUSAD is called
  for INQUIRE_USER processing.  UK15261 increased the DFHUSAD
  parameter list by 8 bytes to incorporate a new SECURITY_TOKEN
  which can be returned.  The parameters passed to DFHUSAD by
  DFHSNAS are at the very end of DFHSNAS stack storage.  DFHUSAD
  returns all of the parameters it is possible to inquire on,
  including the new SECURITY_TOKEN.  This overwrites the 8 bytes
  following the end of the stack entry for DFHSNAS.  This is
  the first 8 bytes of the stack for DFHUSAD and causes register
  14 be overlaid.  When DFHUSAD returns to DFHSNAS it restores
  the now corrupted R14 and will branch to a random location.
  This causes an 0C4 abend in DFHSIP and may lead to CICS
  terminating.
  

Problem conclusion

• UK15261
  Module DFHESE has been shipped containing the required changes
  to pass the specified userid to DFHXSRC.
  
  Module DFHSNAS has been regenerated so that the correct version
  of the DFHUSAD parameter list is now used.  This prevents the
  overlay of the first 8 bytes of DFHUSAD stack storage.
  
  The CICS Transaction Server for z/OS V3.1 Web Services Guide
  (SC34-6458-04) will be updated.  A new section "Prerequisites
  for implementing WS-Security" will be added after the
  introduction in chapter 14 "Support for Web Services Security"
  as follows:
  
  Prerequisites
  
  To implement Web Services Security, you must apply the
  following updates to your CICS  region.
  
    1. Install the free IBM XML Toolkit for z/OS v1.7. You can
       download it from the following site:
       http://www.ibm.com/servers/eserver/zseries/software/xml/.
       You must install version 1.7. Later versions do not work
       with Web Services Security support in CICS.
    2. Apply the PTF for APAR PK22736.
    3. Add the following libraries to the DFHRPL concatenation:
        o hlq.SIXMLOD1
        o hlq.SCLBDLL
        o hlq.SCEERUN
       where hlq is the high level qualifier that was specified
       by the system programmer when the Web Services Security
       APAR was installed.
  
       These libraries contain DLLs that are required at run time
       by DFHWSSE1. IXM4C54 is provided by the XML toolkit and is
       found in hlq.SIXMLOD1; IOSTREAM is provided by the C++
       runtime and is found in hlq.SCLBDLL; C128N is provided by
       the Language Environment runtime and is found in
       hlq.SCEERUN.
  
    4. You might need to increase the value of the EDSALIM system
       initialization parameter. The three DLLs that need to be
       loaded require approximately 15MB of EDSA storage.
  
  If you do not have the libraries specified, you get the
  following message:
  
  CEE3501S The module module_name was not found.
  
  The module_name varies depending on which library is missing.
  

Temporary fix

•             *********
              * HIPER *
              *********
  FIX AVAILABLE BY PTF ONLY
  

Comments

• ž**** PE06/07/28 PTF IN ERROR. SEE APAR PK28761  FOR DESCRIPTION
  

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Modules/Macros

•    DESABAB  DESDSBRI DESD2D2  DESD2EX1 DESEIPI
  DESIIRR  DESLEPT  DESLI1   DESLI2   DESLI3   DESPICC  DESPICV
  DESPIDC  DESPIDM  DESPIII  DESPIIS  DESPIIT  DESPIIW  DESPILSQ
  DESPIPL  DESPIPM  DESPISC  DESPISN  DESPIST  DESPITL  DESPITRI
  DESPIWR  DESSNAS  DESSNPU  DESSNSG  DESSNSU  DESSNTU  DESSNUS
  DESSNXR  DESSOSE  DESUSAD  DESWBAP  DESWBDM  DESWBRQ  DESWBSR
  DESWBUR  DESWBXM  DESXMXN  DESXSRC  DESZSGN  DFHABAB  DFHAMPI
  DFHAPLI1 DFHAPLI2 DFHAPLI3 DFHAPLJ1 DFHAPLJ3 DFHAPLX1 DFHAPLX3
  DFHBSTS  DFHBSTZO DFHCPI   DFHCURDI DFHCURDM DFHDSAT  DFHDSBRI
  DFHD2D2  DFHD2EX1 DFHEIP   DFHEIPI  DFHEIQPI DFHEIQSA DFHEIQSO
  DFHEIQST DFHERM   DFHESE   DFHICP   DFHICXM  DFHIIRR  DFHKEDS
  DFHKEIN  DFHKEMD  DFHKERN  DFHKESGM DFHKEXM  DFHLEPT  DFHLEPTA
  DFHLEPTD DFHLEPTI DFHLEPTM DFHLEPTO DFHLEPTT DFHLFM   DFHLIFO
  DFHLONGN DFHMEPIE DFHMSGIF DFHPIAP  DFHPICC  DFHPICCA DFHPICCM
  DFHPICCT DFHPIDCC DFHPIDCD DFHPIDM  DFHPIII  DFHPIIIA DFHPIIIM
  DFHPIIIT DFHPIISC DFHPIISI DFHPIIT  DFHPIIW  DFHPIIWA DFHPIIWM
  DFHPIIWT DFHPILSQ DFHPIPL  DFHPIPM  DFHPISB  DFHPISC  DFHPISN
  DFHPISNA DFHPISNC DFHPISND DFHPISNM DFHPISNT DFHPISN1 DFHPISN2
  DFHPIST  DFHPITL  DFHPITLA DFHPITLM DFHPITLT DFHPITP  DFHPITRI
  DFHPIUCC DFHPIUCD DFHPIWR  DFHPIWRA DFHPIWRJ DFHPIWRM DFHPIWRT
  DFHPIWRV DFHSNAS  DFHSNPU  DFHSNSG  DFHSNSGI DFHSNSU  DFHSNTPC
  DFHSNTU  DFHSNUS  DFHSNXR  DFHSOSE  DFHSOSEA DFHSOSEM DFHSOSET
  DFHSOSKO DFHTCRP  DFHTRCIF DFHUSAD  DFHUSADA DFHUSADM DFHUSADT
  DFHWBAP  DFHWBAPF DFHWBDM  DFHWBRQS DFHWBSR  DFHWBUR  DFHWBURA
  DFHWBURC DFHWBURM DFHWBURT DFHWBXM  DFHXMACA DFHXMACM DFHXMACT
  DFHXMATA DFHXMATM DFHXMATT DFHXMIQ  DFHXMIQA DFHXMIQD DFHXMIQM
  DFHXMIQS DFHXMIQT DFHXMIQX DFHXMIQY DFHXMPPA DFHXMPPM DFHXMPPT
  DFHXMXBC DFHXMXBD DFHXMXEA DFHXMXEM DFHXMXET DFHXMXNC DFHXMXND
  DFHXSRC  DFHXSRCA DFHXSRCM DFHXSRCT DFHXTP   DFHZATA2 DFHZSGN
  DFHZTSP  DFH22736 DFJ@H176 MFHMEPIE
  

Fix information

• Fixed component name

  CICSTS 3.1 Z/OS

• Fixed component ID

  5655M1500

Applicable component levels

• R40D PSY UK16031

     UP06/07/26 P F607 ®

• R400 PSY UK16029

     UP06/07/26 P F607 ®

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.