A fix is available
APAR status
Closed as program error.
Error description
You are running CICS Transaction Server 3.2 using CICS web support. When issuing a NETSTAT command you notice many sockets in status: ClosWait. A dump taken of CICS shows there are corresponding SOCKET OBJECT control blocks that are orphaned. They indicate they are in 'closed' status, but CICS has not performed the close on them. Further investigation found a correlation between these sockets in ClosWait status, and a security violation that occurred. Here is an example of a security violation message: ICH408I USER(DFLTUSER) GROUP(xxxxxxxx) NAME(CICS DEFAULT USER ) CWBA CL(TCICSTRN) INSUFFICIENT ACCESS AUTHORITY FROM *.CWBA (G) ACCESS INTENT(READ ) ACCESS ALLOWED(NONE ) These orphaned sockets count towards MAXSOCKETS and eventually you could run out of sockets if you have many of these errors. It turns out sockets will be left in CLOSWAIT status whenever any deferred abend occurs during the INIT phase of initialising a web alias task, when that abend wasn't issued by DFHWBXM. Additional keywords: closewait tcpip socket object soso_notify_socket_closed KIXREVCEW
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All CICS users * **************************************************************** * PROBLEM DESCRIPTION: CICS sockets are left in CLOSEWAIT * * status in TCPIP. CICS is not closing * * the sockets after a security failure. * **************************************************************** * RECOMMENDATION: * **************************************************************** CICS receives an HTTP request. CWXN attaches the alias task and selects the userid that the task will run under. The socket is then reserved for the alias task to use. The alias task starts up and DFHWBXM is driven for INIT_XM_CLIENT. This performs an ADD_USER_WITHOUT_PASSWORD call, the userid is valid so the call is successful. After the INIT phase has completed transaction manager issues a DFHXSRC CHECK_RESOURCE_ACCESS call as the XTRAN SIT parameter is not set to NO and SEC=YES has been specified. The userid is checked and found to NOT have access to run the alias task. The consequent ABEND is deferred. DFHWBXM subsequently runs for BIND_XM_CLIENT and, on finding the deferred ABEND, issues a message and sends an error response back to the client. DFHWBXM then calls WebRequest_tidyup to clean up all the web storage. A new async receive gets issued and the task ends. This processing fails to issue a DFHSOCK ESTABLISH call to tell sockets domain that a task is using the socket. Not doing the ESTABLISH has left the earlier RESERVE done by CWXN outstanding. When the alias task ends the socket does not get relinquished. This means that when the socket is finally closed by the client it will still exist in CICS because sockets domain believes there is still a task waiting to start up that wants to use the socket. These orphaned sockets count towards MAXSOCKETS, so if the problem persists CICS can potentially run out of sockets. Additional keywords: ICH408I MSGICH408I ICH408 MSGICH408 DFHWB0361 MSGDFHWB0361 ACF2 ABENDACF2
Problem conclusion
DFHWBXM has been changed to issue a DFHSOCK ESTABLISH call to inform sockets domain that the alias task is using the socket. When the alias task ends the socket will now get relinquished.
Temporary fix
FIX AVAILABLE BY PTF ONLY
Comments
APAR Information
APAR number
PK97630
Reported component name
CICS TS Z/OS V4
Reported component ID
5655S9700
Reported release
600
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2009-10-01
Closed date
2009-10-14
Last modified date
2009-11-04
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UK50983
Modules/Macros
DESWBAP DESWBDM DESWBRQ DESWBRQF DESWBSR DESWBXM DFHWBAP DFHWBAPA DFHWBAPF DFHWBAPJ DFHWBAPM DFHWBAPT DFHWBAPV DFHWBDM DFHWBRQD DFHWBRQS DFHWBSR DFHWBSRA DFHWBSRM DFHWBSRT DFHWBXM DFHWBXMA DFHWBXMT
Fix information
Fixed component name
CICS TS Z/OS V4
Fixed component ID
5655S9700
Applicable component levels
R600 PSY UK50983
UP09/10/19 P F910
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGMGV","label":"CICS Transaction Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"4.1","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"4.1","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
04 November 2009