IBM Support

PM53329: RECEIVING DFHSO0139 RETURN CODE 439, DFHWB0732 SOCKET I/O ERROR WHILE RECEIVING CLIENT REQUEST, AND DFHSO0002 X'080C'.

A fix is available


APAR status

  • Closed as program error.

Error description

  • An automated network security testing tool was used to
    attack a CICS SSL TCPIPSERVICE. The connection attempt
    is not successful, but in one scenario it caused CICS
    to take a system dump.
    .
    The following messages appear in the CICS Log:
    .
    DFHSO0123 REGNNAME Return code 439 received from function
              'gsk_secure_socket_init' of System SSL. Reason:
              Unrecognized return code. Peer: xxx.xx.xxx.xx,
              TCPIPSERVICE: SERVNAME.
    .
    .
    DFHWB0732 REGNNAME CWXN CICS Web attach processing encountered a
              sockets I/O error while receiving a client request.
              Host IP address: xxx.xxx.xx.xx. Client IP address:
              xxx.xx.xxx.xx. TCPIPSERVICE: SERVNAME
    .
    .
    DFHSO0002  REGNNAME A severe error (code X'080C') has occurred
               in module DFHSOSE.
    .
    .
    Need to prevent the DFHSO0002 dump from being produced and
    provide a more useful description of the return code 439.
    

Local fix

  • KIXREVEPH
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS Users                               *
    ****************************************************************
    * PROBLEM DESCRIPTION: Several System SSL response codes are   *
    *                      unhandled by CICS.                      *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Several System SSL response codes that can be triggered by
    client side errors result in DFHSO0002 messages in CICS,
    followed by a system dump.
    
    Message DFHSO0123 is issued to report error codes from
    System SSL in both client and server modes. In some unexpected
    scenarios a system dump is also collected to provide additional
    diagnostics. A dump should not be issued for codes that can
    be caused by external network activity.
    
    Additional keywords:
    msgDFHSO0123  msgDFHSO0002  SO0123  SO0002  080C
    

Problem conclusion

  • DFHSOSE has been changed to treat the following System SSL error
    codes as client-side errors. CICS will not take a Dump if any
    of these error codes are encountered:
    
      GSK_ERR_INTERNAL_ERROR_ALERT (code 438)*
      GSK_ERR_UNKNOWN_ALERT        (code 439)
      GSK_ERR_INCORRECT_KEY_USAGE  (code 440)*
      GSK_ERR_CLIENT_AUTH_ALERT    (code 441)*
    
    
    CICS has also been changed to add interpretation to
    message DFHSO0123 for the following System SSL error
    codes:
    
      GSK_ERR_INTERNAL_ERROR_ALERT (code 438)*
      GSK_ERR_UNKNOWN_ALERT        (code 439)*
      GSK_ERR_INCORRECT_KEY_USAGE  (code 440)*
      GSK_ERR_CLIENT_AUTH_ALERT    (code 441)*
      GSK_ERR_UNRECOGNIZED_NAME    (code 448)*
    
    The CICS Trace formatter has been updated to interpret
    the following System SSL error codes:
    
      GSK_ERR_INCORRECT_KEY_USAGE         (code 440)*
      GSK_ERR_CLIENT_AUTH_ALERT           (code 441)*
      GSK_ERR_MULTIPLE_LABEL              (code 442)*
      GSK_ERR_MULTIPLE_DEFAULT            (code 443)*
      GSK_ERR_RNG                         (code 444)
      GSK_ERR_DB_NOT_FIPS                 (code 445)
      GSK_ERR_TLS_EXTENSION_MISMATCH      (code 446)
      GSK_ERR_REQUIRED_TLS_EXTENSION      (code 447)
      GSK_ERR_UNRECOGNIZED_NAME           (code 448)
      GSK_ERR_INVALID_FRAGMENT_LENGTH     (code 449)
      GSK_ERR_BAD_MSG_LEN                 (code 450)
      GSK_ERR_RENEGOTIATION_INDICATION    (code 460)
      GSK_ERR_TASK_MODE_REQUIRED          (code 506)
      GSK_INVALID_FUNCTION                (code 603)
      GSK_ERR_CIPHER_RESET_REQUIRED       (code 604)
      GSK_ATTRIBUTE_INVALID_PARAMETER     (code 706)*
      GSK_ATTRIBUTE_INVALID_TLS_EXTENSION (code 707)
      GSK_ATTRIBUTE_INVALID_TLS_EXT_DATA  (code 708)
    
    Many of these changes are included in the base version
    of CICS TS V4.2. The changes marked (*) are only in
    the CICS TS V4.1 PTF.
    
    
    Documentation Changes:
    
    The CICS Transaction Server for z/OS Version 4 Release 1
    Messages and Codes book, GC34-7035-02, has been altered
    as follows:
    
    In Section 'DFHSOnnnn messages':
    
    
    DFHSO0123  DATE TIME APPLID  RETURN CODE RC RECEIVED FROM FUNCTION
               '{UNKNOWN |
                 GSK_ENVIRONMENT_INIT |
                 GSK_ENVIRONMENT_OPEN |
                 GSK_ENVIRONMENT_CLOSE |
                 GSK_SECURE_SOCKET_INIT |
                 GSK_SECURE_SOCKET_OPEN |
                 GSK_SECURE_SOCKET_CLOSE |
                 GSK_SECURE_SOCKET_READ |
                 GSK_SECURE_SOCKET_WRITE |
                 GSK_ATTRIBUTE_SET_BUFFER |
                 GSK_ATTRIBUTE_SET_CALLBACK |
                 GSK_ATTRIBUTE_SET_ENUM |
                 GSK_ATTRIBUTE_SET_NUMERIC_VALUE}' OF SYSTEM SSL.
               REASON:
                {UNRECOGNIZED RETURN CODE |
                 KEY DATABASE NOT FOUND |
                 KEY DATABASE ACCESS NOT AUTHORIZED |
                 INVALID PASSWORD FOR KEY DATABASE |
                 EXPIRED PASSWORD FOR KEY DATABASE |
                 STASHED PASSWORD FILE NOT FOUND |
                 SESSION TIMEOUT VALUE IS INVALID |
                 AN I/O ERROR OCCURRED |
                 AN UNKNOWN ERROR OCCURRED |
                 INVALID DISTINGUISHED NAME |
                 NO COMMON CIPHERS NEGOTIATED |
                 NO CERTIFICATE AVAILABLE |
                 CERTIFICATE REJECTED BY PEER |
                 ROOT CERTIFICATE AUTHORITY NOT SUPPORTED |
                 UNSUPPORTED OPERATION |
                 INVALID CERTIFICATE SIGNATURE |
                 SSL PROTOCOL VIOLATION |
                 NOT AUTHORIZED |
                 SELF-SIGNED CERTIFICATE |
                 INVALID SESSION STATE |
                 HANDLE CREATION FAILED |
                 NO PRIVATE KEY |
                 UNTRUSTED CERTIFICATE AUTHORITY |
                 CERTIFICATE DATE INVALID |
                 INVALID CIPHER SUITE |
                 HANDSHAKE ABANDONED BY PEER |
                 CANNOT OPEN KEY DATABASE |
                 HOST CERTIFICATE NOT YET VALID |
                 CERTIFICATE PARSING ERROR |
                 CERTIFICATE IS REVOKED |
                 LDAP SERVER IS INACTIVE |
                 UNKNOWN CERTIFICATE AUTHORITY |
                 INTERNAL ERROR ON PARTNER |
                 UNKNOWN ALERT RECEIVED |
                 CLIENT AUTHENTICATION ALERT |
                 INCORRECT KEY USAGE |
                 SERVER NAME NOT RECOGNIZED}.
               PEER: PEERADDR, TCPIPSERVICE: TCPIPSERVICE.
    
    EXPLANATION:  A non-zero return code rc was received
    from the specified function of the z/OS System SSL service.
    A brief interpretation of the return code is shown.  The
    service was processing a connection with a partner at IP
    address peeraddr to TCPIPSERVICE tcpipservice.
    
    SYSTEM ACTION:  The secure sockets operation is abandoned.
    A sockets domain severe error message, DFHSO0002, may be
    produced with error code X'080C'.
    
    USER RESPONSE:  If this message is not accompanied by
    message DFHSO0002, the error is probably due to some
    unexpected action by the connected partner, and this message
    is for information only.  If this message is accompanied by
    message DFHSO0002, the error is probably due to some sort of
    configuration error.  Use the description in the message to
    determine what is wrong.  For descriptions of the return
    code rc, see z/OS System SSL Programming,
    SC24-5901.  For further guidance see the CICS Internet
    Guide.
    
    NOTE:  If the brief interpretation of the return code is
    "Certificate date invalid", the certificate may either
    have expired or be not yet valid, and may refer to either
    the local certificate or the remote partner's certificate.
    
    DESTINATION:  CSOO
    
    MODULE:  DFHSOSE
    
    XMEOUT PARAMETERS: date, time, applid,
    rc, {0=unknown, 11=gsk_environment_init,
    12=gsk_environment_open,
    13=gsk_environment_close,
    14=gsk_secure_socket_init,
    15=gsk_secure_socket_open,
    16=gsk_secure_socket_close,
    17=gsk_secure_socket_read,
    18=gsk_secure_socket_write,
    19=gsk_attribute_set_buffer,
    20=gsk_attribute_set_callback,
    21=gsk_attribute_set_enum,
    22=gsk_attribute_set_numeric_value},
    {0=Unrecognized return code, 1=Key database not
    found, 2=Key database access not authorized,
    3=Invalid password for key database, 4=Expired
    password for key database, 5=Stashed password file not
    found, 6=Session timeout value is invalid, 7=An
    I/O error occurred, 8=An unknown error occurred,
    16=Invalid distinguished name, 17=No common
    ciphers negotiated, 18=No certificate available,
    19=Certificate rejected by peer, 20=Root
    certificate authority not supported, 21=Unsupported
    operation, 22=Invalid certificate signature,
    23=SSL protocol violation, 24=Not authorized,
    25=Self-signed certificate, 26=Invalid session
    state, 27=Handle creation failed, 28=No private
    key, 29=Untrusted Certificate Authority,
    30=Certificate date invalid, 31=Invalid cipher
    suite, 32=Handshake abandoned by peer, 33=Cannot
    open key database, 34=Host certificate not yet valid,
    35=Certificate parsing error, 36=Certificate is
    revoked, 37=LDAP server is inactive, 38=Unknown
    Certificate Authority, 39=Internal error on partner,
    40=Unknown alert received, 41=Client
    authentication alert, 42=Incorrect key usage,
    43=Server name not recognized}, peeraddr,
    tcpipservice
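
The USER RESPONSE rule above (DFHSO0123 alone is peer-caused, DFHSO0123 followed by DFHSO0002 X'080C' points at configuration), applied to log lines as an added example that is not IBM code. It assumes each message has been flattened to one line with the region name after the message ID; the region, service and peer values in the sample are constructed.

```python
import re
from collections import Counter

# System SSL codes the APAR's fix treats as client-side errors (no dump).
CLIENT_SIDE_CODES = {438, 439, 440, 441}

SO0123 = re.compile(
    r"DFHSO0123\s+(?P<region>\S+)\s+Return code (?P<rc>\d+) received from "
    r"function '(?P<func>\w+)' of System SSL\.\s+Reason: (?P<reason>.+?)\.\s+"
    r"Peer: (?P<peer>[^,\s]+),\s+TCPIPSERVICE: (?P<service>\w+)")
SO0002 = re.compile(r"DFHSO0002\s+(?P<region>\S+)\s+.*X'080C'.*DFHSOSE")

# Constructed sample input (assumed layout: one message per line).
_T = ("DFHSO0123 CICSA Return code {} received from function "
      "'gsk_secure_socket_init' of System SSL. Reason: {}. "
      "Peer: {}, TCPIPSERVICE: HTTPSSL.")
_DUMP = "DFHSO0002 CICSA A severe error (code X'080C') has occurred in module DFHSOSE."
SAMPLE = [
    _T.format(439, "Unrecognized return code", "192.0.2.10"), _DUMP,
    _T.format(448, "Server name not recognized", "192.0.2.10"),
    _T.format(445, "Unrecognized return code", "192.0.2.77"), _DUMP,
]

def triage(lines):
    """Return one dict per DFHSO0123, with a verdict from the USER RESPONSE rule."""
    events, pending = [], {}  # pending: region -> DFHSO0123 awaiting a DFHSO0002
    for line in lines:
        m = SO0123.search(line)
        if m:
            ev = dict(m.groupdict(), rc=int(m["rc"]), dump=False)
            events.append(ev)
            pending[ev["region"]] = ev
        elif (m := SO0002.search(line)) and m["region"] in pending:
            pending.pop(m["region"])["dump"] = True
    for ev in events:
        if not ev["dump"]:
            ev["verdict"] = "peer-action"          # informational only
        elif ev["rc"] in CLIENT_SIDE_CODES:
            ev["verdict"] = "dump-on-client-code"  # behaviour the fix removes
        else:
            ev["verdict"] = "check-configuration"
    return events

def peers_by_failures(events):
    """Count DFHSO0123 events per peer address, most frequent first."""
    return Counter(ev["peer"] for ev in events).most_common()

if __name__ == "__main__":
    for ev in triage(SAMPLE):
        print(ev["rc"], ev["peer"], ev["service"], ev["verdict"])
```

A "dump-on-client-code" verdict on a region means it still dumps for codes 438 to 441, which is the behaviour the PTF changes.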
    

Temporary fix

  • FIX AVAILABLE BY PTF ONLY
    

Comments

APAR Information

  • APAR number

    PM53329

  • Reported component name

    CICS TS Z/OS V4

  • Reported component ID

    5655S9700

  • Reported release

    600

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2011-12-01

  • Closed date

    2012-01-23

  • Last modified date

    2012-03-22

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UK75656 UK75657 PM60971

Modules/Macros

  •    DESSOSE  DESSOTRI DFHMESOC DFHMESOE DFHMESOK
    DFHSOSE  DFHSOSEA DFHSOSEM DFHSOSET DFHSOSKO DFHSOTRI DFH53329
    

Publications Referenced
GC34703502    

Fix information

  • Fixed component name

    CICS TS Z/OS V4

  • Fixed component ID

    5655S9700

Applicable component levels

  • R600 PSY UK75656

       UP12/01/27 P F201

  • R700 PSY UK75657

       UP12/01/27 P F201

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
22 March 2012