APAR status
Closed as fixed if next.
Error description
CEDA is being used to ADD a URIMAP that has an associated certificate. The ADD fails with messages DFHAM4889 and DFHAM4928 because the certificate has no associated private key.

Prior to the messages being issued, CICS detects that a security violation (NOTAUTH) occurred. However, instead of acting upon the NOTAUTH, CICS continues as if a normal response had been received.

Within the ADD_REPLACE_URIMAP processing of DFHWBUR, DFHXSCT is called for function INQUIRE_CERTIFICATE and CERTIFICATE_LABEL is passed. DFHXSCT calls DFHXSSE for function VALIDATE_CERTIFICATE_LABEL and the security manager is called.

VALIDATE_CERTIFICATE_LABEL fails with a NOTAUTH and DFHXSSE returns the following return and reason codes to DFHXSCT:

SAF_RESPONSE(8) SAF_REASON(0) ESM_RESPONSE(10) ESM_REASON(8)

DFHXSCT recognizes the bad return and bypasses turning on bit CERTIFICATE_LABEL_OK, but then continues as if no failure had occurred. IRRSDL00 is then called several times and other exceptions occur, for example:

XS 0B02 XSCT EXIT - FUNCTION(INQUIRE_CERTIFICATE) RESPONSE(EXCEPTION) REASON(CERTIFICATE_INVALID)

The IRRSDL00 failure is due to the certificate being validated having no associated private key. However, processing should never get this far, because the NOTAUTH condition was raised earlier.

Messages DFHAM4889 and DFHAM4928 are issued for the failures that occur AFTER the security violation (NOTAUTH). The NOTAUTH condition needs to be exposed earlier.

The only indication of the earlier NOTAUTH is a RACF ICH408I message:

ICH408I USER(userid ) GROUP(groupname) NAME(name) IRR.DIGTCERT.GENCERT CL(FACILITY) INSUFFICIENT ACCESS AUTHORITY ACCESS INTENT(CONTROL) ACCESS ALLOWED(NONE )

Processing should have stopped once the NOTAUTH condition was recognized.

ADDITIONAL KEYWORD(s): VALIDATE CERTIFICATE LABEL SAF INQUIRE CERTIFICATE CERTIFICATE INVALID MSGDFHAM4889 MSGDFHAM4928 MSGICH408 KIXREVJXD
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All CICS users.                              *
****************************************************************
* PROBLEM DESCRIPTION: NOTAUTH response is ignored while       *
*                      checking certificate label during       *
*                      installation of URIMAP.                 *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
A URIMAP resource containing a certificate label is being installed. DFHWBUR calls ADD_REPLACE_URIMAP to install the URIMAP. DFHXSCT then calls INQUIRE_CERTIFICATE to verify the certificate. VALIDATE_CERTIFICATE_LABEL fails because there is no authority to the RACF data set, but the NOTAUTH response is ignored. IRRSDL00 continues to be called to fetch the private key and returns exception xsct_certificate_invalid because the private key does not exist.
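The error description and the problem summary above describe the same control-flow defect: the NOTAUTH returned by VALIDATE_CERTIFICATE_LABEL only leaves the CERTIFICATE_LABEL_OK bit off, and the IRRSDL00 private-key lookup still runs, so the caller sees CERTIFICATE_INVALID instead of the authorization failure. The C model below is an added example, not CICS code; every struct and function name is an assumed stand-in, and the only values taken from the page are the quoted SAF/ESM codes and the exception names.

```c
#include <stdbool.h>
/* Constructed model of the INQUIRE_CERTIFICATE flow the APAR describes. Every
 * name here is a hypothetical stand-in, not CICS's own DFHXSCT/DFHXSSE/IRRSDL00 code. */
enum { RESP_OK = 0, RESP_EXCEPTION = 1 };
enum { REASON_NONE = 0, REASON_NOTAUTH = 1, REASON_CERTIFICATE_INVALID = 2 };
typedef struct { int saf_response, saf_reason, esm_response, esm_reason; } validate_result;
typedef struct {
    int response, reason;  /* what INQUIRE_CERTIFICATE reports to its caller */
    bool label_ok;         /* models the CERTIFICATE_LABEL_OK bit */
    int keyring_calls;     /* how many times the private-key lookup ran */
} inquire_outcome;

/* Stand-in for VALIDATE_CERTIFICATE_LABEL: without authority it returns the
 * codes quoted in the APAR, SAF_RESPONSE(8) SAF_REASON(0) ESM_RESPONSE(10) ESM_REASON(8). */
static validate_result validate_certificate_label(bool authorised) {
    validate_result r = {0, 0, 0, 0};
    if (!authorised) { r.saf_response = 8; r.esm_response = 10; r.esm_reason = 8; }
    return r;
}

/* Stand-in for the IRRSDL00 private-key fetch; a missing key is the
 * CERTIFICATE_INVALID exception shown in the XS 0B02 trace entry. */
static void lookup_private_key(inquire_outcome *o, bool has_private_key) {
    o->keyring_calls++;
    if (!has_private_key) { o->response = RESP_EXCEPTION; o->reason = REASON_CERTIFICATE_INVALID; }
}

/* Flow as reported: a failed validation only leaves the OK bit off, the key
 * lookup still runs, and its failure is what the caller ends up seeing. */
inquire_outcome inquire_certificate_as_reported(bool authorised, bool has_private_key) {
    inquire_outcome o = {RESP_OK, REASON_NONE, false, 0};
    validate_result v = validate_certificate_label(authorised);
    if (v.saf_response == 0 && v.esm_response == 0) o.label_ok = true;
    lookup_private_key(&o, has_private_key);  /* reached even after NOTAUTH */
    return o;
}

/* Corrected flow: a non-zero SAF/ESM response is surfaced as NOTAUTH at once
 * and the private-key lookup is never reached. */
inquire_outcome inquire_certificate_fixed(bool authorised, bool has_private_key) {
    inquire_outcome o = {RESP_OK, REASON_NONE, false, 0};
    validate_result v = validate_certificate_label(authorised);
    if (v.saf_response != 0 || v.esm_response != 0) {
        o.response = RESP_EXCEPTION; o.reason = REASON_NOTAUTH; return o;
    }
    o.label_ok = true;
    lookup_private_key(&o, has_private_key);
    return o;
}
```

With no authority and no private key, the reported flow returns CERTIFICATE_INVALID after one key lookup, while the corrected flow returns NOTAUTH with no lookup at all.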
Problem conclusion
Temporary fix
FIX AVAILABLE BY PTF ONLY
Comments
This APAR is being closed FIN with concurrence from the submitting customer. This means that a fix to this APAR is expected to be delivered from IBM in a release which is being developed at the time that the APAR was closed. The latest release of the product to exit development at the time this APAR was closed was: CICS Transaction Server for z/OS V4.2. SPA50971 SPA 50971
APAR Information
APAR number
PM61957
Reported component name
CICS TS Z/OS V4
Reported component ID
5655S9700
Reported release
600
Status
CLOSED FIN
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2012-04-05
Closed date
2012-05-10
Last modified date
2012-05-10
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
R600 PSN
UP
Document Information
Modified date:
10 May 2012