IBM Support

PM61957: NOTAUTH IGNORED DURING VALIDATE_CERTIFICATE_LABEL PROCESSING

APAR status

  • Closed as fixed if next.

Error description

  • CEDA is being used to ADD a URIMAP that has an associated
    certificate.  The ADD fails with messages DFHAM4889 and
    DFHAM4928 because the certificate has no associated private
    key.
    .
    Prior to the messages being issued, CICS realizes that a
    security violation (NOTAUTH) occurred. However, instead of
    acting upon the NOTAUTH, CICS continues as if a normal
    response had been received.
    .
    Within the ADD_REPLACE_URIMAP processing of DFHWBUR,
    DFHXSCT is called for function INQUIRE_CERTIFICATE
    and CERTIFICATE_LABEL is passed. DFHXSCT calls DFHXSSE for
    function VALIDATE_CERTIFICATE_LABEL and the security manager
    is called.
    .
    VALIDATE_CERTIFICATE_LABEL fails with a NOTAUTH and DFHXSSE
    returns to DFHXSCT the following return and reason codes:
    SAF_RESPONSE(8) SAF_REASON(0) ESM_RESPONSE(10) ESM_REASON(8)
    .
    DFHXSCT recognizes the bad return and bypasses turning on bit
    CERTIFICATE_LABEL_OK, but then continues as if no failure
    had occurred.  IRRSDL00 is then called several times and other
    exceptions occur, for example:
    .
    XS 0B02 XSCT  EXIT - FUNCTION(INQUIRE_CERTIFICATE)
                         RESPONSE(EXCEPTION)
                         REASON(CERTIFICATE_INVALID)
    The IRRSDL00 failure is due to the certificate being validated
    having no associated private key. However, processing should
    not even get this far, because the NOTAUTH condition was
    raised earlier.
    .
    Messages DFHAM4889 and DFHAM4928 are issued for the failures
    AFTER the security violation (NOTAUTH). The NOTAUTH condition
    needs to be exposed earlier.
    .
    The only indication of the earlier NOTAUTH is a RACF ICH408I:
    .
    ICH408I USER(userid ) GROUP(groupname) NAME(name)
      IRR.DIGTCERT.GENCERT CL(FACILITY)
      INSUFFICIENT ACCESS AUTHORITY
      ACCESS INTENT(CONTROL)  ACCESS ALLOWED(NONE   )
    .
    Processing should have stopped after realization of the
    NOTAUTH condition.
    .
    ADDITIONAL KEYWORD(s):  VALIDATE CERTIFICATE LABEL  SAF
                            INQUIRE CERTIFICATE  CERTIFICATE INVALID
                            MSGDFHAM4889 MSGDFHAM4928 MSGICH408
    
    KIXREVJXD
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS users.                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: NOTAUTH response is ignored while       *
    *                      checking certificate label during       *
    *                      installation of URIMAP.                 *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    A URIMAP resource containing a certificate label is being
    installed. DFHWBUR calls ADD_REPLACE_URIMAP to install the
    URIMAP. DFHXSCT then calls INQUIRE_CERTIFICATE to verify the
    certificate. VALIDATE_CERTIFICATE_LABEL fails because the
    caller has no authority to the RACF data set.
    However, the NOTAUTH response is ignored: the IRRSDL00 call
    is still issued to fetch the private key, and the exception
    xsct_certificate_invalid is returned because the private key
    does not exist.
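    The following is an added illustration of the control-flow defect described in the error description and problem summary above; it is a constructed Python model, not CICS code, and the DFHXSSE/IRRSDL00 names are only labels on stand-in functions. It places the reported fail-open flow (bad return noted, flag left off, processing continues) beside the fail-closed flow in which the NOTAUTH is surfaced before any further SAF call, and shows how the private-key failure masks the real cause.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Response(Enum):
    OK = "OK"
    NOTAUTH = "NOTAUTH"
    CERTIFICATE_INVALID = "CERTIFICATE_INVALID"


@dataclass(frozen=True)
class SafResult:
    """Return and reason codes handed back by the security manager."""
    saf_response: int
    saf_reason: int
    esm_response: int
    esm_reason: int


# Constructed stand-in for DFHXSSE VALIDATE_CERTIFICATE_LABEL; the NOTAUTH
# codes are the ones quoted in the APAR text.
def validate_certificate_label(label: str, caller_authorised: bool) -> SafResult:
    if caller_authorised:
        return SafResult(0, 0, 0, 0)
    return SafResult(saf_response=8, saf_reason=0, esm_response=10, esm_reason=8)


# Constructed stand-in for the IRRSDL00 private-key fetch; keyring is a dict.
def fetch_private_key(label: str, keyring: dict) -> Optional[bytes]:
    return keyring.get(label)


def inquire_certificate_fail_open(label, caller_authorised, keyring) -> Response:
    """Flow as reported: the bad return is noticed but not acted on."""
    result = validate_certificate_label(label, caller_authorised)
    certificate_label_ok = result.saf_response == 0  # bit left off on NOTAUTH
    # Defect: no early exit when certificate_label_ok is False, so the
    # private-key lookup runs and its failure hides the NOTAUTH.
    if fetch_private_key(label, keyring) is None:
        return Response.CERTIFICATE_INVALID
    return Response.OK  # the flag is never consulted: a normal response is seen


def inquire_certificate_fail_closed(label, caller_authorised, keyring) -> Response:
    """Corrected flow: the NOTAUTH is surfaced before any further SAF call."""
    result = validate_certificate_label(label, caller_authorised)
    if result.saf_response != 0:
        return Response.NOTAUTH
    if fetch_private_key(label, keyring) is None:
        return Response.CERTIFICATE_INVALID
    return Response.OK
```

    With an unauthorised caller and no private key on the keyring, the fail-open flow reports CERTIFICATE_INVALID (the DFHAM4889/DFHAM4928 symptom) while the fail-closed flow reports NOTAUTH, which is the condition the ICH408I actually records.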
    

Problem conclusion

Temporary fix

  • FIX AVAILABLE BY PTF ONLY
    

Comments

  • This APAR is being closed FIN with concurrence from the
    submitting customer.  This means that a fix to this APAR is
    expected to be delivered from IBM in a release which is being
    developed at the time that the APAR was closed.
    The latest release of the product to exit development at the
    time this APAR was closed was:
      CICS Transaction Server for z/OS V4.2.
    SPA50971 SPA 50971
    

APAR Information

  • APAR number

    PM61957

  • Reported component name

    CICS TS Z/OS V4

  • Reported component ID

    5655S9700

  • Reported release

    600

  • Status

    CLOSED FIN

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-04-05

  • Closed date

    2012-05-10

  • Last modified date

    2012-05-10

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels

  • R600 PSN

       UP


Document Information

Modified date:
10 May 2012